[sf-lug] Hacked RHEL4/PHP4 server

Tom Haddon tom at greenleaftech.net
Wed May 21 22:32:24 PDT 2008


On Wed, 2008-05-21 at 22:28 -0700, Kristian Erik Hermansen wrote:
> On Wed, May 21, 2008 at 10:15 PM, Tom Haddon <tom at greenleaftech.net> wrote:
> > - How did they actually modify the content? Through a PHP exploit, or
> > shell access?
> 
> If your application was insecure, then sure, they could have perhaps
> done this without shell access.  However, since it is shared server,
> perhaps it was compormised by another local user who then changed
> every site on the server.  I would investigate the other sites being
> served from your shared host, or ask the hosting company if they heard
> of any other complaints about similar sites being hosted from that
> server.  Also, check your logs and SQL transaction history.  Maybe you
> can find some abnormal queries floating around in there and trace it
> back to the vulnerable PHP code, if that was the entry point...

I have looked at other sites, and they seem to be okay from what I can
see. And like I say, according to "last", there doesn't seem to have
been anyone else logging in during the timeframe of when this became a
problem (May 5th).

Do you have any ideas about how I can find these mystery files? As I
say, they don't show up with an ls, an ls -a, in any recursive greps for
strings I know they contain, etc. I know they're still on the server
because if I go to a URL from one of the links that was on the page
before I removed it, the page works and gives a 200 OK in the apache
log. Just can't find where on the filesystem the damn html file is...

Cheers, Tom






More information about the sf-lug mailing list