[sf-lug] Hacked RHEL4/PHP4 server

Kristian Erik Hermansen kristian.hermansen at gmail.com
Wed May 21 22:39:24 PDT 2008


On Wed, May 21, 2008 at 10:32 PM, Tom Haddon <tom at greenleaftech.net> wrote:
> I have looked at other sites, and they seem to be okay from what I can
> see. And like I say, according to "last", there doesn't seem to have
> been anyone else logging in during the timeframe of when this became a
> problem (May 5th).

You said this was a VPS right?  I mean perhaps someone hopped
virtualization :-)  It is not likely, but still a possibility.  In
that case, you would not see an entry for the abuser from the last
command, correct?

> Do you have any ideas about how I can find these mystery files? As I
> say, they don't show up with an ls, an ls -a, in any recursive greps for
> strings I know they contain, etc. I know they're still on the server
> because if I go to a URL from one of the links that was on the page
> before I removed it, the page works and gives a 200 OK in the apache
> log. Just can't find where on the filesystem the damn html file is...

If what you say is true, and without having the exact links and access
to the file system to verify, then it smells like a rootkit.  It may
be hiding the files from your user, but allowing apache to return the
data to website visitors.  Run chkrootkit or something similar.  Of
course, rootkit writers test their creations against such utilities,
so you can never be sure you don't have a rootkit :-)
-- 
Kristian Erik Hermansen
--
"When you share your joys you double them; when you share your sorrows
you halve them."
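As an added illustration of the check the reply is pointing at (this is not code from the thread or from either poster), the script below cross-references paths that Apache returned with a 2xx against two different views of the filesystem: a stat() of each served path versus the parent directory's listing. A userland rootkit that hooks readdir() hides names from ls but usually leaves stat()/open() alone, which is exactly the "Apache serves it, ls can't see it" symptom described above. The document root, the log lines and the simulated readdir hook are all constructed for the example.

```python
import os
import re
import tempfile

# Common Log Format request/status fields: "METHOD path PROTO" status
LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) \S+" (\d{3}) ')

def served_paths(log_lines):
    """Request paths that got a 2xx response, query string stripped."""
    paths = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2).startswith("2"):
            paths.add(m.group(1).split("?", 1)[0])
    return paths

def classify(docroot, req_path, listdir=os.listdir, stat=os.stat):
    """'listed'   : stat() works and the parent listing contains the name
       'unlisted' : stat() works but the listing omits it (readdir hidden?)
       'absent'   : stat() fails (alias, rewrite or a different docroot)"""
    rel = req_path.lstrip("/") or "index.html"
    full = os.path.join(docroot, rel)
    try:
        stat(full)
    except OSError:
        return "absent"
    name, parent = os.path.basename(full), os.path.dirname(full)
    return "listed" if name in listdir(parent) else "unlisted"

def find_hidden(docroot, log_lines, listdir=os.listdir, stat=os.stat):
    """Map every served path to its verdict; 'unlisted' entries deserve a look."""
    return {p: classify(docroot, p, listdir, stat) for p in served_paths(log_lines)}

# Constructed access-log lines (not from the affected server)
SAMPLE_LOG = [
    '203.0.113.5 - - [05/May/2008:03:14:07 -0700] "GET /promo/x.html HTTP/1.1" 200 5120 "-" "Mozilla"',
    '203.0.113.5 - - [05/May/2008:03:14:09 -0700] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla"',
    '198.51.100.9 - - [05/May/2008:03:15:00 -0700] "GET /nope.html HTTP/1.1" 404 209 "-" "curl"',
]

def demo():
    """Build a throwaway docroot and simulate a hook that hides promo/x.html from listings."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "promo"))
    for rel in ("index.html", "promo/x.html"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("<html/>")
    hide = lambda d: [n for n in os.listdir(d) if not (d.endswith("promo") and n == "x.html")]
    return find_hidden(root, SAMPLE_LOG, listdir=hide)
```

On a real box you would run find_hidden() against the live DocumentRoot and access_log, and ideally from a clean boot medium as well, since a kernel-level rootkit can lie to stat() too.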
