[sf-lug] Hacked RHEL4/PHP4 server

Tom Haddon tom at greenleaftech.net
Wed May 21 23:14:37 PDT 2008

On Wed, 2008-05-21 at 22:39 -0700, Kristian Erik Hermansen wrote:
> On Wed, May 21, 2008 at 10:32 PM, Tom Haddon <tom at greenleaftech.net> wrote:
> > I have looked at other sites, and they seem to be okay from what I can
> > see. And like I say, according to "last", there doesn't seem to have
> > been anyone else logging in during the timeframe of when this became a
> > problem (May 5th).
> You said this was a VPS right?  I mean perhaps someone hopped
> virtualization :-)  It is not likely, but still a possibility.  In
> that case, you would not see an entry for the abuser from the last
> command, correct?
> > Do you have any ideas about how I can find these mystery files? As I
> > say, they don't show up with an ls, an ls -a, in any recursive greps for
> > strings I know they contain, etc. I know they're still on the server
> > because if I go to a URL from one of the links that was on the page
> > before I removed it, the page works and gives a 200 OK in the apache
> > log. Just can't find where on the filesystem the damn html file is...
> If what you say is true, an without having the exact links and access
> to the file system to verify, then it smells like a rootkit.  It may
> be hiding the files from your user, but allowing apache to return the
> data to website visitors.  Run chkrootkit or something similar.  Of
> course, rootkit writers test their creations against such utilities,
> so you can never be sure you don't have a rootkit :-)

Hmm, somewhat inconclusive. Have tried both chkrootkit which gave an LKM
error which from searching online seems to be a false positive. Then
tried rkhunter, which didn't seem to find anything. But you're right,
the fact that the files aren't showing, but are being served by the web
server is suspicious. I'll have another look at it tomorrow and see what
I can find...

Thanks, Tom

More information about the sf-lug mailing list