[sf-lug] Hacked RHEL4/PHP4 server
Tyler Trafford
ttrafford at gmail.com
Thu May 22 07:20:28 PDT 2008
Tom Haddon wrote:
> I have looked at other sites, and they seem to be okay from what I can
> see. And like I say, according to "last", there doesn't seem to have
> been anyone else logging in during the timeframe of when this became a
> problem (May 5th).
>
> Do you have any ideas about how I can find these mystery files? As I
> say, they don't show up with an ls, an ls -a, in any recursive greps for
> strings I know they contain, etc. I know they're still on the server
> because if I go to a URL from one of the links that was on the page
> before I removed it, the page works and gives a 200 OK in the apache
> log. Just can't find where on the filesystem the damn html file is...
It's conceivable that the server itself (httpd, I mean) has been
patched/replaced... Did you try grepping for those strings on the
binaries on the system?
--
Tyler Trafford
A sect or party is an elegant incognito devised to save a man from
the vexation of thinking.
-- Ralph Waldo Emerson, Journals, 1831
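
Added example, not part of the original message: one way to carry out the suggested check is to search only ELF executables and shared objects for a string known to appear in the injected pages. The function names, the marker string and the directories in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): list ELF files under the given
# directories that contain a fixed marker string.
#
# Usage (directories are typical RHEL locations, assumed here):
#   scan_binaries_for_marker 'text from the injected page' /usr/sbin /usr/lib/httpd/modules

is_elf() {
    # ELF files begin with the four bytes 0x7f 'E' 'L' 'F'.
    # od -c prints 0x7f as octal 177; strip padding before comparing.
    [ "$(head -c 4 "$1" 2>/dev/null | od -An -c | tr -d ' \n')" = "177ELF" ]
}

scan_binaries_for_marker() {
    marker=$1
    shift
    # -xdev keeps find on the filesystems named on the command line.
    find "$@" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        # Skip scripts, HTML and other non-ELF files: the question here is
        # whether a binary such as httpd or one of its modules carries the text.
        is_elf "$f" || continue
        # -a: read binary data as text, -F: literal match, -q: exit status only
        if grep -aqF -- "$marker" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}
```

If the host's own tools are suspect, run this from trusted rescue media against the mounted filesystem, since find and grep on the system may have been replaced as well. A plain string search also misses content that is stored encoded or compressed inside a binary.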