[sf-lug] Hacked RHEL4/PHP4 server
ttrafford at gmail.com
Thu May 22 07:20:28 PDT 2008
Tom Haddon wrote:
> I have looked at other sites, and they seem to be okay from what I can
> see. And like I say, according to "last", there doesn't seem to have
> been anyone else logging in during the timeframe of when this became a
> problem (May 5th).
> Do you have any ideas about how I can find these mystery files? As I
> say, they don't show up with an ls, an ls -a, in any recursive greps for
> strings I know they contain, etc. I know they're still on the server
> because if I go to a URL from one of the links that was on the page
> before I removed it, the page works and gives a 200 OK in the apache
> log. Just can't find where on the filesystem the damn html file is...
It's conceivable that the server itself (httpd, I mean) has been
patched/replaced... Did you trying grepping for those strings on the
binaries on the system?
A sect or party is an elegant incognito devised to save a man from
the vexation of thinking.
-- Ralph Waldo Emerson, Journals, 1831
More information about the sf-lug