[sf-lug] Hacked RHEL4/PHP4 server
asheesh at asheesh.org
Thu May 22 09:12:51 PDT 2008
On Thu, 22 May 2008, Tom Haddon wrote:
> On Thu, 2008-05-22 at 07:56 -0700, Kristian Erik Hermansen wrote:
>> Do all of the injected html links start with a common prefix for the
>> file? For instance "5-", like your example ?
> They all match the pattern [0-9]-(.*)phentermine(.*).html. I'm beginning
> to think the server must have been compromised after all. I am able to
> create file of the same name as one of these with a test page and see
> that it's served in place of the spam page. If I delete the page with
> rm, the spam page shows up again. If I try to delete it again, it says
> no such file.
Are you sure there's no mod_rewrite action going on? e.g.
RewriteLogLevel - try doing that and going to one of the evil URLs (after
disabling the redirect as you discussed).
Also, what if you just "grep -ri <string_in_one_of_those_html_files> /" ?
What about "zgrep -ri <string_in_one_of_those_evil_html_files> /"? To
find the string, load the page up in a browser and look for something
Can you make a copy of the disk image on a different server? And have you
tried asking RPM (which could, I know, have had its database pwned also)
to verify the stuff on the machine:
Doing these would take a lot of time, but they'd be background jobs, so
it's only compute time. Obviously I don't think you should spend your
whole life cleaning up after script kiddies when it's not your job to.
> I've put in place an apache redirect for the matching file types so that
> if anyone is going to those URLs, they'll be redirected to the main
> At this point, I'd have to advise the non-profit per Rick's comments to
> pretty much start from scratch with this server and/or have verio clean
> up the mess...
Out of curiosity, which virtualization technology?
Perhaps further discussion on the list could lead us to find a setup more
resilient against their attackers but not too onerous for them.
So little time, so little to do.
-- Oscar Levant
More information about the sf-lug