On Wed, Aug 22, 2012 at 2:54 PM, Mark Walkom <markwal...@gmail.com> wrote:
> On 22 August 2012 12:00, David Lyon <david.lyon.preissh...@gmail.com> wrote:
>
>> I have a customer with a hacked website.
>>
>> When I ftp'd to their web-server I found this wart (listed below - saved as
>> brut.php):
>>
>> How did the hacker put it on my system? What could it have compromised? What
>> can I do to stop further consequences?
>>
>
> Reset any management/admin passwords to be safe. Make sure everything
> running on the server is up to date - OS, DB, Apache etc.
>
> Get rid of FTP, use SCP and fail2ban.

Reinstall the machine from bare metal. Verify the BIOS against the vendor's version (not 100% foolproof) and discard the filesystem entirely (take a backup first). You don't know what has been altered, it's not impossible they got root, and it's not impossible that they put a preboot attack in place too.

-Rob

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html