It was thus said that the Great Tom Ray [Lists] once stated:
> I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday
> I'm seeing a ton of files created in spots they should be. All created
> by wwwrun (the webserver). I'm finding PHP scripts that are blatantly
> commented with hacker code, _vti_ directories in sites and this server
> doesn't have FP running on it. Cron jobs owned by wwwrun created and I
> can see my maching connected to a strange IP on port 22 which is telling
> me that my machine has opened a ssh connection with their server.
>
> I'm seeing files that execute PHP Shell 1.7 which allows them to execute
> commands via a form.
>
> Has anyone ever run into this kind of problem? I've never really been
> hacked like this before and I keep thinking I have it cleaned up but it
> doesn't appear that way. One script had this in it: Powered By
> #KARTUBEBEN CrEW @ DALnet
>
> I know this maybe be a bit OT but any thoughts or suggestions would be
> greatly helpful and appreciated.
Unless you know what you are doing or what to look for, the best advice is
to nuke and pave (reformat the harddrives, reinstall the operating system,
reload the websites).
In any case, you'll want to disable PHP and all logins until you have
audited all the sites, PHP scripts and users of the box. Make sure all
passwords are changed. Only then would I re-enable PHP.
Also, check the startup scripts and shut down any service you don't need!
Not only do they suck up memory (and/or swap space) but if they offer any
network services, that's just another way to be hacked. If you are unsure
of what a startup script does, use Google.
-spc (But really, if the accounts were compromised, there isn't much
you can do ... )
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
