On Wed, Oct 12, 2011 at 6:04 AM, Bilal Itani <bi...@itx.com.lb> wrote:
> ** > My apache webserver is redirecting URLs to a random directory, ex if I > enter in the browser : www.mydomain.com it is redirected internally > without the URL being changed on the browser to www.mydomain.com/SokMT/, > each time a new random directory. > > Could be this a hack? I started facing this on October 10th and I am > running CentOs 5.4 with apache 2.2.3 > Probably. If you keep FTP/SSH logs, you can check what changed around that time if that is how the attacker got in. If it was a bug in an application you ave on the server, it will probably show up in some other log (maybe a strange request in apache's access.log, or the PAM auth log.) Otherwise, you should look at .htaccess in the htdocs folder (or wherever your virtual host DocumentRoot is). It is also possible that it is in the server/vhost config and has been for a long time, but apache (or the server) restarted on October 10th and reread the configuration. You should also check that it is not your DNS that was hacked. Use nslookup to make sure that you domain is actually pointing to your server's IP address.
