On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <rizwan.raza@xxxxxxxxx> wrote:
> There is a bunch of php scripts on the server. Not sure how to inspect and
> find out the hijacked piece. I would appreciate any suggestion(s)
>
You could start by seeing if any of the files have been changed
recently (OS-specific; are you running Linux?) or something has been
uploaded (if it is still there). Shell exploits would be in the later
group. Can people update files to your server? I myself have written
one of those, and it would tell me stuff like user I am running as,
OS/apache/php version, kernel (if linux), and so on. And that was
before I went about exploring.
I think OWASP has some kind of test for weaknesses; at least they have
docs on best practices.
I would also think the apache log files would show something like a
given ip sending commands out to the server (trying to find a
weakness).
Look on the bright side: at least apache is not being run as root.
>
> On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
>>
>>
>> On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
>>
>> > Notice the last two listings. What does that mean? Is my Apache instance
>> > hacked?
>>
>> Maybe.
>>
>> The most likely origin of a shell from apache is from a script.
>> That could be a vulnerable script that's got hijacked, or a script
>> that intentionally runs a shell. Processes hanging around
>> could mean a script that didn't run&exit cleanly (and should
>> be fixed).
>>
>> Take a long hard look at your scripts, and look for any clues
>> in your error log.
>>
>> --
>> Nick Kew
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|