On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <rizwan.raza@xxxxxxxxx> wrote:
> There is a bunch of php scripts on the server. Not sure how to inspect and
> find out the hijacked piece. I would appreciate any suggestion(s)
>

You could start by seeing if any of the files have been changed recently (OS-specific; are you running Linux?) or something has been uploaded (if it is still there). Shell exploits would be in the latter group. Can people update files to your server?

I myself have written one of those, and it would tell me stuff like the user I am running as, OS/apache/php version, kernel (if linux), and so on. And that was before I went about exploring.

I think OWASP has some kind of test for weaknesses; at least they have docs on best practices.

I would also think the apache log files would show something like a given ip sending commands out to the server (trying to find a weakness).

Look on the bright side: at least apache is not being run as root.

>
> On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
>>
>>
>> On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
>>
>> > Notice the last two listings. What does that mean? Is my Apache instance
>> > hacked?
>>
>> Maybe.
>>
>> The most likely origin of a shell from apache is from a script.
>> That could be a vulnerable script that's got hijacked, or a script
>> that intentionally runs a shell. Processes hanging around
>> could mean a script that didn't run&exit cleanly (and should
>> be fixed).
>>
>> Take a long hard look at your scripts, and look for any clues
>> in your error log.
>>
>> --
>> Nick Kew
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
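
One way to do the first-pass inspection suggested in this thread (recently changed or uploaded files, plus scripts that intentionally run a shell), as an added example that is not part of the original messages. The `/var/www` docroot, the 14-day window, the extension list and the function list are assumptions of the example.

```python
#!/usr/bin/env python3
"""First-pass triage of a PHP docroot (added example, not from the thread)."""
import os
import re
import sys
import time

# PHP functions that start an external process. The list is an assumption of
# this example; a hit is a lead to review, not proof (e.g. PDO's ->exec()).
SHELL_CALL = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(")
PHP_EXT = (".php", ".phtml", ".php5", ".inc")


def triage(docroot, days=14, now=None):
    """Return (mtime, path, recent, calls) for PHP files changed in the last
    `days` days or containing a process-spawning call, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    rows = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # cap memory on huge files
            except OSError:
                continue  # unreadable or vanished; skip
            calls = sorted({m.group(1).decode() for m in SHELL_CALL.finditer(data)})
            recent = mtime >= cutoff
            if recent or calls:
                rows.append((mtime, path, recent, calls))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"  # assumed docroot
    for mtime, path, recent, calls in triage(root):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        flags = ("RECENT " if recent else "") + ",".join(calls)
        print(f"{stamp}  {path}  {flags}")
```

Modification times can be reset by whoever wrote the file, so a clean result here does not clear the server; comparing the docroot against a known-good copy of the application is the stronger check.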