Re: Signs of Apache Web Server been hacked

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think you can also check access log with grep if any call to bash script.

Thanks
Vishesh Kumar
http://linuxmantra.com/


On Mon, Nov 11, 2013 at 9:50 AM, Mauricio Tavares <raubvogel@xxxxxxxxx> wrote:
On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <rizwan.raza@xxxxxxxxx> wrote:
> There is a bunch of php scripts on the server. Not sure how to inspect and
> find out the hijacked piece. I would appreciate any suggestion(s)
>
      You could start by seeing if any of the files have been changed
recently (OS-specific; are you running Linux?) or something has been
uploaded (if it is still there). Shell exploits would be in the later
group. Can people update files to your server? I myself have written
one of those, and it would tell me stuff like user I am running as,
OS/apache/php version, kernel (if linux), and so on. And that was
before I went about exploring.

I think OWASP has some kind of test for weaknesses; at least they have
docs on best practices.

I would also think the apache log files would show something like a
given ip sending commands out to the server (trying to find a
weakness).

Look on the bright side: at least apache is not being run as root.
>
> On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
>>
>>
>> On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
>>
>> > Notice the last two listings. What does that mean? Is my Apache instance
>> > hacked?
>>
>> Maybe.
>>
>> The most likely origin of a shell from apache is from a script.
>> That could be a vulnerable script that's got hijacked, or a script
>> that intentionally runs a shell.  Processes hanging around
>> could mean a script that didn't run&exit cleanly (and should
>> be fixed).
>>
>> Take a long hard look at your scripts, and look for any clues
>> in your error log.
>>
>> --
>> Nick Kew
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
http://linuxmantra.com

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux