On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <rizwan.raza@xxxxxxxxx> wrote:
There is a bunch of PHP scripts on the server. Not sure how to inspect and
find out the hijacked piece. I would appreciate any suggestion(s).
You could start by seeing if any of the files have been changed
recently (OS-specific; are you running Linux?) or something has been
uploaded (if it is still there). Shell exploits would be in the latter
group. Can people upload files to your server? I myself have written
one of those, and it would tell me stuff like user I am running as,
OS/apache/php version, kernel (if linux), and so on. And that was
before I went about exploring.
I think OWASP has some kind of test for weaknesses; at least they have
docs on best practices.
I would also think the apache log files would show something like a
given ip sending commands out to the server (trying to find a
weakness).
Look on the bright side: at least apache is not being run as root.

On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
Notice the last two listings. What does that mean? Is my Apache instance
hacked?
Maybe.
The most likely origin of a shell from apache is from a script.
That could be a vulnerable script that's got hijacked, or a script
that intentionally runs a shell. Processes hanging around
could mean a script that didn't run & exit cleanly (and should
be fixed).
Take a long hard look at your scripts, and look for any clues
in your error log.
--
Nick Kew
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
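The triage the first reply sketches (files changed recently, anything uploaded that is still there, the access log showing one IP probing the server, and shells whose parent is an httpd worker), written out as an added example that is not code from anyone in this thread. The web root layout, the log format, the webshell signature list and the process names are assumptions; the sample web root and log are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Triage a PHP web root after seeing shell
# processes spawned by apache: recently changed files, PHP in upload dirs,
# webshell-style function calls, log probes tallied per client IP, shells
# parented by httpd. Paths, log format and signatures are assumptions.

# Build a throwaway web root and access log so the script runs offline
# (constructed sample data, not a real compromise).
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/htdocs/uploads" "$root/logs"
  printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
  # Dropper shape commonly left behind by an upload flaw: obfuscated code into eval()
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$root/htdocs/uploads/img.php"
  printf 'GIF89a\n' > "$root/htdocs/uploads/logo.gif"
  cat > "$root/logs/access_log" <<'EOF'
203.0.113.5 - - [10/Nov/2013:20:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Nov/2013:20:01:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1204
198.51.100.7 - - [10/Nov/2013:20:02:30 +0000] "POST /uploads/img.php HTTP/1.1" 200 33
198.51.100.7 - - [10/Nov/2013:20:02:31 +0000] "POST /uploads/img.php HTTP/1.1" 200 2201
EOF
  echo "$root"
}

# Files under the web root modified within the last N days ("changed recently").
recent_files() { find "$1" -type f -mtime "-$2"; }

# PHP that should not exist: code inside directories meant for static uploads.
php_in_uploads() { find "$1" -path '*/uploads/*' -name '*.php' -type f; }

# PHP files calling the functions webshells lean on (assumed signature list).
suspicious_php() {
  grep -rlE 'eval *\(|base64_decode *\(|system *\(|shell_exec *\(|passthru *\(|popen *\(' \
    --include='*.php' "$1"
}

# Access-log triage: POSTs to PHP under uploads plus traversal/command probes,
# counted per client IP so a single scanner stands out.
log_hits() {
  grep -E '"POST /uploads/[^ ]*\.php|\.\./|%2e%2e|cmd=' "$1" \
    | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Live check: shells whose parent process is an httpd/apache2 worker.
# Prints nothing on a box without such processes.
shells_from_apache() {
  ps -eo pid,ppid,comm 2>/dev/null | awk '
    NR > 1 { comm[$1] = $3; ppid[$1] = $2 }
    END {
      for (p in comm)
        if (comm[p] ~ /^(sh|bash|dash|ksh)$/ && comm[ppid[p]] ~ /^(httpd|apache2|apache)$/)
          print "pid", p, comm[p], "parent", ppid[p], comm[ppid[p]]
    }'
}

# Demo against the constructed sample; on a real server point these at the
# DocumentRoot and the real access log instead.
WEBROOT=$(make_sample)
echo "== changed in last day";  recent_files "$WEBROOT/htdocs" 1
echo "== php under uploads";    php_in_uploads "$WEBROOT/htdocs"
echo "== webshell signatures";  suspicious_php "$WEBROOT/htdocs"
echo "== probing clients";      log_hits "$WEBROOT/logs/access_log"
echo "== shells under httpd";   shells_from_apache
rm -rf "$WEBROOT"
```

The signature grep is deliberately noisy: legitimate code also calls eval() and system(), so treat its output as a reading list, not a verdict, and compare each hit against a known-good copy of the application. The per-IP tally is the quickest way to find the "given ip sending commands" the reply mentions; once you have the IP, pull every line for it to reconstruct the order of events.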