Re: site compromised and httpd log analysis

Your log doesn't start early enough. Someone uploaded a web shell (or found an existing web shell) to your server, possibly using an upload form that doesn't validate the input, then used that shell to run commands on your server.
I would consider your entire server to be compromised at this point since you have no record of what else the attacker could have done once they had a shell.

Make sure that you do not allow users to upload files and then execute those files.

- Y
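As an added illustration of the sequence described above (this is not code from the thread and not derived from the pasted log), the script below walks constructed Apache combined-format log lines and flags the upload-then-execute pattern: a POST to an upload endpoint, followed by requests for a script file under the uploads directory, especially ones carrying command-like query parameters. The endpoint `/upload.php`, the directory `/uploads/`, the parameter names and every sample log line are assumptions chosen for the example; adjust them to the application being investigated.

```python
"""Flag web-shell upload-and-use sequences in Apache combined-format logs.

Added example for this thread; the endpoint, directory, parameter names and
the sample log lines are all assumed/constructed, not taken from the real site.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ENDPOINTS = {"/upload.php"}      # assumption: the app's upload handler
UPLOAD_DIR = "/uploads/"                # assumption: where uploaded files land
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
CMD_PARAMS = {"cmd", "c", "exec", "command", "pass"}  # common web-shell params

# Constructed sample log (not the thread's real log).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2022:21:10:03 +0530] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:21:10:41 +0530] "POST /upload.php HTTP/1.1" 200 311 "http://example.com/upload.php" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:21:10:55 +0530] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:21:11:20 +0530] "GET /uploads/avatar.php?cmd=echo+defaced+%3E+../index.html HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2022:21:12:02 +0530] "GET /uploads/photo.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2022:21:13:40 +0530] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""


def parse(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return one finding per request for a script under the uploads directory.

    Each finding records whether the same client POSTed to an upload endpoint
    earlier in the log, and which command-like query parameters it carried.
    A 404 is still reported: it shows someone probing for a shell by name.
    """
    uploads = defaultdict(list)   # client ip -> timestamps of upload POSTs
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if rec["method"] == "POST" and url.path in UPLOAD_ENDPOINTS:
            uploads[rec["ip"]].append(rec["time"])
            continue
        if url.path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(url.path):
            params = set(parse_qs(url.query).keys())
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": url.path,
                "status": int(rec["status"]),
                "cmd_params": sorted(params & CMD_PARAMS),
                "uploaded_earlier": bool(uploads[rec["ip"]]),
            })
    return findings


def suspect_ips(findings):
    """Distinct client addresses that touched a script under the uploads dir."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        flag = "after upload" if f["uploaded_earlier"] else "no upload seen"
        print(f'{f["time"]} {f["ip"]} {f["path"]} {f["status"]} '
              f'params={f["cmd_params"]} ({flag})')
    print("suspect IPs:", suspect_ips(analyze(SAMPLE_LOG.splitlines())))
```

Run it as-is to see the three hits from the sample: two executions of the uploaded `avatar.php` (the second one rewriting the home page, which matches a defacement), plus a 404 probe from a second address. On a real incident, feed it the full access log from before the first upload, and remember that a hit only tells you a script was requested; whether it ran depends on the server executing PHP from the upload directory at all. The simplest prevention on an Apache/mod_php host is to turn the engine off for that directory (for example `php_admin_flag engine off` in the vhost `<Directory>` block for the uploads path) and to store uploads under server-chosen names outside the document root, so a file that slips past validation still cannot be executed.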

On Tue, Jul 5, 2022 at 9:53 PM KK CHN <kkchn.in@xxxxxxxxx> wrote:
https://pastebin.com/YspPiWif

One of the websites hosted by a customer on our Cloud infrastructure was compromised, and the attackers were able to replace the home page with their banner html page.

The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

From the above log, can someone point out what exactly happened and how they are able to deface the home page.

How to prevent these attacks? What is the root cause of this vulnerability and how did the attackers get access?

If any other logs or command-line outputs are required to trace this back, kindly let me know what other details I have to produce.

Kindly share your expertise in dealing with these kinds of attacks, tracing the root cause, and prevention measures to block this.

Regards,
Krish


