Hi, Please keep in mind that I'm not a security expert. Something about this says that they did not get root access to the machine. Are you absolutely sure that "root-only" files we're changed? Reasons for my thinking are:The rogue processes are running under the Apache user (why not root?) You can still log in. (usually root-exploits change the root password first thing, sadly speaking from my own experience)
The rogue processes are located in /tmp which is world-writeable.If access was gained through Apache, and it was indeed running as an un-priviledged user, then they would need a second exploit to raise their access level to root. By default a security breach in apache should only compromise anything that Apache can touch.
On the other hand:If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault. If non-writeable files we're modified then an Apache / php exploit alone couldn't have done it. If system logs we're deleted that is almost certainly an indicator of a root-exploit.
If you conclude that root-access was indeed gained, then the machine must be considered lost. Do not try to repair it, as you can never be sure you removed all traces of the attacker. If you assume that it was only a apache / php exploit then repair is possible but a reinstall might be safer.
Good luck! Dennisp.s. if you have an off-site backup or remote logging try comparing data to see what has changed.
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|