Re: [users@httpd] irc eggdrop exploit woes

Eben Goodman wrote:
I actually know which user it got through on, it came in through an insecure php nuke application. I have since removed the nuke app, but the damage appears to be done, since this eggdrop crap is still running on the server. Is there a way to find, and remove the software once it has found its way on?

I would advise a reinstall. It usually works out to be the quickest and surest way of recovering from a hack.

If you're _certain_ that they never had root, I guess you could find and remove the files using pstree, netstat, fuser, and ls -a. (pstree -up to find out what's spawning the rogue process, netstat and fuser to find out what ports are open and what opened them, ls -a to find hidden .files and .directories)

From my experience the bot scripts will be in a hidden .directory somewhere apache can write to (usually /tmp or /dev/shm) and started by the apache user's crontab.

If you have any reason to suspect that the attacker ever had root access, reinstall the OS. They'll likely have installed all kinds of backdoors, trojaned logins, kernel modules, and who knows what else. It's just not practical to track down and remove all that stuff and you can never really be sure you found everything.

--
Disclaimer: Any disclaimer attached to this message may be ignored.
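As an added illustration of the triage steps described in the reply above (hidden dot-directories in places the web server can write to, cron entries started from them, and listening sockets to review), here is a small POSIX shell helper. It is not from the thread or the Apache project; the directory names, the crontab text and the eggdrop paths used in the demo are constructed sample data.

```shell
#!/bin/sh
# Triage helper for the checks in the reply: hidden entries in writable
# locations, cron lines that run from them, and listening sockets.
# Added example, not part of the original mailing-list post.

# Print hidden entries (names starting with '.') directly under each given
# directory, skipping sockets dirs that exist on every X11 system.
find_hidden_entries() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for e in "$d"/.[!.]* "$d"/..?*; do
            [ -e "$e" ] || continue          # unmatched glob stays literal
            case "$(basename "$e")" in
                .X11-unix|.ICE-unix|.font-unix) continue ;;
            esac
            printf '%s\n' "$e"
        done
    done
}

# Read crontab text on stdin (e.g. `crontab -u www-data -l`) and print the
# entries that run something from /tmp, /var/tmp, /dev/shm or a hidden path.
suspicious_cron_lines() {
    grep -Ev '^[[:space:]]*(#|$)' \
      | grep -E '(^|[[:space:]/])(/tmp|/var/tmp|/dev/shm)/|/\.[^/[:space:]]+' || true
}

# Listening sockets with owning process (the netstat/fuser step); review
# anything not belonging to a known service.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then ss -ltnup 2>/dev/null
    else netstat -ltnup 2>/dev/null; fi
}

# Demonstration on constructed data: a fake /tmp and a fake crontab.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/.x/eggdrop" "$t/.X11-unix"      # constructed sample layout
    : > "$t/.x/eggdrop/eggdrop.conf"
    find_hidden_entries "$t"
    printf '%s\n' '# m h dom mon dow command' \
        '*/10 * * * * /dev/shm/.x/eggdrop/eggdrop -m /dev/shm/.x/eggdrop/eggdrop.conf' \
        '0 3 * * * /usr/bin/logrotate /etc/logrotate.conf' | suspicious_cron_lines
    rm -rf "$t"
}
demo
```

On a live box you would run `find_hidden_entries /tmp /var/tmp /dev/shm`, pipe the web user's crontab into `suspicious_cron_lines`, and compare `listening_sockets` against the services you expect.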

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


