[users@httpd] I believe I've been compromised.

I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday I'm seeing a ton of files created in spots they should be. All created by wwwrun (the webserver). I'm finding PHP scripts that are blatantly commented with hacker code, _vti_ directories in sites and this server doesn't have FP running on it. Cron jobs owned by wwwrun have been created and I can see my machine connected to a strange IP on port 22, which is telling me that my machine has opened an ssh connection with their server.

I'm seeing files that execute PHP Shell 1.7 which allows them to execute commands via a form.

Has anyone ever run into this kind of problem? I've never really been hacked like this before and I keep thinking I have it cleaned up but it doesn't appear that way. One script had this in it: Powered By #KARTUBEBEN CrEW @ DALnet

I know this may be a bit OT but any thoughts or suggestions would be greatly helpful and appreciated.

Thanks!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
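
A read-only triage sketch for the file-system indicators described in the message above (files owned by the web server account, `_vti_` directories, and scripts carrying the quoted marker strings). This is an added example, not part of the original post; it assumes GNU find and grep, the function names are hypothetical, the document root, account and cutoff date are supplied by the caller, and the assumption that the literal text `PHP Shell` appears inside the dropped files is mine.

```shell
#!/bin/sh
# Added example: list-only checks, nothing is modified or deleted, so the
# evidence (timestamps, ownership) stays intact for later analysis.
# Assumes GNU find (-newermt) and GNU grep.

# Files under $1 owned by account $2 (name or numeric uid) and modified
# after date $3, e.g. the day before the first suspicious activity.
recent_files_by_owner() {
    find "$1" -xdev -type f -user "$2" -newermt "$3" -print 2>/dev/null | sort
}

# _vti_* directories under $1. On a server that never ran FrontPage
# extensions these should not exist at all.
vti_dirs() {
    find "$1" -xdev -type d -name '_vti_*' -print 2>/dev/null | sort
}

# PHP files under $1 containing either marker string quoted in the post.
# Assumption: the strings appear literally in the file contents.
marked_php() {
    find "$1" -xdev -type f -name '*.php' \
        -exec grep -lE 'PHP Shell|KARTUBEBEN' {} + 2>/dev/null | sort
}

# Stand-alone use: triage.sh <docroot> <account> <since-date>
if [ "$#" -ge 3 ]; then
    echo "== files owned by $2 modified after $3 =="
    recent_files_by_owner "$1" "$2" "$3"
    echo "== _vti_ directories =="
    vti_dirs "$1"
    echo "== PHP files with marker strings =="
    marked_php "$1"
fi
```

The cron jobs and the outbound port 22 connection mentioned in the post are not covered here and need to be checked separately.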


