Re: Server Hacked
I am almost certain that the system was compromised due to b2evolution
(phpBB, too, if it uses xmlrpc). Many PHP applications are vulnerable
due to issues within XML-RPC, specifically http://<host>/xmlrpc.php.
There are readily available exploits that will give the
attacker a command line via this vector. With that said - if you
configured Apache to run as a restricted user (i.e. nobody), then the
attacker would have only modified pages to which the restricted account
had write access.
There are mass autorooter worms traveling around that perform this
automatically: successfully exploit, change all index.* pages, drop an
IRC/DDoS daemon into a hidden (or not so hidden) directory. Hint: check
/tmp for weird binaries and other files.
Run a find command to look for all modified files within the last N hours,
i.e. for all files owned by nobody and modified within the last 24 hours (N x 24):
find / -user nobody -mtime -1 -print
run this perl script to exploit yourself:
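The find check described above, as an added example that is not the poster's code (and not the Perl script referred to above): it measures the window in hours rather than days, adds the index.* and /tmp checks from the post, and assumes a find that supports -mmin and octal -perm (GNU and BSD both do).

```sh
#!/bin/sh
# Added example, not from the original post. Lists files under a root that are
# owned by a given account (the Apache user, e.g. nobody) and were modified
# within the last N hours, and flags executables dropped in a scratch
# directory such as /tmp. Assumes find supports -mmin and octal -perm.

# Files owned by $2 under $1, modified less than $3 hours ago.
recent_files_by_user() {
    root=$1; owner=$2; hours=$3
    find "$root" -xdev -type f -user "$owner" -mmin "-$((hours * 60))" -print 2>/dev/null
}

# index.* pages under $1 modified less than $2 hours ago
# (the files a mass defacement typically rewrites).
recent_index_pages() {
    find "$1" -xdev -type f -name 'index.*' -mmin "-$(($2 * 60))" -print 2>/dev/null
}

# Regular files with the owner-execute bit set under a scratch directory $1.
scratch_executables() {
    find "$1" -xdev -type f -perm -100 -print 2>/dev/null
}

# Usage on a live web server (paths and account are placeholders):
#   recent_files_by_user /var/www nobody 24
#   recent_index_pages /var/www 48
#   scratch_executables /tmp
```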
Matt Thorne wrote:
Personally I think that you would find a lot of mostly related information at
under tools they have some programs that allow you to interrogate hacked comps.
The thing that might be most interesting is to look in the
"whitepapers" section and see how they respond to their hacked
computers. I realize that this isn't a how-to or a step by step, but I
am pretty certain that the information will be useful to you.
Anyway, this is getting even more off-topic.
I'm still sort of surprised that this group of what I thought was fairly
skilled developers hasn't provided one link or suggestion on how best to
1) identify the vulnerability exploited on a hacked server or 2)
identify the likely perpetrator of a defacement. Searching around I find
lots about how to prevent hacks in the first place but very little
that's helpful in dealing with it once it's happened.