
Re: Server Hacked

I am almost certain that the system was compromised due to b2evolution (phpBB, too, if it uses xmlrpc). Many PHP applications are vulnerable due to issues within XML RPC, specifically http://<host>/xmlrpc.php .. There are readily available exploits that will give the attacker a command line via this vector. With that said - if you configured Apache to run as a restricted user (i.e. nobody), then the attacker would have only modified pages which the restricted account had access to write.

There are mass autorooter worms traveling around that perform this automatically: successfully exploit, change all index.* pages, drop an IRC/DDoS daemon into a hidden (or not so hidden) directory. Hint: check /tmp for weird binaries and other files.

Run a find command to look for all modified files within the last N hours.

for all files owned by nobody and modified within the last 24 hours ( N x 24)
find / -user nobody -mtime -1 -print

run this perl script to exploit yourself:

Other reading:

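One way to script the two checks described in the reply above (recently modified files owned by the web-server user, and odd files sitting in /tmp), written as an added example that is not part of the thread. It assumes a POSIX find(1) and touch(1); the sample tree it builds under mktemp is constructed for the demo, and the web-server user name is a parameter (on the list poster's setup it would be nobody):

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): post-compromise triage
# helpers. Assumes POSIX find/touch/mktemp. The sample tree is constructed
# here for the demo; in real use point the functions at / and /tmp.

# List regular files under ROOT owned by USER and modified less than DAYS
# days ago. This is the thread's "find / -user nobody -mtime -1" check.
recent_files_owned_by() {
    root="$1"; user="$2"; days="$3"
    find "$root" -user "$user" -type f -mtime "-$days" -print 2>/dev/null | sort
}

# Report regular files in DIR that are executable by the owner, start with a
# dot, or contain a space in the name: the "weird binaries in /tmp" check.
suspicious_in_tmp() {
    dir="$1"
    find "$dir" -type f \( -perm -100 -o -name '.*' -o -name '* *' \) -print 2>/dev/null | sort
}

# Build a constructed sample tree: one freshly defaced page, one untouched
# old page, one hidden executable under tmp and one harmless text file.
build_sample() {
    base="$1"
    mkdir -p "$base/www" "$base/tmp/.hidden"
    printf '<html>defaced</html>\n' > "$base/www/index.html"   # recent mtime
    printf 'old content\n' > "$base/www/about.html"
    touch -t 200001010000 "$base/www/about.html"                # old mtime
    printf '#!/bin/sh\necho bot\n' > "$base/tmp/.hidden/ircd"
    chmod u+x "$base/tmp/.hidden/ircd"
    printf 'harmless\n' > "$base/tmp/notes.txt"
}

# Run both checks against the constructed tree, using the current user in
# place of the web-server account so the demo works without root.
demo() {
    base=$(mktemp -d)
    build_sample "$base"
    echo "== files owned by $(id -un) modified in the last day under $base/www"
    recent_files_owned_by "$base/www" "$(id -un)" 1
    echo "== suspicious entries under $base/tmp"
    suspicious_in_tmp "$base/tmp"
    rm -rf "$base"
}
demo
```

On a live box the calls would be `recent_files_owned_by / nobody 1` and `suspicious_in_tmp /tmp`; run them from a trusted shell and write the output somewhere off the host, since a modified find or ls on the compromised system cannot be trusted.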

Matt Thorne wrote:

Personally I think that you would find a lot of mostly related information at


under tools they have some programs that allow you to interrogate hacked comps.
The thing that might be most interesting is to look in the
"whitepapers" section and see how they respond to their hacked
computers. I realize that this isn't a how-to or a step by step, but I
am pretty certain that the information will be useful to you.

Good luck


Anyway, this is getting even more off-topic.

I'm still sort of surprised that this group of what I thought was fairly
skilled developers hasn't provided one link or suggestion on how best to
1) identify the vulnerability exploited on a hacked server or 2)
identify the likely perpetrator of a defacement. Searching around I find
lots about how to prevent hacks in the first place but very little
that's helpful in dealing with it once it's happened.