Linux, Unix, and *nix like Operating Systems Forum

help - site was hacked :(
stuartc1

Msg#: 1729 posted 7:27 pm on May 12, 2006 (gmt 0)

Hi,

Today I found one of my sites hacked - someone managed to upload some file 'c99shell' to a directory - I have no idea how.

I managed to restore the hacked page - but I have many sites hosted on the server and I'm worried they have planted more of these scripts.

I would be grateful if anyone can tell me how to do a search to find any files modified/created today - is there a command I can run (I'm using Linux Fedora)?

Would also be interested to find out how to prevent this from happening again.

Any help would be great.

 

jatar_k

Msg#: 1729 posted 7:51 pm on May 12, 2006 (gmt 0)

from everything I am looking at it seems to be a shell written in php

you may have more serious problems but I am sure you know that

[isc.sans.org...]

I would guess an upload script somewhere is the exploited culprit

I am sure someone can offer a grep that would work to find files created today

rharri

Msg#: 1729 posted 9:14 pm on May 13, 2006 (gmt 0)

find / -mtime -1 should do the job. You could direct the results into a file with:
find / -mtime -1 > files.txt

However, it's unlikely that all of the changed files in an exploit will be found so easily. You face having to find out how you were hacked (so it won't happen again), scrubbing your machine and re-installing. Hope you have clean backups of your data (if any).

Bob
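A fuller version of the find above, added here as an example that is not part of the original thread. It checks both mtime and ctime (an intruder can backdate mtime with touch, but the kernel updates ctime on every inode change, so a backdated file still shows up), and it prunes /proc, /sys, /dev and /run so a scan from / does not walk pseudo-filesystems. The function names and the N-days argument are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: list regular files whose modification time
# (mtime) OR inode change time (ctime) falls within the last N days.
# Usage: recent_files ROOT DAYS
recent_files() {
    root=$1
    days=$2
    # The first group prunes pseudo-filesystems when ROOT is /; under any other
    # root those paths simply never match. -mtime/-ctime "-N" means "less than
    # N*24 hours ago". Both timestamps are checked so a file whose mtime was
    # reset with `touch -t` is still reported via its ctime.
    find "$root" \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
        -o -type f \( -mtime "-$days" -o -ctime "-$days" \) -print 2>/dev/null | sort
}

# Quick sanity count of recently changed files under ROOT.
recent_count() {
    recent_files "$1" "$2" | wc -l | tr -d ' '
}

# Example run (uncomment): recent_files / 1 > files.txt
```

Compare the output against a known-clean copy or against package verification (rpm -Va on Fedora) rather than trusting the list on its own, since nothing here proves a file that was *not* listed is clean.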

StupidScript

Msg#: 1729 posted 8:27 pm on May 17, 2006 (gmt 0)

Ouch. Once the server has been hacked, every file on it becomes suspect. If they planted one file in your system, you can expect that there are many more and that your system files have been replaced with bad-guy files that contain stuff like hidden backdoors, keyloggers, detection scripts, etc., etc. Most likely your log files have been altered, as well.

The only sure way to recover from a hack as you describe is to wipe the machine and reinstall the OS, then reinstall your user files from a known-clean backup, from prior to the break-in.

Once you do the OS reinstall, be sure to (a) "harden" the system with a tool like Bastille or similar, (b) install a few IDS (Intrusion Detection System) programs to continually monitor your system for attack attempts and (c) instigate a full backup procedure that dumps the data to a secondary drive that is not normally accessible (i.e. mount it, do the backup, unmount it).

It's a pain, that's for sure.
