  1. #1
    Just Joined! | Join Date: Sep 2006 | Posts: 3

    Question: Index files hacked

    Hi,
    We have a Linux web server with more than 1000 websites. Hackers are hacking the index files of this server using a perl script which is uploaded to the /tmp directory.
    php -m is giving the output below:

    [PHP Modules]
    bz2
    calendar
    ctype
    curl
    date
    dbase
    dom
    exif
    filter
    ftp
    gd
    gettext
    gmp
    hash
    iconv
    imap
    ionCube Loader
    json
    ldap
    libxml
    mbstring
    mcrypt
    mysql
    mysqli
    openssl
    pcntl
    pcre
    PDO
    pdo_mysql
    pdo_sqlite
    readline
    Reflection
    session
    shmop
    SimpleXML
    sockets
    SPL
    standard
    tokenizer
    wddx
    xml
    xmlreader
    xmlwriter
    xsl
    zip
    zlib

    [Zend Modules]
    the ionCube PHP Loader

  2. #2
    Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,410
    The php module list doesn't help much.

    Did you already identify how the attack was done?
    Are you 100% sure that your server is compromised?
    Because then the only logical solution is to shut it down,
    rebuild another machine, sanitize the data, transfer the data and start the sites on the new machine.
    You must always face the curtain with a bow.

  3. #3
    Kloschüssel (Linux Engineer) | Join Date: Oct 2005 | Location: Italy | Posts: 773
    Steps to do:
    * confirm that your server has been compromised
    * inform your customers that you're going to shut down the service as long as this issue is not resolved, as you really care for the safety of customers' data
    * restrict access to this server to a limited number of IPs (only your engineers should access the server)
    * identify the damage done
    * then determine what steps need to be taken to clean customers' data
    * then set up a new server from scratch
    * take all steps needed to secure the server and prevent this incident from happening again
    * finally import the customers' data, nicely cleaned up and checked so that it doesn't contain any malicious stuff

    If in this process you find out that it was one of your customers' fault, blame him in public and send him a huge bill .. *joking*
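
As an added example (not code from the thread or from any of the posters), a small POSIX shell triage script for the "confirm compromise" and "identify the damage done" steps above: it lists index files changed recently under a web root and interpreter scripts dropped in a /tmp-style directory. The web root layout, the 7-day window and the demo tree it builds are constructed assumptions.

```shell
#!/bin/sh
# Triage helper for a shared web host: which index files changed recently,
# and which files in an upload location look like dropped interpreter scripts.
# Paths, the 7-day window and the demo tree are assumptions for this example.

# find_changed_index WEBROOT [DAYS]: index.* files modified in the last DAYS days.
find_changed_index() {
    find "$1" -type f \( -name 'index.php' -o -name 'index.html' -o -name 'index.htm' \) \
        -mtime "-${2:-7}" 2>/dev/null | sort
}

# find_dropped_scripts DIR: regular files under DIR (two levels deep) that end
# in .pl or begin with a "#!" interpreter line, the usual shape of an uploaded
# perl script. Hidden files are included because find does not skip them.
find_dropped_scripts() {
    find "$1" -maxdepth 2 -type f 2>/dev/null | sort | while IFS= read -r f; do
        case "$f" in *.pl) printf '%s\n' "$f"; continue ;; esac
        if head -n 1 "$f" 2>/dev/null | grep -q '^#!'; then
            printf '%s\n' "$f"
        fi
    done
}

# build_demo_tree: constructed sample layout (not from the thread) so the helpers
# can be exercised offline; prints the temporary root it created.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/www/site1" "$root/www/site2" "$root/tmp"
    printf '<?php echo "hello";\n' > "$root/www/site1/index.php"      # changed now
    printf '<html>old</html>\n' > "$root/www/site2/index.html"
    touch -t 202001010000 "$root/www/site2/index.html"                # untouched for years
    printf '#!/usr/bin/perl\nprint "x";\n' > "$root/tmp/.x"           # hidden dropped script
    printf 'just a log line\n' > "$root/tmp/notes.txt"                # harmless file
    printf '%s\n' "$root"
}

# Demo run against the constructed tree; a real run would point the two
# helpers at the actual web root and /tmp instead.
demo=$(build_demo_tree)
echo "== index files changed in the last 7 days =="
find_changed_index "$demo/www" 7
echo "== interpreter scripts under $demo/tmp =="
find_dropped_scripts "$demo/tmp"
rm -rf "$demo"
```

On a real host, compare the changed-file list against a deployment baseline or backups rather than trusting timestamps alone, since an attacker with write access can reset them.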
