Index files hacked
We have a Linux web server with more than 1000 websites. Hackers are hacking the index files of this server using a Perl script which is uploaded to the /tmp directory.
php -m is giving the below output
the ionCube PHP Loader
The PHP module list doesn't help much.
Did you already identify how the attack was done?
Are you 100% sure that your server is compromised?
Because then the only logical solution is to shut it down,
rebuild another machine, sanitize the data, transfer the data and start the sites on the new machine.
steps to do:
* confirm that your server has been compromised
* inform your customers that you're going to shut down the service as long as this issue is not resolved, as you really care for the safety of customers' data
* restrict the access to this server to a limited number of IPs (only your engineers should access the server)
* identify the damage done
* then determine what steps need to be taken to clean customers data
* then set up a new server from scratch
* take all steps needed to secure the server and prevent this incident from happening again
* finally import the customers' data, nicely cleaned up and checked that it doesn't contain any malicious stuff
if in this process you find out that it was one of your customers' fault, blame him in public and send him a huge bill :-D .. *joking*
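For the "confirm that your server has been compromised" and "identify the damage done" steps, here is an added shell helper (my own example, not code from this thread). It assumes GNU coreutils (`sha256sum`, `comm`), that all web roots sit under one parent directory, and that a hash baseline was built earlier from a known-good copy (backup or fresh deploy) of that same tree.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers for triaging a
# suspected index-file defacement across many web roots.
# Assumptions: GNU coreutils (sha256sum, comm) and a baseline built
# earlier from a known-good copy of the same directory tree.

# build_baseline WEBROOT BASELINE_FILE
#   Records the sha256 of every index.* file under WEBROOT. Run this on a
#   clean copy (backup or freshly deployed code), never on the suspect box.
build_baseline() {
    find "$1" -type f -name 'index.*' -exec sha256sum {} + < /dev/null > "$2"
}

# check_index_files WEBROOT BASELINE_FILE
#   Prints the path of every index.* file that is either absent from the
#   baseline (newly dropped) or whose content hash no longer matches it
#   (modified). Prints nothing when everything matches.
check_index_files() {
    base_sorted=$(mktemp)
    cur_sorted=$(mktemp)
    LC_ALL=C sort "$2" > "$base_sorted"
    find "$1" -type f -name 'index.*' -exec sha256sum {} + < /dev/null \
        | LC_ALL=C sort > "$cur_sorted"
    # comm -13: lines only in the current listing, i.e. hash+path pairs the
    # baseline never saw. Strip the hash so only paths are printed.
    LC_ALL=C comm -13 "$base_sorted" "$cur_sorted" | sed 's/^[0-9a-f]*  //'
    rm -f "$base_sorted" "$cur_sorted"
}

# find_dropped_scripts DIR
#   Lists regular files directly inside DIR (e.g. /tmp) that begin with a
#   shebang line, which is how an interpreter script left in a world-writable
#   directory usually looks. Preserve and review each hit; do not execute it.
find_dropped_scripts() {
    find "$1" -maxdepth 1 -type f | while IFS= read -r f; do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            '#!'*) printf '%s\n' "$f" ;;
        esac
    done
}

# Usage: ./triage.sh WEBROOT BASELINE_FILE [TMPDIR]
if [ "$#" -ge 2 ]; then
    echo "== index files that differ from baseline =="
    check_index_files "$1" "$2"
    echo "== shebang scripts in ${3:-/tmp} =="
    find_dropped_scripts "${3:-/tmp}"
fi
```

Copy the hit list and the matching files off the box (with timestamps, via `stat`) before cleaning anything, since the baseline comparison tells you what changed but the file metadata and web logs are what tell you when and through which site.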