So.. it was some form of injection attack on the guestbook php which gained some kind of write permissions?

Is that as far as compromisation got before you restored the server? Are you sure admin wasnt taken? You changed the password after restore?

Are you certain the restore is not itself a compromised backup with previous intrusions? Spotting one attack in progress does not always mean that was all that was done or for how long.

For now I would look for a better guestbook or remove that feature.

And look to hardening the box as suggested earlier. I do not think your problem is solved yet until everything mentioned earlier is covered. Good luck.

You probably have insecure software here. It's no use just removing that module. Is the developer aware of this compromise (r57 injection). You should also know that if they got access through r57 then they may have installed other software - have you checked and found anything? Has the developer released an updated package that will prevent this form of injection?
Do yourself a favour and investigate & implement mod-security ( http://www.modsecurity.org )asap if you are running php apps. Trust me I learnt the hard way a year or so ago when someone attacked a faulty php app with r57.

You might want to remove or update the app. It's a well-known vuln: http://www.securityfocus.com/bid/22858/exploit. Any app. with a hole that big likely has others yet to be found.

Same style of attack, right down to the use of r57shell:

Consider Mod Security.

Hi guys,

sorry, didn't have time to reply earlier.
Yes all passwords changed. Mod security installed (still need a bit of config but it will come).
The restored backup comes from another server that is 'clean'...(local server).
File comparision done and yes there where other uploaded files!
Honestly I played with this shell to see what it was capable of...nice job ;-).
So now, I take a bit of my time to configure modsecurity and to optimize it.

Thanks a lot for all you replies!!!

macadam

You need to install mod_security on your server. This adds a layer of protection to GET/POST requests on Apache.

Ummm - I don't think I could tell you what EVERY file on my UNIX or Linux system is either. I might tell you whether it is a binary, device, script, text (that is to say TYPE of file) but to actually know the purpose of all the binaries, config files and libraries one gets by default seems a bit much.

Not to say M$ isn't a joke of an OS but expecting people to know what every one of 16,000 to 20,000 files do seems a bit much. Even IT security auditors just check for setuid etc... rather than trying to determine if every file has meaning.

Even if one knew what the files "usually" were there is no guarantee they haven't been modified in some way.

More on this later - first I have to investigate my Solaris "Door" files further...

Good stuff, if you need some help with Mod security 1x rulesets let me know.

Hi RampRage,

thank you for your proposal. I will come to you if needed ;-)
For the moment, I manage quite well the rules (I have version 2).
I am impressed by this tool...very efficient.
And it even comes with a good 'standard rules' package.

Regards,

christophe

Here is nice whitepaper about remote file inclusions and other vulns concerning linux.
http://www.beyondsecurity.com/whitep...on_VBFeb07.pdf

Future doesn't look nice ..