Hi all,

A php application in my server got phishing attack.I found many new files inside that application folder.

I dont know how this hack had been happened.We dont have ftp access for that application.

Can any one please explain me how the hacker would have uploaded these files in to my application.

And how to get rid of this.At present i have stopped my application.

Your suggestions please.

I don't think anybody can explain it without more infomation.

Hi,

What are the information i need to provide.I am ready to share.

In this forum members post about problems that may or may not be security issues. These members are often new to Linux and may need more than the average amount of guidance. I ask you to reply not "just because you can" but only if you really want to help. Troubleshooting will be more efficient if you have (and will provide) a rudimentary understanding of Linux security and can anticipate the OPs questions.


Where is the server located (home, work, colocation)? Is it shared or a VPS? Is it yours (root access)?
What is the name of the application?
If it's not homebrewn software, which version exactly?
Was it installed correctly? (No setup files left, proper access permissions)
Was it publicly accessible? (HTTPS vs HTTP, .htaccess or other access restrictions)


Which files? (Post list from running '/bin/ls --time-style=long-iso --quoting-style=c -altr /path/to/files;' as root.)
Do any of the web servers logs reference files found or show odd entries (often multiple lines) involving (output of) GET, curl, wget or other wget-like applications?
Do any of the web servers logs show other anomalies around the times the files were placed?


If you can not confirm downloading is due to one specific application it would be best to stop the web server for the duration of the investigation.
Please confirm no other problems have arisen before, during and after file placement. If unsure which steps to follow please use this checklist:
Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html
Please post back the results if any.

* Please stay with the thread (subscribe?) until completion and reply as soon as possible when replies are posted.

2 members found this post helpful.