Quote:
Originally Posted by eeekster
I don't think anybody can explain it without more information.
In this forum members post about problems that may or may not be security issues. These members are often new to Linux and may need more than the average amount of guidance. I ask you to reply not "just because you can" but only if you really want to help. Troubleshooting will be more efficient if you have (and will provide) a rudimentary understanding of Linux security and can anticipate the OP's questions.
Quote:
Originally Posted by dinakumar12
A PHP application on my server got a phishing attack.
Where is the server located (home, work, colocation)? Is it shared or a VPS? Is it yours (root access)?
What is the name of the application?
If it's not homebrew software, which version exactly?
Was it installed correctly? (No setup files left, proper access permissions)
Was it publicly accessible? (HTTPS vs HTTP, .htaccess or other access restrictions)
Quote:
Originally Posted by dinakumar12
I found many new files inside that application folder.
Which files? (Post list from running '/bin/ls --time-style=long-iso --quoting-style=c -altr /path/to/files;' as root.)
Do any of the web server's logs reference the files found, or show odd entries (often multiple lines) involving (the output of) GET, curl, wget or other wget-like applications?
Do any of the web server's logs show other anomalies around the times the files were placed?
Quote:
Originally Posted by dinakumar12
How to get rid of this? At present I have stopped my application.
If you cannot confirm the downloading is due to one specific application, it would be best to stop the web server for the duration of the investigation.
Please confirm no other problems have arisen before, during and after file placement. If unsure which steps to follow please use this checklist:
Intruder Detection Checklist (CERT):
http://web.archive.org/web/200801092...checklist.html
Please post back the results if any.
* Please stay with the thread (subscribe?) until completion and reply as soon as possible when replies are posted.
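As an added illustration of the log review asked for above (this is not code from the thread or from any of its participants), the following Python script parses a few constructed Apache combined-format access log lines, flags entries whose user agent is a download tool such as wget or curl or whose query string passes a remote URL as a parameter, and pulls out every request within a few minutes of a file's modification time as reported by ls --time-style=long-iso. The sample lines, IP addresses and paths are all made up for the example; the two indicator patterns are assumptions about what "wget-like" activity tends to look like, not an exhaustive signature set.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache "combined"-format lines for demonstration only
# (addresses from documentation ranges; none of this is from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2010:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2010:10:14:05 +0000] "GET /img/logo.png HTTP/1.1" 200 812 "http://example.test/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2010:10:31:40 +0000] "GET /app/view.php?page=http://203.0.113.99/x.txt HTTP/1.1" 200 340 "-" "Wget/1.12 (linux-gnu)"
198.51.100.7 - - [12/Mar/2010:10:31:41 +0000] "POST /app/upload.php HTTP/1.1" 200 15 "-" "curl/7.19.7"
192.0.2.8 - - [12/Mar/2010:11:02:10 +0000] "GET /app/cache/paypal/index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed indicators: command-line fetch tools in the user agent, and a query
# parameter whose value is itself a URL (the shape a remote-include attempt takes).
TOOL_UA_RE = re.compile(r'wget|curl|libwww-perl|python-urllib|fetch', re.I)
REMOTE_URL_PARAM_RE = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.I)


def parse_log(text):
    """Return one dict per parseable line, with method, path and an aware datetime."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        d = m.groupdict()
        parts = d['request'].split()
        d['method'] = parts[0] if parts else '-'
        d['path'] = parts[1] if len(parts) > 1 else '-'
        d['when'] = datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z')
        entries.append(d)
    return entries


def flag_entry(entry):
    """List the reasons (if any) an entry deserves a closer look."""
    reasons = []
    if TOOL_UA_RE.search(entry['ua']):
        reasons.append('download-tool user agent: ' + entry['ua'])
    if REMOTE_URL_PARAM_RE.search(entry['path']):
        reasons.append('remote URL passed as a query parameter')
    return reasons


def suspicious_entries(entries):
    """Pairs of (entry, reasons) for every entry that matched an indicator."""
    return [(e, flag_entry(e)) for e in entries if flag_entry(e)]


def entries_near(entries, mtime_iso, minutes=5):
    """Entries within +/- minutes of a timestamp such as '2010-03-12 10:32'
    (the format printed by ls --time-style=long-iso); a naive value is taken as UTC."""
    when = datetime.fromisoformat(mtime_iso)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    window = timedelta(minutes=minutes)
    return [e for e in entries if abs(e['when'] - when) <= window]


if __name__ == '__main__':
    log = parse_log(SAMPLE_LOG)
    for e, reasons in suspicious_entries(log):
        print(e['ts'], e['ip'], e['method'], e['path'], '->', '; '.join(reasons))
    print('requests around the file mtime:')
    for e in entries_near(log, '2010-03-12 10:32'):
        print(' ', e['ts'], e['ip'], e['method'], e['path'])
```

Feed the script the real access log (and a file mtime taken from the ls output requested above) to get a short list of requests worth reading in full; a hit on either indicator is a reason to look, not proof of compromise, so the surrounding lines and the error log still need to be reviewed by hand.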