LinuxQuestions.org
Old 04-09-2010, 05:28 AM   #1
painterj
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Site definitely hacked. Can't delete files to restore backup.


Please have a look at my previous thread to get more details on my problem: http://www.linuxquestions.org/questi...mitted-800340/

I've discovered that after restoring my site's backup this has happened to me again. If someone could just help me to delete the hacked /home/crocbits directory so that I can restore the backup under the same username.

When I try to delete /home/crocbits I get this message when logged in as root:

Quote:
root@main [/home]# rm -f -R -d crocbits
rm: cannot remove `crocbits/public_html/makepoll.php': Operation not permitted
rm: cannot remove `crocbits/public_html/report.php': Operation not permitted
rm: cannot remove `crocbits/public_html/userhistory.php': Operation not permitted
rm: cannot remove `crocbits/public_html/showreport.php': Operation not permitted

root@main [/home]#
 
Old 04-09-2010, 06:51 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Hi.

Could you post the output from the following:
# ls -l crocbits/public_html/makepoll.php
# ls -ld crocbits/public_html
# lsattr crocbits/public_html/makepoll.php
# lsattr -d crocbits/public_html/

Dave
 
Old 04-09-2010, 07:23 AM   #3
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Quote:
Originally Posted by ilikejam
Hi.

Could you post the output from the following:
# ls -l crocbits/public_html/makepoll.php
# ls -ld crocbits/public_html
# lsattr crocbits/public_html/makepoll.php
# lsattr -d crocbits/public_html/

Dave
I just read your other post and would also think about the attributes.
 
Old 04-09-2010, 09:05 AM   #4
painterj
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Quote:
Originally Posted by ilikejam
Hi.

Could you post the output from the following:
# ls -l crocbits/public_html/makepoll.php
# ls -ld crocbits/public_html
# lsattr crocbits/public_html/makepoll.php
# lsattr -d crocbits/public_html/

Dave
Hi Dave,

Here you go:

Quote:
root@main [/]# ls -l /home/crocbits/public_html/makepoll.php
-rw-r--r-- 1 504 501 8465 Mar 13 08:56 /home/crocbits/public_html/makepoll.php
root@main [/]#
Quote:
root@main [/]# ls -ld /home/crocbits/public_html
d--------- 13 504 nobody 4096 Mar 30 12:08 /home/crocbits/public_html/
root@main [/]#
Quote:
root@main [/]# lsattr /home/crocbits/public_html/makepoll.php
------------- /home/crocbits/public_html/makepoll.php
root@main [/]#
Quote:
root@main [/]# lsattr -d /home/crocbits/public_html/
-----a------- /home/crocbits/public_html/
root@main [/]#
Thanks for your help so far. Appreciate it.

Jean
 
Old 04-09-2010, 09:38 AM   #5
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Hi again.

There's the beastie. You've got 'append only' set on the directory, so you can't remove files. Do:
# chattr -a /home/crocbits/public_html/
as root and you should be good to go.

Dave
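An added example, not from this thread or from Dave: a small POSIX shell filter that reads lsattr output and reports every entry carrying the append-only (a) or immutable (i) attribute, the two flags that make rm fail even for root, so a restored host can be audited for them before they bite again. The sample lines are constructed to mirror the thread's output in lsattr -R format.

```shell
#!/bin/sh
# Added example (not from the thread). lsattr prints the attribute field first,
# then the path, e.g. "-----a------- /home/crocbits/public_html/".
# 'a' (append-only) on a directory lets entries be created but not removed or
# renamed; 'i' (immutable) blocks every change. Both survive chmod/chown and
# ignore root until cleared with 'chattr -a' / 'chattr -i'.

# Read lsattr output on stdin; print "<reason> <path>" for every entry that
# carries 'a' or 'i'. Directory headers from 'lsattr -R' ("/home/crocbits:")
# have one field and are skipped; paths containing spaces are kept whole.
find_locked() {
    awk '$1 ~ /^[A-Za-z-]+$/ && NF >= 2 {
        attrs = $1
        path = $0
        sub(/^[^ ]+ +/, "", path)
        why = ""
        if (index(attrs, "i") > 0) why = why "immutable "
        if (index(attrs, "a") > 0) why = why "append-only "
        if (why != "") printf "%s%s\n", why, path
    }'
}

# Constructed sample in lsattr -R layout, mirroring the thread's output
# (not real system data).
SAMPLE='/home/crocbits/public_html:
------------- /home/crocbits/public_html/makepoll.php
-----a------- /home/crocbits/public_html/
----i-------- /home/crocbits/public_html/.htaccess'

# Number of flagged entries in SAMPLE (the directory and .htaccess).
count_locked() {
    printf '%s\n' "$SAMPLE" | find_locked | wc -l | tr -d ' '
}

# Whole-tree audit on a live host (as root, on an ext2/3/4 filesystem):
#   lsattr -R /home 2>/dev/null | find_locked
```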
 
Old 04-09-2010, 11:04 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Can I ask why you think you've been cracked? At this point you've presented no evidence in either thread. However, if you have some evidence that you have been cracked, then merely replacing the problematic directory is not going to help you much. You need to investigate the source of the problem.
 
Old 04-09-2010, 04:34 PM   #7
painterj
LQ Newbie
 
Registered: Apr 2010
Posts: 10

Original Poster
Quote:
Originally Posted by Hangdog42
Can I ask why you think you've been cracked? At this point you've presented no evidence in either thread. However, if you have some evidence that you have been cracked, then merely replacing the problematic directory is not going to help you much. You need to investigate the source of the problem.
Well, this has now happened 2 times in a row at random times and I also have had a fake DMCA notice brought to my attention which turned out to be the competition trying to get my host to remove my site. The guy that submitted the DMCA claim didn't own the copyright. I realise there must be some kind of hole in the php app somewhere. I'm using a commercial script that has been tested so I assumed it to be quite secure. What still tickles me is that when the 'crack' happens my cPanel account goes into a suspended state as well.
 
Old 04-09-2010, 06:21 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

As you've found out the hard way, deleting the directory and restoring from backup gets you exactly nowhere. You need to find out what happened. For that you'd best start by verifying your OS installation, your web stack configuration (meaning of any Internet-facing or supporting services), and your system and daemon log files.
 
Old 04-09-2010, 10:25 PM   #9
fbsduser
Member
 
Registered: Oct 2009
Distribution: Hackintosh, SlackWare
Posts: 266

And run rkhunter and chkrootkit, there could be a rootkit there.
 
Old 04-10-2010, 07:38 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Quote:
I realise there must be some kind of hole in the php app somewhere.
If that is true, then there should be records in your log files. As unSpawn suggested, you need to start doing your homework on the machine. A good place to start developing evidence is the CERT checklist.

Quote:
I'm using a commercial script that has been tested so I assumed it to be quite secure.
When it comes to PHP, that is a really dangerous assumption to make. Any information you can supply along the lines of what unSpawn asked for is going to be necessary for any real help to happen here.

Quote:
Well, this has now happened 2 times in a row at random times and I also have had a fake DMCA notice brought to my attention which turned out to be the competition trying to get my host to remove my site. The guy that submitted the DMCA claim didn't own the copyright.
While certainly enough to generate a touch of suspicion, this really doesn't constitute evidence of a crack. The only way to solve this is by developing facts about the machine in question.
 
  

