LinuxQuestions.org > Forums > Linux Forums > Linux - Security
12-07-2003, 02:11 AM   #1
coolsphinx (LQ Newbie, registered Dec 2003)

how to find user activities on linux


My server was hacked (I think). I have a PHP server installed on my RedHat Linux 7.2. One day I found the website was down, because the PHP file can't find the libraries it needs, so I checked the php.ini and found that it was accessed on Dec/4/2003, not by me. I think someone else changed it. I then changed it back and now the server is up again. But I found some functions are changed for this website, so I wonder whether there is a way to find out who accessed the php.ini (username, the IP address of the machine he/she logs on from, access time and other activities he/she has done). I need this information to correct my website and improve security. I'm not familiar with the security stuff on Linux. Could you guys give me some help? Thanks so much! Need your help urgently!


best wishes
coolsphinx
 
12-07-2003, 03:29 AM   #2
chort (Senior Member, Silicon Valley, USA)
Well first, if you have physical access to the box, remove the network cable and keep it unplugged until you determine what happened. There's no sense in letting the (possible) cracker back in to do more damage (if the box really was compromised).

You can run "last" and see who has been logged in. Also check in /var/log/secure, assuming it wasn't tampered with (/var/log/wtmp may have been tampered with as well, so "last" won't necessarily tell you anything). In fact, check everything in /var/log for anomalies. Anything there may have been modified to cover up tracks, but on the other hand the attacker may have missed something or might not have been able to escalate privileges (perhaps they were just running amok as "www" or "nobody").

Check each home directory for a .history or .bash_history and see if they contain anything interesting.

Install and run chkrootkit and see if it detects anything. Check the size, date, and permissions of system binaries (ls, ps, top, netstat, w, who, etc) against known good copies, such as from the original install media (CD-ROM?).

Review this thread for other ideas of how to diagnose and deal with system break-ins.

By the way, when all is said and done please consider updating your OS version to something a little more current. If you want to stick with Red Hat, you should consider installing Fedora Linux, since Red Hat will no longer be providing security updates. Whatever you pick, make sure your OS of choice includes regular security updates that you have access to and most importantly, check regularly for such updates and install them! It's quite possible that you were compromised by one of several Apache and/or PHP vulnerabilities.
 
12-08-2003, 09:37 AM   #3
coolsphinx (Original Poster)
thank you very much

Thank you for your kind advice.
 
12-10-2003, 10:15 AM   #4
unSpawn (Moderator)
Coolsphinx, could you tell us if you found out stuff?
 
12-11-2003, 01:08 AM   #5
coolsphinx (Original Poster)
sorry, I didn't

In fact, I checked all the log files and used the methods the message above advised, but I can't find who did this, because I think some logs were lost, maybe deleted by the invader. But still, thanks to that person and your forum very much!

best
 
12-11-2003, 07:37 AM   #6
chort (Senior Member, Silicon Valley, USA)
By the way, you know you can view compressed log files, right? There's very likely a log rotate script on your box that compresses old log files to save space. You can use gzcat and less to view them, such as
$ gzcat /var/log/secure.0.gz | less
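The two chort posts above (#2 and #6) describe the same procedure: read the login records in /var/log/secure, including the rotated copies that logrotate has gzipped, and look through each home directory's shell history. The script below is an added example, not code from the thread or from any of its posters. It pulls the accepted sshd logins for one day out of the live log and every rotation in the same directory (detecting gzip by its magic bytes rather than by file name), then lists the non-empty history files. The log directory, the "Dec  4" day and the sample log lines are assumptions constructed for illustration; note that on Linux the decompressor is `zcat` (`gzcat` is the BSD name for the same tool), and that only sshd logins appear in secure, so console logins still have to come from `last`.

```shell
#!/bin/sh
# Added example, not code from the thread. Pulls the accepted-login records
# for one day out of /var/log/secure and its logrotate copies (secure.1,
# secure.2.gz, ...), then lists non-empty shell history files. The log
# directory, the "Dec  4" day and the sample log lines are assumptions
# constructed for illustration.

# Emit a log file's contents whether or not it is gzip-compressed. The gzip
# magic bytes (1f 8b) are checked instead of trusting the file name, since
# rotated logs are not always compressed. On Linux the tool is zcat; gzcat
# is the BSD name for the same thing.
cat_log() {
    if [ "$(od -An -N2 -tx1 "$1" | tr -d ' \n')" = "1f8b" ]; then
        zcat "$1"
    else
        cat "$1"
    fi
}

# logins_on LOGDIR "Mon DD": print "HH:MM:SS user ip method" for every
# sshd "Accepted ..." line stamped with that day, across all rotations.
# Pass the day exactly as syslog writes it, i.e. "Dec  4" (two spaces)
# or "Dec 14". Only sshd logins are covered; console logins live in
# wtmp (the "last" command), not here.
logins_on() {
    dir="$1"; day="$2"
    for f in "$dir"/secure "$dir"/secure.*; do
        [ -f "$f" ] || continue
        cat_log "$f"
    done | awk -v day="$day" '
        # e.g. Dec  4 02:13:11 web sshd[1234]: Accepted password for bob from 10.0.0.5 port 1234 ssh2
        substr($0, 1, 6) == day && / sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print $3, user, ip, $7
        }' | LC_ALL=C sort -u
}

# shell_histories HOMEROOT: list every non-empty .bash_history or .history
# at most two levels below HOMEROOT, so it covers /home/*/.bash_history,
# /root/.bash_history, or the same paths under /mnt/evidence when the disk
# is mounted from a rescue CD.
shell_histories() {
    find "$1" -maxdepth 2 -type f -size +0c \
        \( -name .bash_history -o -name .history \) | LC_ALL=C sort
}

# Usage on a live box (as root):
#   logins_on /var/log "Dec  4"
#   shell_histories /home; shell_histories /root
```

A login that lands in the output is a lead, not proof: the user and IP in a log line are only as trustworthy as the log, and an attacker with root can edit or truncate secure just as easily as wtmp. Cross-check the times against the mtime of php.ini and against whatever the rotated copies still hold, since a truncated live log often leaves the older rotations intact.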
 
12-11-2003, 02:58 PM   #7
TheSpork (Member, Norway)
Quote:
Originally posted by chort
Well first, if you have physical access to the box, remove the network cable and keep it unplugged until you determine what happened.
[The rest of the message is cut away]
I just want to make a small comment on this statement..

It's _not_ always smart to unplug the computer from the network, either by stopping it from the command line or by pulling the network cable. If you are actually hacked, it doesn't really make a difference with a couple more minutes online, because in many cases there is a (hidden) script running which deletes everything on the computer if the network is stopped in any way. The script is quite simple, and when the network is disabled, it starts a delete process. This is because most hackers (both good and bad) know that at least 99% of sysadmins will respond to the attack by pulling the plug.

Just to warn everybody...!
 
12-11-2003, 07:11 PM   #8
Capt_Caveman (Senior Member)
There are plenty of ways to "booby-trap" a system that aren't limited to testing if the networking is active (i.e. checking logs, executing chkrootkit, etc.). So you risk shooting yourself in the foot doing a lot of things. However, I don't think keeping your network active is necessarily the best solution either. Not only will it give whoever cracked your box a continued point of entry, but if your box is being used to attack a third party then, while you diddle around looking at logs, you could be providing an avenue for others to get cracked/DDoSed as well.

I think the best advice is, once you detect something strange, power off and disconnect your box. Then reboot with a CD-based distro and mount the suspect system read-only to do a thorough check.
 
12-12-2003, 01:33 AM   #9
TheSpork (Member, Norway)
I totally agree with you on that! The best thing is to power off, maybe even by pulling the power cord if that looks like the best solution. If you do as you say, boot from a CD distro (or something) and mount the partitions (preferably read-only so you don't destroy evidence), the scripts won't work or do any harm.

But my point was only to let people know that stopping the network isn't always a good idea, even though it might sound like the best solution.
 
12-12-2003, 02:16 AM   #10
chort (Senior Member, Silicon Valley, USA)
Well, it depends on the severity of the problem. If something merely "looks funny" then you probably don't want to unplug it. If, on the other hand, you're sending out hundreds of thousands of spam messages per hour and you can't locate the process doing it, I'd say it's much better to err on the side of mitigating active damage and just yank the cable. What's worse, not finding all the code from the exploit, or having a corporation or ISP come down on you for spamming? Quite likely your ISP would at least suspend your account for an incident like that. Same thing if your machine was participating in a DDoS attack against some other site: people might want to hold you liable if you knew your machine was acting maliciously yet did nothing to stop it.
 
  

