Old 07-03-2009, 02:40 PM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55


Quote:
Originally Posted by marciano
Yes, it is still alive.
Good. Might come in handy to check back things.


Quote:
Originally Posted by marciano
BTW another user (I only have fewer than 10!) got a problem. I think someone took his password from his infected computer; index files have been replaced by others with slight differences.
It may be a local password but it may be something else. Did this occur on the old or the new server? Did you scan the full contents of his account?


Quote:
Originally Posted by marciano
I still have to read your advice more carefully; some of it I have already performed.
Can you tell me exactly what measures you took to enhance security of the machine since this thread?


Quote:
Originally Posted by marciano
I need some help on the other post about Samhain.
I have not seen any questions in the other thread.
 
Old 07-03-2009, 09:58 PM   #17
marciano
Member
 
Registered: Oct 2005
Location: Uruguay
Distribution: CentOS 6.6 Ubuntu 12.4 MacOS 10.9
Posts: 121

Original Poster
Hello unSpawn.

Quote:
It may be a local password but it may be something else. Did this occur on the old or the new server? Did you scan the full contents of his account?
Well, I did perform 'find /home/user -print0 | xargs -0 file | tee /tmp/user.file' and I checked for non-coincidences.
How can I tell whether an HTML file contains such dirty links?
What about any other scripts, like Perl ones, that spammers execute?
You know that I live in a country where many people use unregistered software, Windows, antiAlls. So it is not strange that 'web designers' may catch some malware that steals their private data.
Anyway I have to rule out any other possibility.
Quote:
Can you tell me exactly what measures you took to enhance security of the machine since this thread?
All users' passwords have been changed.
I checked some implementation of verification data within forms, query strings and php mysql handling.
You asked me about Java and PHP image verification. The Java one is third-party; I don't know how it checks JPEG integrity, but after that I use some ImageMagick tools, and if they cannot be performed the uploaded file is removed.
Do you have a harmless file simulating an image for debugging (on my old server!)?
I use phpBB3 and MyBB forum apps. They are up to date.
I am also reading about Samhain. It is not yet installed; I have to check the new server and compare several settings between the servers.
I only have a few days to release the old server.

As for the backup system, I use a cron rsync job to back up from the remote to a local computer. Then I use a cron lftp job to copy all backups to a LAN HD (10-day rotation).
I believe rsync does not support incremental backups.
I've read about Amanda or something like that to perform backups. (I've just seen a Google advertisement here about Zmanda!)
What do you suggest?
Thank you

Last edited by marciano; 07-03-2009 at 10:07 PM.
 
Old 07-04-2009, 06:06 AM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by marciano
Well, I did perform 'find /home/user -print0 | xargs -0 file | tee /tmp/user.file' and I checked for non-coincidences. How can I tell whether an HTML file contains such dirty links? What about any other scripts, like Perl ones, that spammers execute?
Running "find|xargs file" shows you what type a file is. If you want to search for, say, a JavaScript string, you could run a recursive grep on the directory. If you provide PHP then you should not only check .htm(l) files but also includes. Running 'file' should show whether a script on the filesystem is a Perl script. Otherwise, catching them running could be done by logging and watching user processes, or collateral like a surge in returned mailer daemon errors.


Quote:
Originally Posted by marciano
All users' passwords have been changed. I checked some implementation of verification data within forms, query strings and php mysql handling.
I think that on your new server you should take care to configure and harden it well before allowing users onto it. Hardening afterwards is not futile, but less secure. If you have questions about, and would like help with, hardening, please search this forum's threads and check out the LQ FAQ: Security references (or the newer, cleaned-up version at http://rkhunter.wiki.sourceforge.net/SECREF).


Quote:
Originally Posted by marciano
Do you have a harmless file simulating an image for debugging (on my old server!)?
No, but you could easily 'cat somePHPfile.php >> image.jpg'.


Quote:
Originally Posted by marciano
I use phpBB3 and MyBB forum apps. They are up to date. I am also reading about Samhain. It is not yet installed; I have to check the new server and compare several settings between the servers. I only have a few days to release the old server.
A complete backup of the old server and proper hardening of the new server should be your two most important tasks. The backup makes sure you can research things (configuration, user files, system logs) and hardening makes certain you keep this from happening again. It will also help if you have another physical or virtual machine on which to mimic your production setup. That way you can reconfigure, test, compile or install things before moving to production.


Quote:
Originally Posted by marciano
As for the backup system, I use a cron rsync job to back up from the remote to a local computer. Then I use a cron lftp job to copy all backups to a LAN HD (10-day rotation). I believe rsync does not support incremental backups.
What you could do is create a cron job that makes a full backup tarball of your rsync destination on one day, then run tar --listed-incremental for n days afterwards between "full" runs. Storing the full backups off-site and in a safe (place) ensures you always have a copy to fall back on, creates a history of changes, and incrementals make it easy to restore fast.
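The three checks from the post above (file type, recursive grep over .htm(l) files and includes, and the 'cat somePHPfile.php >> image.jpg' polyglot) as shell functions. This is an added example, not code from the thread or from marciano's server; the marker patterns and the sample tree it builds are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the checks unSpawn suggests for a
# user's web tree (file type, recursive grep, PHP appended to an image) as
# shell functions. Patterns and the sample tree are constructed assumptions.

# 1. PHP appended to an image ("cat somePHPfile.php >> image.jpg"): `file`
#    only reads the header and still says JPEG, so grep the whole body.
find_php_in_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -al '<?php' {} + 2>/dev/null | sort
}

# 2. Perl scripts hiding under another extension, found by their shebang line
#    (what `file` keys on too, without depending on its output wording).
find_perl_scripts() {
    find "$1" -type f -exec sh -c 'head -n 1 "$1" | grep -q "^#!.*perl" && echo "$1"' _ {} \; | sort
}

# 3. Recursive grep over .htm(l) files and the includes PHP pulls in, for
#    markup a legitimate page would not carry (assumed marker list).
find_injected_markup() {
    find "$1" -type f \( -iname '*.html' -o -iname '*.htm' -o -iname '*.php' -o -iname '*.inc' \) \
        -exec grep -lEi '<iframe|<script[^>]*src=|eval\(base64_decode|document\.write\(unescape' {} + \
        2>/dev/null | sort
}

# Constructed sample tree so the checks can be tried offline; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/img" "$d/cgi" "$d/inc"
    printf '\377\330\377\340JFIF' > "$d/img/logo.jpg"                      # clean header only
    printf '\377\330\377\340JFIF<?php echo "polyglot"; ?>' > "$d/img/banner.jpg"
    printf '#!/usr/bin/perl\nprint "hi\\n";\n' > "$d/cgi/stats.txt"
    printf '<html><body>Hello</body></html>\n' > "$d/index.html"
    printf '<html><body><iframe src="http://example.invalid/"></iframe></body></html>\n' > "$d/contact.html"
    printf '<?php eval(base64_decode($x)); ?>\n' > "$d/inc/footer.inc"
    printf '%s' "$d"
}

# Run all three checks on a directory; with no argument, on the sample tree.
audit_tree() {
    dir=${1:-$(make_sample_tree)}
    echo "== PHP inside image files";  find_php_in_images "$dir"
    echo "== Perl scripts by shebang"; find_perl_scripts "$dir"
    echo "== Suspicious markup";       find_injected_markup "$dir"
}

audit_tree "${1:-}"   # e.g. ./audit.sh /home/user
```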
 
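The full tarball plus tar --listed-incremental rotation unSpawn describes, as a script cron can run daily, with the matching restore. Added example, not from the thread; the paths, the set-directory layout and the 7-day cycle are assumptions, and GNU tar is required for --listed-incremental.

```shell
#!/bin/sh
# Added example, not from the thread: the full tarball plus
# tar --listed-incremental rotation unSpawn describes, as a script cron can
# run daily. Paths and the 7-day cycle are assumptions (GNU tar required).
SRC=${BACKUP_SRC:-/srv/backup/mirror}    # the rsync destination
DST=${BACKUP_DST:-/srv/backup/archive}   # where the tarballs accumulate
FULL_EVERY=${FULL_EVERY:-7}              # days between two full backups

# Newest backup set directory, or nothing if there is none yet.
current_set() {
    ls -d "$DST"/set-* 2>/dev/null | sort | tail -n 1
}

# "full" when no set exists or the current one already holds FULL_EVERY-1
# incrementals, otherwise "incr".
backup_level() {
    set_dir=$(current_set)
    [ -n "$set_dir" ] || { echo full; return; }
    n=$(ls "$set_dir"/*.incr.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -ge $((FULL_EVERY - 1)) ] && echo full || echo incr
}

# Create today's archive. set.snar is GNU tar's snapshot of what the set already
# holds, so each incremental contains only what changed since the previous run.
run_backup() {
    if [ "$(backup_level)" = full ]; then
        set_dir="$DST/set-$(date +%Y%m%d-%H%M%S)"
        mkdir -p "$set_dir"
        archive="$set_dir/full.tar.gz"
    else
        set_dir=$(current_set)
        n=$(ls "$set_dir"/*.incr.tar.gz 2>/dev/null | wc -l | tr -d ' ')
        archive=$(printf '%s/%02d.incr.tar.gz' "$set_dir" $((n + 1)))
    fi
    tar --create --gzip --listed-incremental="$set_dir/set.snar" \
        --file="$archive" -C "$SRC" . && echo "$archive"
}

# Restore one set: the full archive, then every incremental in order.
# --listed-incremental=/dev/null makes tar also replay recorded deletions.
restore_set() {
    set_dir=$1; target=$2
    mkdir -p "$target"
    for a in "$set_dir"/full.tar.gz "$set_dir"/*.incr.tar.gz; do
        [ -f "$a" ] || continue
        tar --extract --gzip --listed-incremental=/dev/null --file="$a" -C "$target"
    done
}
```

Each daily cron run calls run_backup; the completed set directories are what you copy off-site.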
  