Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
One of our VPSs was compromised recently. The attacker uploaded a folder "/de" into the root of a client's site. Basically this was diverting visitors to a dodgy PayPal link. I was able to remove all files associated with this attack (I think).
However, PayPal is still alerting us to a problem and I am getting the following in our access logs...
Can anyone help with where I should be looking if there is something still left on the server? There was one file "1.txt" in the vhosts/default folder, which was also removed. I checked the remaining files and they seemed untouched.
Well, the 301 in your log files would indicate that the GET is being redirected rather than returning a 200 success.
My guess is that you have a rule in .htaccess that redirects any "404" missing pages to the main site or something?
Unfortunately you're going to see these for a while. What you could do is re-create the /de folder and have .htaccess return "404" for any attempted access, and hope whoever is trying to access that folder gives up when they get the error message rather than the redirect.
I'd also take a guess that "?YmFidXNoa2EucnVzc2xhbmRAaGFudXR6LmRl" is a password that tells the exploit to spill whatever it has gathered.
Other options include using "fail2ban" with a recipe to detect that particular access and "ban" the relevant IP for a period of time.
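To check whether the redirect is still in place and to see which clients keep probing the removed folder, the script below parses Apache combined-format access log lines, picks out every request under /de/, counts them by status code and by client IP, and applies a fail2ban-style retry threshold. This is an added example, not code from the thread or from fail2ban; the log lines, IP addresses and timestamps are constructed for illustration (the poster's real log was not included), and the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format. The IPs, timestamps
# and sizes are made up; only the "/de" path and query string come from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2013:10:01:02 +1300] "GET /de/?YmFidXNoa2EucnVzc2xhbmRAaGFudXR6LmRl HTTP/1.1" 301 232 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2013:10:01:03 +1300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:05:44 +1300] "GET /de/index.php HTTP/1.1" 404 310 "-" "curl/7.29.0"
203.0.113.10 - - [12/Mar/2013:10:06:10 +1300] "GET /de/ HTTP/1.1" 301 232 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2013:10:07:00 +1300] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_hits(log_text, removed_prefix="/de/"):
    """Return the parsed requests whose path is the removed directory or anything below it."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string so "?..." does not hide the path comparison.
        path_only = rec["path"].split("?", 1)[0]
        if path_only == removed_prefix.rstrip("/") or path_only.startswith(removed_prefix):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits by HTTP status code and by client IP."""
    by_status = Counter(h["status"] for h in hits)
    by_ip = Counter(h["ip"] for h in hits)
    return by_status, by_ip


def ips_over_threshold(by_ip, maxretry=2):
    """IPs that requested the removed path at least `maxretry` times.

    `maxretry` mirrors fail2ban's setting of the same name; 2 is an assumed value.
    """
    return sorted(ip for ip, n in by_ip.items() if n >= maxretry)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    by_status, by_ip = summarize(hits)
    print("requests for the removed /de path:", len(hits))
    print("by status:", dict(by_status))
    if by_status.get(301):
        # A 301 means a redirect rule still answers for /de; a dead folder should give 404.
        print("note: /de still answers with 301, so a redirect rule is still active")
    print("IPs at or over the retry threshold:", ips_over_threshold(by_ip))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; any 301 in the "by status" output means the redirect the reply above describes is still in effect, and the IP list is the set a fail2ban filter for this path would act on.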
Yes, so www/vhosts/default, which contains the default Plesk domain files, the client's site being in www/vhosts/mydomain.com.
You may never find the cause of Paypal's concern.
You should backup anything you consider important.
If vps505.lnx.vps.isx.net.nz was mine, I'd ask the provider to re-image it and start over, after acquiring the backup of the system.