Server Hacked ???

max_tcs · 07-26-2007, 09:44 PM

Help ..

I have a CentOS4 box with Plesk 8.0 & webmin 1.250, just found that the Box was hacked after i updated Plesk from 8.0 to 8.2 ... not sure is it related or not.

There are more than hundred of domains on this server, someone appended a part of javascripts at the end of every index.php & index.html for all domain ...
All files last modified time almost at the same period with few seconds different...

The logs files shown ftp connection open at the same period for domain effected.

Is that anything else i can do ?

Capt_Caveman · 07-27-2007, 12:13 AM

Quote:

Is that anything else i can do ?

You can check the Apache/Plesk logs to see if you can find how it was specifically exploited. When checking Apache logs, look for URLs with embedded shell commands. Other than that a format/reinstall is recommended unless you have some way of checking file alteration (like tripwire).

max_tcs · 07-27-2007, 01:59 AM

Quote:

Originally Posted by Capt_Caveman

You can check the Apache/Plesk logs to see if you can find how it was specifically exploited. When checking Apache logs, look for URLs with embedded shell commands. Other than that a format/reinstall is recommended unless you have some way of checking file alteration (like tripwire).

all logs file checked.
the log files seems no weird url at the file modified time period
security log didn't shown ssh logged at that period...
just shown ftp login at that period for all domains, all almost at the same time but just few seconds different for all domains (more than hundred domains).

I'm wondering, is that a "bypass" way for ftp login ???

unSpawn · 07-28-2007, 03:56 AM

What FTP daemon version? What do the system logs say? Any (setuid root) binaries or other "weird" files in public temp dirs? Does verifying with the package manager show things out of the ordinary? If nothing please follow this checklist to make sure you covered it all: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.