LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-26-2007, 09:44 PM   #1
max_tcs
LQ Newbie
 
Registered: Aug 2003
Posts: 27

Rep: Reputation: 15
Server Hacked ???


Help ..

I have a CentOS 4 box with Plesk 8.0 & Webmin 1.250. I just found that the box was hacked after I updated Plesk from 8.0 to 8.2 ... not sure if it is related or not.

There are more than a hundred domains on this server; someone appended a piece of JavaScript to the end of every index.php & index.html for all domains ...
All the files' last-modified times fall in almost the same period, only a few seconds apart...

The log files show an FTP connection opened during the same period for each domain affected.


Is there anything else I can do?
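Added example, not from the thread: a triage script for exactly the symptom described above (JavaScript appended to the end of every index.php / index.html, all with nearly identical mtimes). It assumes GNU find/stat/touch as found on CentOS, and builds a constructed Plesk-like tree (vhosts/<domain>/httpdocs) under a temp directory so it runs offline; on a real Plesk box the document roots would normally be under /var/www/vhosts (an assumption, adjust to your layout).

```shell
#!/bin/sh
# Added example (not the poster's code). Assumes GNU coreutils/findutils.

# Print index.php / index.html files under $1 in which a <script tag appears
# after the last </html>, or, when the file has no </html> at all, within its
# last three lines. A script inside <head> or <body> is normal and not flagged.
find_appended_script() {
    find "$1" -type f \( -name index.php -o -name index.html \) |
    while IFS= read -r f; do
        if awk '
            tolower($0) ~ /<\/html>/ { h = NR }
            tolower($0) ~ /<script/  { s = NR }
            END { if (s && (h ? s > h : NR - s < 3)) exit 0; exit 1 }
        ' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Read file names on stdin and print "epoch_minute count", most common minute
# first. A tight cluster across many vhosts points at one scripted run, which
# is what the nearly identical modification times in the post suggest.
mtime_clusters() {
    while IFS= read -r f; do
        stat -c %Y "$f"
    done |
    awk '{ m = int($1 / 60) * 60; c[m]++ } END { for (m in c) print m, c[m] }' |
    sort -k2,2nr -k1,1n
}

# Constructed demo tree. Echoes the temporary directory so the caller can
# inspect it and remove it afterwards.
build_demo_tree() {
    d=$(mktemp -d)
    for v in clean.example a.example b.example c.example; do
        mkdir -p "$d/$v/httpdocs"
    done
    # Normal page: script in <head>, nothing after </html>.
    printf '<html><head><script src="site.js"></script></head>\n<body>hi</body></html>\n' \
        > "$d/clean.example/httpdocs/index.html"
    # Tampered: a script tag appended after the closing tag.
    printf '<html><body>hi</body></html>\n<script src="//example.invalid/x.js"></script>\n' \
        > "$d/a.example/httpdocs/index.html"
    # Tampered PHP front page that has no </html> tag at all.
    printf '<?php include "page.php"; ?>\n<script>/* appended */</script>\n' \
        > "$d/b.example/httpdocs/index.php"
    # Tampered but not an index file: outside this scan, still in the mtime cluster.
    printf '<html><body>about</body></html>\n<script>/* appended */</script>\n' \
        > "$d/c.example/httpdocs/about.html"
    touch -d '2007-07-01 10:00:00' "$d/clean.example/httpdocs/index.html"
    touch -d '2007-07-26 21:40:03' "$d/a.example/httpdocs/index.html"
    touch -d '2007-07-26 21:40:11' "$d/b.example/httpdocs/index.php"
    touch -d '2007-07-26 21:40:15' "$d/c.example/httpdocs/about.html"
    printf '%s\n' "$d"
}

# Usage on the demo tree:
#   d=$(build_demo_tree)
#   find_appended_script "$d"          # lists the two tampered index files
#   find "$d" -type f | mtime_clusters  # top line is the 3-file cluster at 21:40
#   rm -rf "$d"
```

The mtime cluster is the more useful of the two lists for scoping: files outside the index.php/index.html pattern (other pages, uploaded tools, .htaccess) that share the same minute are worth diffing against a backup before anything is cleaned up.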
 
Old 07-27-2007, 12:13 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Is there anything else I can do?
You can check the Apache/Plesk logs to see if you can find how it was specifically exploited. When checking Apache logs, look for URLs with embedded shell commands. Other than that a format/reinstall is recommended unless you have some way of checking file alteration (like tripwire).
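Added example, not Capt_Caveman's: a small scanner for the Apache access-log check suggested above. It percent-decodes the request target (twice, so double-encoded payloads are not missed) and prints lines whose target contains shell metacharacters or a shell path, plus the related remote-file-inclusion shape (a parameter whose value is a URL), which is a slight generalisation of the post. The log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the poster's code). Works with POSIX awk.

# Read combined-format access-log lines on stdin; print the ones whose decoded
# request target contains shell metacharacters, a shell path, or a URL as a
# parameter value. Plain words such as "shell" in a search query are not flagged.
flag_shell_in_url() {
    awk '
    # Percent-decode s; "+" becomes a space. Applied twice by the caller.
    function urldecode(s,    out, i, c, hi, lo, v, hex) {
        out = ""; hex = "0123456789abcdef"
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "%" && i + 2 <= length(s)) {
                hi = index(hex, tolower(substr(s, i + 1, 1))) - 1
                lo = index(hex, tolower(substr(s, i + 2, 1))) - 1
                v = hi * 16 + lo
                if (hi >= 0 && lo >= 0 && v > 0) { out = out sprintf("%c", v); i += 2; continue }
            }
            if (c == "+") c = " "
            out = out c
        }
        return out
    }
    {
        n = split($0, q, "\"")        # q[2] is the quoted request line
        if (n < 3) next
        split(q[2], r, " ")           # r[2] is the request target
        t = urldecode(urldecode(r[2]))
        if (t ~ /;|\||`|\$\(|\/bin\/(ba)?sh/ || t ~ /=[a-z]+:\/\//) print
    }'
}

# Constructed sample log (documentation-range IPs, invalid domains).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Jul/2007:21:39:58 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Jul/2007:21:40:01 -0500] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jul/2007:21:40:03 -0500] "GET /index.php?page=http://example.invalid/r.txt? HTTP/1.1" 200 310 "-" "libwww-perl/5.805"
198.51.100.7 - - [26/Jul/2007:21:40:05 -0500] "GET /cgi-bin/app.cgi?f=report%3Buname%20-a HTTP/1.1" 200 1500 "-" "-"
203.0.113.9 - - [26/Jul/2007:21:40:09 -0500] "GET /search?q=shell%20scripts%20tutorial HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Jul/2007:21:40:12 -0500] "GET /a.php?x=%252Fbin%252Fsh HTTP/1.1" 404 200 "-" "-"
EOF
}

# Usage: sample_log | flag_shell_in_url      (prints three of the six lines)
# On a real box: cat /var/log/httpd/access_log* | flag_shell_in_url
```

Run it over the vhost logs for the minutes around the file-modification cluster first; a hit from one client against many vhosts in that window is the kind of thing that ties the web logs to the FTP logins mentioned in the thread.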
 
Old 07-27-2007, 01:59 AM   #3
max_tcs
LQ Newbie
 
Registered: Aug 2003
Posts: 27

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Capt_Caveman
You can check the Apache/Plesk logs to see if you can find how it was specifically exploited. When checking Apache logs, look for URLs with embedded shell commands. Other than that a format/reinstall is recommended unless you have some way of checking file alteration (like tripwire).
All log files checked.
The log files show no weird URLs in the period when the files were modified.
The security log didn't show any SSH logins in that period...
It just shows FTP logins in that period for all domains, all at almost the same time, only a few seconds apart across all domains (more than a hundred domains).

I'm wondering, is there a "bypass" way for FTP login???
 
Old 07-28-2007, 03:56 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
What FTP daemon version? What do the system logs say? Any (setuid root) binaries or other "weird" files in public temp dirs? Does verifying with the package manager show things out of the ordinary? If nothing please follow this checklist to make sure you covered it all: Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html.
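Added example, not unSpawn's: the two checks in the post above that can be scripted on a CentOS box, setuid/setgid files in public temp directories and package-manager verification with rpm -Va. The demo directory is constructed under a temp path so the setuid check runs offline; the rpm function is only meaningful on an RPM-based host.

```shell
#!/bin/sh
# Added example (not the poster's code). Assumes GNU find and RPM.

# Print world-writable directories under the given root (default /), i.e. the
# "public temp dirs" worth inspecting: /tmp, /var/tmp, /dev/shm and any others.
list_world_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -0002 -print 2>/dev/null
}

# Print setuid/setgid regular files under the given directories
# (default: the usual public temp dirs). Pipe into xargs ls -l to see owner
# and mode; a root-owned setuid file in /tmp has no legitimate reason to exist.
find_setid_files() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Package-manager verification on CentOS. rpm -Va lists every packaged file
# whose attributes differ from the RPM database; the first field is the flag
# block (S size, M mode, 5 MD5, U user, G group, T mtime ...). Keep entries
# whose checksum or mode changed and drop config files (second field "c"),
# which are expected to differ.
verify_rpm_files() {
    rpm -Va 2>/dev/null | awk '$1 ~ /5|M/ && $2 != "c"'
}

# Constructed demo: a temp dir with one hidden setuid script, one plain file,
# and one world-writable subdirectory. Echoes the directory path.
build_demo_tmp() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/.x"
    chmod 4755 "$d/.x"                 # setuid bit: should be flagged
    printf 'scratch\n' > "$d/notes.txt"
    chmod 644 "$d/notes.txt"           # ordinary file: not flagged
    mkdir "$d/pub" && chmod 1777 "$d/pub"
    printf '%s\n' "$d"
}

# Usage on the demo tree:
#   d=$(build_demo_tmp)
#   find_setid_files "$d" | xargs ls -l   # shows only $d/.x
#   list_world_writable_dirs "$d"          # shows $d/pub
#   rm -rf "$d"
# On the real box: find_setid_files; verify_rpm_files
```

One caveat that follows from the post's own advice: rpm -Va trusts the rpm binary, the shared libraries it loads and the RPM database on the suspect host, so a clean result there is weaker evidence than a clean result from a rescue boot or from comparing against a known-good copy, which is why the reply still leans toward reinstalling.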
 