Site definitely hacked. Can't delete files to restore backup.
 

Please have a look at me previous thread to get more details on my problem: http://www.linuxquestions.org/questi...mitted-800340/

I've discovered that after restoring my site's backup this has happened to me again. If someone could just help me to delete the hacked /home/crocbits directory so that I can restore the backup under the same username.

When I try to delete /home/crocbits I get this message when logged in as root:

Hi.

Could you post the output from the following:
# ls -l crocbits/public_html/makepoll.php
# ls -ld crocbits/public_html
# lsattr crocbits/public_html/makepoll.php
# lsattr -d crocbits/public_html/

Dave

I just read your other post and would also think about the attributes.

Hi Dave,

Here you go:

Thanks for your help so far. Appreciate it.

Jean

Hi again.

There's the beastie. You've got 'append only' set on the directory, so you can't remove files. Do:
# chattr -a /home/crocbits/public_html/
as root and you should be good to go.

Dave

Can I ask why you think you've been cracked? At this point you've presented no evidence in either thread. However, if you have some evidence that you have been cracked, then merely replacing the problematic directory is not going to help you much. You need to investigate the source of the problem.

Well, this has now happened 2 times in a row at random times and I also have had a fake DMCA notice brought to my attention which turned out to be the competition trying to get my host to remove my site. The guy that submitted the DMCA claim didn't own the copyright. I realise there must be some kind of hole in the php app somewhere. I'm using a commercial script that has been tested so I assumed it to be quite secure. What still tickles me is that when the 'crack' happens my cPanel account goes into a suspended state as well.

As you've found out the hard way deleting the directory and restoring from backup gets you exactly nowhere. You need to find out what happened. For that you best start by verifying your OS installation, your web stack configuration (meaning of any Internet-facing or supporting services), and your system and daemon log files.

And run rkhunter and chkrootkit, there could be a rootkit there.

If that is true, then there should be records in your log files. As unSpawn suggested, you need to start doing your homework on the machine. A good place to start developing evidence is the CERT checklist.

When it comes to PHP, that is a really dangerous assumption to make. Any information you can supply along the lines of what unSpawn asked for is going to be necessary for any real help to happen here.

While certainly enough to generate a touch of suspicion, this really doesn't constitute evidence of a crack. The only way to solve this is by developing facts about the machine in question.