Site definitely hacked. Can't delete files to restore backup.
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've discovered that after restoring my site's backup this has happened to me again. If someone could just help me to delete the hacked /home/crocbits directory so that I can restore the backup under the same username.
When I try to delete /home/crocbits I get this message when logged in as root:
Quote:
root@main [/home]# rm -f -R -d crocbits
rm: cannot remove `crocbits/public_html/makepoll.php': Operation not permitted
rm: cannot remove `crocbits/public_html/report.php': Operation not permitted
rm: cannot remove `crocbits/public_html/userhistory.php': Operation not permitted
rm: cannot remove `crocbits/public_html/showreport.php': Operation not permitted
I just read your other post and would also think about the attributes.
Could you post the output from the following:
# ls -l crocbits/public_html/makepoll.php
# ls -ld crocbits/public_html
# lsattr crocbits/public_html/makepoll.php
# lsattr -d crocbits/public_html/
Dave
Hi Dave,
Here you go:
Quote:
root@main [/]# ls -l /home/crocbits/public_html/makepoll.php
-rw-r--r-- 1 504 501 8465 Mar 13 08:56 /home/crocbits/public_html/makepoll.php
root@main [/]#
Quote:
root@main [/]# ls -ld /home/crocbits/public_html
d--------- 13 504 nobody 4096 Mar 30 12:08 /home/crocbits/public_html/
root@main [/]#
There's the beastie. You've got 'append only' set on the directory, so you can't remove files. Do:
# chattr -a /home/crocbits/public_html/
as root and you should be good to go.
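The `ls -l` output above cannot show why root's `rm` fails: root bypasses the mode bits entirely (the `d---------` directory is no obstacle to it), but the ext2/3/4 inode flags `i` (immutable) and `a` (append-only) are enforced even against root until cleared with `chattr`. Only `lsattr` reveals them, which is why it was requested. The following Python script is an added example, not code from this thread: it parses saved `lsattr -R` output offline, lists every entry carrying a blocking flag, and prints the `chattr` commands that would clear them for review rather than running them. The sample `lsattr` output is constructed; the paths are the ones named in the thread, the flags on them are assumed.

```python
"""Triage helper: find files that lsattr reports as immutable (i) or
append-only (a), the flags that make `rm` fail with "Operation not
permitted" even for root. Parses saved `lsattr -R` output offline.

Added example for this thread; SAMPLE_LSATTR below is constructed and
the flags shown on each path are assumptions, not data from the host.
"""
import re
import shlex
import sys

# One lsattr line: an attribute field, whitespace, then the path.
# The field is a fixed-width run of flag letters and dashes whose width
# differs between e2fsprogs versions, so match it generically.
_LSATTR_LINE = re.compile(r"^([-A-Za-z]+)\s+(.+)$")

# Inode flags that block unlink/rename regardless of ownership or mode.
BLOCKING_FLAGS = {
    "i": "immutable: no modification, rename or deletion at all",
    "a": "append-only: data may be appended, entry cannot be removed",
}

# Constructed sample of `lsattr -R /home/crocbits` output (flags assumed).
SAMPLE_LSATTR = """\
----i--------e-- /home/crocbits/public_html/makepoll.php
-----a-------e-- /home/crocbits/public_html
-------------e-- /home/crocbits/public_html/index.php
lsattr: Operation not supported While reading flags on /home/crocbits/public_html/sock
"""


def parse_lsattr(output):
    """Yield (path, set_of_flag_letters) for each parsable lsattr line.

    Error lines lsattr prints for unsupported files ("lsattr: Operation
    not supported ...") and blank lines are skipped.
    """
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.startswith("lsattr:"):
            continue
        m = _LSATTR_LINE.match(line)
        if not m:
            continue
        attrs, path = m.groups()
        yield path, {c for c in attrs if c != "-"}


def find_locked(output):
    """Return [(path, flag_string)] for entries with 'i' or 'a' set,
    in the order lsattr listed them."""
    locked = []
    for path, flags in parse_lsattr(output):
        hit = flags & set(BLOCKING_FLAGS)
        if hit:
            locked.append((path, "".join(sorted(hit))))
    return locked


def chattr_commands(locked):
    """Build the chattr invocations that would clear the blocking flags.

    Returned as strings for review, not executed: on a suspect host you
    want a record of what was locked before changing anything.
    """
    return ["chattr -%s %s" % (flags, shlex.quote(path)) for path, flags in locked]


if __name__ == "__main__":
    # Pipe real output in (`lsattr -R /home/crocbits | python3 lsattr_triage.py`)
    # or run with no input to see the constructed sample handled.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSATTR
    for path, flags in find_locked(data):
        for f in flags:
            print("%s: %s" % (path, BLOCKING_FLAGS[f]))
    for cmd in chattr_commands(find_locked(data)):
        print(cmd)
```

Run it against the real tree with `lsattr -R /home/crocbits 2>&1 | python3 lsattr_triage.py` as root. Keeping the `chattr` lines as printed commands rather than executing them is deliberate: the flags are themselves evidence of what was done to the host, so capture the `lsattr -R` output (and the file hashes) before clearing anything.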
Can I ask why you think you've been cracked? At this point you've presented no evidence in either thread. However, if you have some evidence that you have been cracked, then merely replacing the problematic directory is not going to help you much. You need to investigate the source of the problem.
Well, this has now happened 2 times in a row at random times and I also have had a fake DMCA notice brought to my attention which turned out to be the competition trying to get my host to remove my site. The guy that submitted the DMCA claim didn't own the copyright. I realise there must be some kind of hole in the php app somewhere. I'm using a commercial script that has been tested so I assumed it to be quite secure. What still tickles me is that when the 'crack' happens my cPanel account goes into a suspended state as well.
As you've found out the hard way, deleting the directory and restoring from backup gets you exactly nowhere. You need to find out what happened. For that you best start by verifying your OS installation, your web stack configuration (meaning of any Internet-facing or supporting services), and your system and daemon log files.
Quote:
I realise there must be some kind of hole in the php app somewhere.
If that is true, then there should be records in your log files. As unSpawn suggested, you need to start doing your homework on the machine. A good place to start developing evidence is the CERT checklist.
Quote:
I'm using a commercial script that has been tested so I assumed it to be quite secure.
When it comes to PHP, that is a really dangerous assumption to make. Any information you can supply along the lines of what unSpawn asked for is going to be necessary for any real help to happen here.
Quote:
Well, this has now happened 2 times in a row at random times and I also have had a fake DMCA notice brought to my attention which turned out to be the competition trying to get my host to remove my site. The guy that submitted the DMCA claim didn't own the copyright.
While certainly enough to generate a touch of suspicion, this really doesn't constitute evidence of a crack. The only way to solve this is by developing facts about the machine in question.