Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Most often its purpose is spreading spam or malware.
Quote:
Originally Posted by yakotey
How can I know how the attack occurred?
You're likely using a vulnerable version of a PHP-based software package. It was not updated when it should have been. Start by finding out what version of shopping cart, forum, content management system, plugins or other PHP-based software you run. Check your system and web server logs for anomalies. Check the vendor's site for updates. Some list cleanup procedures in their documentation, like http://codex.wordpress.org/FAQ_My_site_was_hacked or http://docs.moodle.org/23/en/Securit...hat_do_I_do.3F. Let us know if you can't find any for your product and version.
In my experience, the most common cause on a shared-hosting computer system ... is another system user, and a lazy hosting company. I have encountered sites where every file was owned by an ftpusers group and was writable to that group! Therefore, if you merely had a login account, you could diddle with anyone else's files.
Once you install the files on the system, use chmod -r to make them read-only. (Slightly different permissions may be needed for directories.) In order to subsequently change the files yourself, you will need to reassign those permissions.
If you are using "convenient" system management software such as Plesk, then I'm afraid that you will need to learn enough about system management to enable yourself to discard packages like that. (And please note that the preceding sentence is a statement of matter-of-fact, i.e. nothing whatsoever personal and no offense intended.) Convenience has its price and it is an unacceptable price.
Last edited by sundialsvcs; 08-04-2012 at 01:33 PM.
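The permission hardening described in the post above, as an added example that is not from any of the thread's posters: a small POSIX shell script that audits a document root for group- or world-writable entries and then applies explicit read-only modes (0444 for files, 0555 for directories, which need the execute bit to stay traversable). The sample tree, its wp-content/plugins layout and the file names are constructed for the demonstration; point DOCROOT at a real site root to use it for real.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web document root for
# group- or world-writable files and directories, then apply the read-only
# layout the post above recommends: 0444 for files, 0555 for directories
# (directories keep the execute bit so they stay traversable).
# Runs against a constructed sample tree in a temp directory; the path
# layout (wp-content/plugins) is an assumption standing in for a real site.

# list entries under $1 that are writable by group or by others
find_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# number of such entries, for a quick pass/fail check
count_writable() {
    find_writable "$1" | wc -l | tr -d ' '
}

# lock the tree down: nothing, not even the owner, can modify files in place
lock_down() {
    find "$1" -type d -exec chmod 0555 {} +
    find "$1" -type f -exec chmod 0444 {} +
}

# give the owner write access back for maintenance; run lock_down afterwards
unlock() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# constructed sample tree standing in for a shared-hosting docroot
DOCROOT="$(mktemp -d)"
mkdir -p "$DOCROOT/wp-content/plugins/example"
printf '<?php echo "hello"; ?>\n' > "$DOCROOT/index.php"
printf '<?php // plugin ?>\n' > "$DOCROOT/wp-content/plugins/example/plugin.php"
chmod 0664 "$DOCROOT/index.php"      # group-writable, the bad case from the post
chmod 0777 "$DOCROOT/wp-content"     # world-writable directory

echo "writable entries before lock-down: $(count_writable "$DOCROOT")"
find_writable "$DOCROOT"
lock_down "$DOCROOT"
echo "writable entries after lock-down:  $(count_writable "$DOCROOT")"

# tidy up the sample tree (reopen it first so rm can remove the contents)
unlock "$DOCROOT"
rm -rf "$DOCROOT"
```

Run the audit function alone first (`find_writable /path/to/docroot`) and read the list before locking anything: most PHP applications need one upload or cache directory writable by the web server user, and that directory should be handled separately and kept free of executable scripts rather than being swept up in a blanket chmod.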
Mostly the Apache logfiles are important. If you have all requests logged you might see some strange requests in the log.
However, like other repliers said, it can be bad file permissions, incorrectly configured software, ...
What application is actually running on the webserver?
Can you see from which time this file has been modified?
This will seriously help in finding the attack method through the log files.
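The log triage the post above suggests, as an added example that is not from any of the thread's posters: given the modification time of the tampered file, cut the Apache access log down to the requests made around that time, then pull out the ones worth reading first (POST requests, and GETs to PHP scripts carrying a query string). Timestamps are compared in awk by turning them into sortable keys, so the script does not depend on GNU-only `date -d`. The log lines are constructed samples in the combined log format; the addresses, paths, plugin name and the assumed modification time of 13:30:20 are all made up.

```shell
#!/bin/sh
# Added example (not from the thread): take the modification time of the
# tampered file, cut the Apache access log down to the requests around that
# time, and pull out the ones worth reading first (POSTs and requests to
# PHP scripts with a query string). Log lines are constructed samples in
# the combined log format; the IPs, paths and times are made up.

# print the lines from stdin whose timestamp lies within [FROM, TO];
# both bounds are given in the log's own form, e.g. 04/Aug/2012:13:25:20
# usage: window FROM TO < access_log
window() {
    awk -v from="$1" -v to="$2" '
    # turn 04/Aug/2012:13:30:15 into the sortable key 20120804133015
    function key(ts,  p) { split(ts, p, "[/: ]"); return p[3] mon[p[2]] p[1] p[4] p[5] p[6] }
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
        lo = key(from); hi = key(to)
    }
    {
        s = index($0, "["); e = index($0, "]")
        if (s == 0 || e <= s) next          # no bracketed timestamp: skip the line
        k = key(substr($0, s + 1, e - s - 1))
        if (k >= lo && k <= hi) print
    }'
}

# keep only POST requests and GETs to .php scripts that carry a query string
# usage: ... | suspicious
suspicious() {
    awk '{
        s = index($0, "\"")                 # the request line sits between the first pair of quotes
        rest = substr($0, s + 1)
        e = index(rest, "\"")
        req = substr(rest, 1, e - 1)        # e.g. GET /index.php HTTP/1.1
        if (req ~ /^POST / || index(req, ".php?") > 0) print
    }'
}

# constructed sample access log (combined format); the hits at 13:29-13:31
# are the activity around an assumed file modification time of 13:30:20
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [04/Aug/2012:13:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Aug/2012:13:29:41 +0000] "GET /wp-content/plugins/example/admin.php?action=settings HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Aug/2012:13:30:15 +0000] "POST /wp-content/plugins/example/admin.php HTTP/1.1" 200 214 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Aug/2012:13:31:03 +0000] "GET /images/logo.png HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Aug/2012:14:05:55 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

echo "== requests within five minutes of the file change =="
sample_log | window '04/Aug/2012:13:25:20' '04/Aug/2012:13:35:20'
echo "== of those, the ones to read first =="
sample_log | window '04/Aug/2012:13:25:20' '04/Aug/2012:13:35:20' | suspicious
```

On a real host, read the file's modification time with `ls -l --full-time` (GNU) or `stat`, convert it by hand into the log's day/month/year form, and run `window` against the actual access_log instead of `sample_log`. Start with a window of a few minutes on each side and widen it if nothing stands out; an attacker who already has write access can reset a file's timestamp, so an empty window is a reason to look at a larger one, not proof that the log is clean.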
Are you the owner of the host/account?
Is it a shared hosting arrangement?
Did you change YOUR password in whatever *Panel you may have (cPanel perhaps)?
What kind of CMS got hacked, name of the package please. 3rd party plugins, I'll bet.
Please supply answers to these important questions and change your account/ftp password if you have cPanel.