[nycphp-talk] Issues with server getting hacked
Tim Lieberman
tim_lists at o2group.com
Fri Sep 11 15:09:17 EDT 2009
I'd have a look at the owner and timestamps on the naughty files. Are
they owned by the web server user? If so, check server logs in the
period leading up to the file modification times.
If they're owned by some other user, make sure that user account is
secure.
I've seen plenty of instances where someone thinks "it must be an
insecure script", but it turned out that some user on the box had a
bone-headed, easily brute-forced password.
-Tim
On Sep 11, 2009, at 2:37 PM, Randal Rust wrote:
> We have suddenly started having issues with one of our servers with a
> local hosting company. We have never had any issues at all for the 6-7
> years we've used their servers (we have a total of 5-6). Anyway, this
> one server went down last week, and tech support said:
>
> "Your VPS has been either hacked or an insecure script has been used
> to upload stuff. We have tar'ed up the data was being used
> (/tmp/b.tar.gz) You need to have your developer take a look at your
> sites code to determine any vulnerabilities"
>
> To which I responded, "ok, assume that we believe all of our scripts
> are secure. in looking at the logs, how do i pinpoint that someone
> is/was trying to upload something?"
>
> Tech support was less than helpful after that. So I pose the question
> to the list. How do I pinpoint the issue? There are about five domains
> running on the site, and we did not have any issues until we upgraded
> a ZenCart install for one of the sites.
>
> --
> Randal Rust
> R.Squared Communications
> www.r2communications.com
> 614-370-0036
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
More information about the talk
mailing list