HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


kerubino 23rd January 2010 17:33

Default apache pages modified????
 
Hi,

I would like to ask you what to do if you think that your ISPConfig and your system have been hacked.

What are the first steps to take?

Our sites have been hacked in this way:

At some time (I could not yet determine precisely when) all default pages of Apache are automatically modified.

For instance: index.php, index.html...

Default pages are modified by adding an iframe that redirects you to a suspicious antivirus, antimalware or stats webpage.

It is surprising because all default pages are modified with the same timestamp.

I had checked all my crons, but I didn't see anything suspicious... maybe it is a bug of ISPConfig, I don't know.

We have 2.2.32 of ISPConfig on a Debian 5 64-bit machine.

I thank you for your help in advance.

till 23rd January 2010 18:05

Install rkhunter:

http://www.rootkit.nl/projects/rootkit_hunter.html

and run:

rkhunter -c

Quote:

I had checked all my crons, but I didn't see anything suspicious... maybe it is a bug of ISPConfig, I don't know.

Possible of course, but not that likely as there are no known bugs. Check your logs to see if someone logs in with FTP or SSH. Do the sites where the pages get modified have anything in common, e.g. the same CMS installed in the site? Have you updated your phpMyAdmin? There was a bug some months ago which was used to infect servers. Also, did you have all updates of your Linux distro installed?

kerubino 23rd January 2010 20:19

Thank you.

I was also looking at the FTP logs... I see that someone is logging in to FTP that is not me!!!

I also searched with rkhunter... but nothing was found.

It seems that someone could get my FTP password... I'll change all passwords.

falko 24th January 2010 03:13

Quote:

Originally Posted by kerubino (Post 217264)
I was also looking at the FTP logs... I see that someone is logging in to FTP that is not me!!!

Can you post an excerpt of your FTP log?
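
An added example, not part of the thread and not code from any poster: a triage sketch that groups index.php/index.html files containing an iframe by identical modification time, then lists FTP uploads logged around that time. It assumes the FTP daemon writes the standard xferlog(5) format; the log lines, paths, user name and addresses in it are constructed.

```python
import os, re, sys, time
from collections import defaultdict

DEFAULT_PAGE = re.compile(r"^index\.(php|html?)$", re.I)  # the pages named in the thread
IFRAME = re.compile(rb"<iframe\b", re.I)
# Constructed sample lines in xferlog(5) format (assumed log format, not from the thread).
SAMPLE_XFERLOG = [
    "Sat Jan 23 09:15:40 2010 1 198.51.100.20 2048 /var/www/web1/web/logo.png b _ i r web1_user ftp 0 * c",
    "Sat Jan 23 16:02:10 2010 1 203.0.113.7 1532 /var/www/web1/web/index.html a _ o r web1_user ftp 0 * c",
    "Sat Jan 23 16:02:11 2010 1 203.0.113.7 1610 /var/www/web1/web/index.html a _ i r web1_user ftp 0 * c",
]

def injected_clusters(webroot, min_files=2):
    """Map mtime -> default pages that contain an iframe and share that exact mtime.
    A single page with an iframe may be legitimate; many pages changed in the
    same second is the pattern worth investigating."""
    by_mtime = defaultdict(list)
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not DEFAULT_PAGE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if IFRAME.search(fh.read()):
                        by_mtime[int(os.stat(path).st_mtime)].append(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
    return {t: sorted(p) for t, p in by_mtime.items() if len(p) >= min_files}

def ftp_uploads_near(xferlog_lines, when, window=120):
    """Return (user, remote_host, path) for uploads within `window` seconds of `when`."""
    hits = []
    for line in xferlog_lines:
        f = line.split()
        if len(f) < 18 or f[11] != "i":  # token 11 is direction; "i" = incoming (upload)
            continue
        try:
            ts = time.mktime(time.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y"))
        except ValueError:
            continue  # malformed timestamp
        if abs(ts - when) <= window:
            hits.append((f[13], f[6], f[8]))
    return hits

if __name__ == "__main__":  # usage: script.py WEBROOT XFERLOG
    with open(sys.argv[2], errors="replace") as fh:
        lines = fh.readlines()
    for when, pages in sorted(injected_clusters(sys.argv[1]).items()):
        print(time.ctime(when), len(pages), "pages;", ftp_uploads_near(lines, when))
```

Log timestamps are interpreted in the server's local time zone, so run it on the affected machine or with the same TZ setting.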


All times are GMT +2.