Old 21st February 2007, 14:34
martinfst
Senior Member
Join Date: Dec 2006
Location: Hilversum, The Netherlands
Posts: 880
Thanks: 1
Thanked 18 Times in 17 Posts

You need to find out how the phisher got access to your server. ssh? Broken PHP application (and abused the apache user)? Any other ports open (like webmin ports)?

Is any port still open as a backdoor for the phisher? I got hacked once because of a faulty PHP app, and the hacker installed some backdoor listening on an obscure port.

Start looking at /var/log and scan all log files. Try to identify something unusual.
Then execute
ps -ef
to see if any strange program is running. And you might consider installing 'chkrootkit' and running a test. Also do
netstat -tap
and see if something strange is listening on an unusual port. HTH
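The listener check from the post above, as an added example that is not part of the original post: it reads `netstat` output and reports every listening TCP socket whose port is not on an allowlist. It assumes the numeric form `netstat -tanp` (the post's `netstat -tap` with `-n` added); the allowlist, function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets on ports this host is not
# expected to serve. Feed it live data with:  netstat -tanp | unexpected_listeners

# Ports this server is expected to listen on (assumption; adjust per host).
EXPECTED_PORTS="22 25 80 443"

# Reads netstat output on stdin and prints "port local-address pid/program"
# for every LISTEN socket whose port is not in EXPECTED_PORTS, sorted by port.
unexpected_listeners() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr
            sub(/^.*:/, "", port)           # keep text after the last colon (IPv4 and IPv6)
            prog = ($7 == "" ? "-" : $7)    # "-" when netstat could not show the owner
            if (!(port in ok)) print port, addr, prog
        }
    ' | sort -n
}

# Constructed sample of `netstat -tanp` output (not taken from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2101/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2250/apache2
tcp        0      0 0.0.0.0:47017           0.0.0.0:*               LISTEN      3912/a
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2388/perl
tcp        0      0 192.0.2.10:22           198.51.100.7:51544      ESTABLISHED 4120/sshd
EOF
}

# Demonstration on the constructed sample: the listeners on 10000 and 47017 are reported.
sample_netstat | unexpected_listeners
```

Each reported PID can then be matched against the `ps -ef` listing to see which binary owns the socket and which user it runs as.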