#1
22nd April 2007, 20:25
shajazzi

hacked by By BeLa & BodyguarD

I am running SUSE 9.3 and ISPConfig.
I run rkhunter regularly and never found any problems with rootkits until today, when all sites on my server had been hacked by By BeLa & BodyguarD.
I then ran rkhunter and found nothing unusual.
Then I started to check all the files and folders in one of the sites and found that the index.php had been hacked. I replaced it with a backup and bingo, I am back in business.
Is there any way that I can find out how the hacker managed to penetrate my server's security?
By the way, I googled By BeLa & BodyguarD and found that this hacker was mainly concentrating on hacking forums.

shajazzi

#2
23rd April 2007, 09:48
till

Which Linux users own the replaced files?
The Apache user? Do you run PHP as mod_php or SuPHP?
Do you have PHP safe mode on, and is your PHP up to date?
Are all the replaced index.php files from a specific content management system like Drupal, WordPress, TYPO3, ...?
Till Brehm

#3
25th April 2007, 23:49
shajazzi

The replaced files are owned by
user wwwrun and group www.
PHP runs as mod_php.
PHP safe mode is off.
rkhunter now shows php4 is not up to date.
All sites are running on Mambo and Joomla.

I have noticed quite a few issues since I did an apt-get upgrade on this server.
YaST Online Update shows an update for php4 and updates successfully,
but when I run rkhunter again it shows php4 is not up to date.
I have another server ready to run with SUSE 10.0. I know what you are going to say: why didn't you install Debian? The answer to this is that I could never get it to install properly on my 64-bit systems and had similar problems with Ubuntu. So it looks like I am stuck with SUSE for the time being, which I am happy with. I also have a copy of Xandros Linux, Puppy Linux and Damn Small Linux among many others, but cannot find any decent server setup suggestions around at the moment, so I will leave them for a later date.

shajazzi
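
Till's ownership question can be answered straight from the file system. The following is an added example, not part of any post in this thread: two shell helpers that summarise which accounts own recently changed PHP files under a document root and list those files for one account (for example wwwrun, as reported in post #3). The document root and day count are arguments supplied by the reader, and GNU find is assumed.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). Requires GNU find (-printf).

# php_owner_summary DOCROOT DAYS
# Count PHP files modified less than DAYS*24 hours ago, grouped by the
# owning user:group, most frequent owner first.
php_owner_summary() {
    find "$1" -type f -name '*.php' -mtime "-$2" -printf '%u:%g\n' |
        sort | uniq -c | sort -rn
}

# php_changed_by DOCROOT DAYS USER
# List the recently modified PHP files owned by USER (name or numeric uid).
# Columns: modification time, inode change time, path. Sorted by mtime, so
# files replaced in one sweep cluster together. A ctime later than the
# mtime suggests the timestamp or permissions were altered afterwards.
php_changed_by() {
    find "$1" -type f -name '*.php' -user "$3" -mtime "-$2" \
        -printf '%TY-%Tm-%Td %TH:%TM  %CY-%Cm-%Cd %CH:%CM  %p\n' | sort
}

# Stand-alone use: sh triage.sh DOCROOT DAYS [USER]
if [ "$#" -ge 2 ]; then
    php_owner_summary "$1" "$2"
    if [ "$#" -ge 3 ]; then
        php_changed_by "$1" "$2" "$3"
    fi
fi
```

The timestamps from the second helper give the window in which to read the Apache access log for requests to the Mambo and Joomla sites.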