Where the grrrrr hackers hide a mambo script
Following the recent break-in mentioned above, we went through the server with a fine-tooth comb, reducing all file permissions to the minimum and hardening our firewall and other defences.
We then went a-scanning, using the clamscan utility in ISPConfig, with its output piped into a text file.
63 infected files turned up, most of them dumb phishing scripts in mailboxes attached to Viagra offers and the like, but there was some solid gold: in a Mambo site that had been running all files and dirs on 777 perms, we found a file "modules/mod_clogin", a file za.zip, and a folder za.
"Eradicate", "eradicate", "eradicate", said the Dalek scanner, and we did. We then, having had a squizz at the Perl-based scripts involved, went hunting up and down our tmp folders, and bingo! We got a file called bg, another called bcg, and a file called back, in various spots.
The nasty that did it all was a thing called c99shell, out of Romania, and it basically set itself up as "apache" and then went to town, allowing in every spammer mf in the business.
So it's been got, and the upside is, we now have a bullet-proof server. Hope the above helps.
"Those who would give up an essential liberty to purchase a little temporary safety deserve neither liberty nor safety".
Benjamin Franklin, 1759
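As an added example (this is not the poster's script, nor anything from ISPConfig or ClamAV), here is the clean-up sweep described in the post written as a few POSIX shell functions: list world-writable files and directories under a web root (the "777 perms" that let the Mambo site be written to), hunt the tmp directories for the dropped file names bg, bcg and back, run a recursive clamscan with its output saved to a log, and tighten permissions. The web root and tmp paths are assumptions to be replaced with your own; the demo tree the script builds is constructed and contains placeholder text, not real malware. clamscan is only invoked if it is installed.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes a web root such as
# /var/www/site and tmp directories such as /tmp and /var/tmp (assumed paths;
# pass your own). clamscan (ClamAV) is only called when present on the box.

# List world-writable files and directories under a web root. -perm -002
# matches anything with the other-write bit set (works on GNU and BSD find).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# Number of world-writable entries under a tree (padding stripped so the
# result can be compared with -eq).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Hunt tmp directories for the dropped file names the poster found
# (bg, bcg, back); pass as many directories as you like.
find_dropped_names() {
    find "$@" -type f \( -name bg -o -name bcg -o -name back \) 2>/dev/null | sort
}

# Recursive ClamAV scan, infected files only, with the report written to a
# log file (the "piped into a text file" step). Prints the count of FOUND
# lines, or 0 with a note on stderr when clamscan is not installed.
scan_with_clamav() {
    root="$1"; log="$2"
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -r --infected --log="$log" "$root" >/dev/null 2>&1 || true
        if [ -f "$log" ]; then grep -c 'FOUND$' "$log" || true; else echo 0; fi
    else
        echo "clamscan not installed; skipping scan of $root" >&2
        echo 0
    fi
}

# Drop world-writable permission: directories to 755, files to 644.
# Dry run (just lists offenders) unless the second argument is "apply".
tighten_perms() {
    root="$1"; mode="${2:-dryrun}"
    if [ "$mode" = "apply" ]; then
        find "$root" -type d -perm -002 -exec chmod 755 {} +
        find "$root" -type f -perm -002 -exec chmod 644 {} +
    else
        find_world_writable "$root"
    fi
}

# Constructed demo tree mirroring the poster's findings: a 777 module
# directory and file under the site, and a "bg" drop in tmp. Placeholder
# contents only; nothing here is real malware.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/site/modules/mod_clogin" "$d/tmp"
    chmod 755 "$d/site" "$d/site/modules" "$d/tmp"
    echo '<?php // placeholder, not a real shell' > "$d/site/modules/mod_clogin/index.php"
    chmod 777 "$d/site/modules/mod_clogin" "$d/site/modules/mod_clogin/index.php"
    echo 'placeholder' > "$d/tmp/bg"
    echo 'harmless' > "$d/tmp/session_data"
    echo "$d"
}

# Stand-alone run against the demo tree (set DEMO=0 to source the functions only).
if [ "${DEMO:-1}" = "1" ]; then
    D=$(demo_setup)
    echo "World-writable under $D/site:"; find_world_writable "$D/site"
    echo "Dropped names under $D/tmp:";   find_dropped_names "$D/tmp"
    echo "ClamAV FOUND count: $(scan_with_clamav "$D/site" "$D/clamscan.txt")"
    tighten_perms "$D/site" apply
    echo "After tightening: $(count_world_writable "$D/site") world-writable entries"
    rm -rf "$D"
fi
```

On a live server you would point find_world_writable and tighten_perms at the site's document root and find_dropped_names at /tmp, /var/tmp and any per-site tmp directories, and run tighten_perms in dry-run mode first, since an application may legitimately need a writable cache or upload directory that deserves a narrower fix (group-writable to the web server's group) rather than a blanket chmod.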