On Wed, Aug 22, 2012 at 2:54 PM, Mark Walkom markwal...@gmail.com wrote:
On 22 August 2012 12:00, David Lyon david.lyon.preissh...@gmail.com wrote:
I have a customer with a hacked website.
When I ftp'd to their web-server I found this wart (listed below - saved as
brut.php):
How did the hacker put it on my system ? What could it have comprimised ?
What
can I do to stop further consequences?
Reset any management/admin passwords to be safe. Make sure everything
running on the server is up to date - OS, DB, Apache etc.
Get rid of FTP, use SCP and fail2ban.
Reinstall the machine from bare metal. Verify the BIOS against the
vendors version (not 100% fullproof) and discard the filesystem
entirely (take a backup first).
You don't know what has been altered, its not impossible they got
root, and its not impossible that they put a preboot attack in place
too.
-Rob
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html