Thanks Rachel,

The information you have provided is very helpful.

I will look into the things you have mentioned in detail. It's a good start.

On Tue, Jun 2, 2015 at 3:31 PM, gr0ve <[email protected]> wrote:

> You should be able to look in the mysql transaction log and line up any
> corresponding entries to timestamps, and also in the web/system log files,
> as a very general response. Without more detail, it is still hard to say
> whether your problem is local or if someone is breaking the door down, but
> there will be a correlation between the events.
>
>
>
> rachel
>
> --
> rachel polanskis
> IT Consulting, UNIX & Macintosh
> Greater Western Sydney
> <[email protected]>
>
> On 2 Jun 2015, at 15:20, David Lyon <[email protected]>
> wrote:
>
> > If you think a malicious actor is deleting files, check also your
> > database links for insertion attacks or other indications of
> > attempted tampering.
>
> We are seeing MySQL table corruption as well in a 'Session' table.
>
>
>
>
> On Tue, Jun 2, 2015 at 3:01 PM, gr0ve <[email protected]> wrote:
>
>> Hi David,
>> Are you sure the .php files are being removed by a malicious actor? Are
>> there log entries or other traces that indicate an exposure to an exploit?
>> To remove files from a system would leave traces of
>> activity, even remotely and subsequent tampering to cover it up is
>> usually clumsily executed and easily identified.
>> It would depend also on your specific php version but you could install
>> suhosin to log any out of band activity.  If you think a malicious actor is
>> deleting files, check also your database links for insertion attacks or
>> other indications of attempted tampering.  I suspect an in house error such
>> as a bad day for someone, or a rogue cron job, perhaps, or if you are
>> exposed to the ext4 corruption bug on Linux, look there.
>> Without more information, I always assume a more local problem first, as
>> opposed to intrusion etc.
>>
>> --
>> rachel polanskis
>> IT Consulting, UNIX & Macintosh
>> Greater Western Sydney
>> <[email protected]>
>>
>> > On 2 Jun 2015, at 13:57, David Lyon <[email protected]>
>> wrote:
>> >
>> > Hello all,
>> >
>> > One place I do work for is having trouble with hacker activity.
>> >
>> > Let's face it, there are hackers out there trying to take down systems.
>> >
>> > The specific issue I'm seeing is .php files vanishing from the web server.
>> >
>> > This is annoying and I'm wondering if any others are seeing anything like
>> > this.
>> >
>> > I'm also wondering what specific steps can be taken to minimise hacking
>> > problems.
>> >
>> > We don't have a big budget, a counter-hacking team or anything like that.
>> >
>> > To me it looks like the ISP may have been hacked in a similar way as
>> > GoDaddy was hacked in the US.
>> >
>> > Regards
>> >
>> > David
>> > --
>> > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>>
>
>
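Rachel's suggestion of lining up file-deletion events against web/system log timestamps, as an added example that is not part of this thread: a small Python script over constructed sample lines. The deletion-log format, the sample IPs and paths, and the 30-second window are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Apache combined-format access log (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [02/Jun/2015:14:58:01 +1000] "GET /index.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Jun/2015:15:02:44 +1000] "POST /uploads/x.php HTTP/1.1" 200 87
198.51.100.3 - - [02/Jun/2015:15:40:10 +1000] "GET /about.php HTTP/1.1" 200 2210
""".splitlines()

# Constructed file-deletion events (e.g. reduced from auditd or a checksum
# sweep) in an assumed "<ISO timestamp> <path>" format.
DELETION_LOG = """\
2015-06-02T15:02:46 /var/www/html/contact.php
2015-06-02T17:00:03 /var/www/html/about.php
""".splitlines()

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_access(lines):
    """Parse access-log lines into (naive local datetime, client ip, request)."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        events.append((ts.replace(tzinfo=None), m.group('ip'), m.group('req')))
    return events


def parse_deletions(lines):
    """Parse deletion-log lines into (datetime, path)."""
    return [(datetime.fromisoformat(ts), path)
            for ts, path in (line.split(' ', 1) for line in lines)]


def correlate(deletions, requests, window=timedelta(seconds=30)):
    """For each deleted path, list web requests seen in `window` before it.

    An empty list means no remote request lines up with the deletion, which
    points at a local cause (cron job, operator error, filesystem bug) rather
    than an intrusion; a non-empty list is where to start reading the logs.
    """
    return {path: [(ts, ip, req) for ts, ip, req in requests
                   if dts - window <= ts <= dts]
            for dts, path in deletions}
```

Feeding the sample data through `correlate(parse_deletions(DELETION_LOG), parse_access(ACCESS_LOG))` ties the contact.php deletion to the POST two seconds earlier and leaves about.php with nothing nearby.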