I'd have a look at the owner and timestamps on the naughty files. Are
they owned by the web server user? If so, check server logs in the
period leading up to the file modification times.

If they're owned by some other user, make sure that user account is
secure.

I've seen plenty of instances where someone thinks "it must be an
insecure script", but it turned out that some user on the box had a
bone-headed, easily brute-forced password.

-Tim

On Sep 11, 2009, at 2:37 PM, Randal Rust wrote:

We have suddenly started having issues with one of our servers with a
local hosting company. We have never had any issues at all for the 6-7
years we've used their servers (we have a total of 5-6). Anyway, this
one server went down last week, and tech support said:

"Your VPS has been either hacked or an insecure script has been used
to upload stuff. We have tar'ed up the data was being used
(/tmp/b.tar.gz) You need to have your developer take a look at your
sites code to determine any vulnerabilities"

To which I responded, "ok, assume that we believe all of our scripts
are secure. in looking at the logs, how do i pinpoint that someone
is/was trying to upload something?"

Tech support was less than helpful after that. So I pose the question
to the list. How do I pinpoint the issue? There are about five domains
running on the site, and we did not have any issues until we upgraded
a ZenCart install for one of the sites.

--
Randal Rust
R.Squared Communications
www.r2communications.com
614-370-0036
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
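
The triage described in the reply above (file owner first, then the web server log in the minutes before the file's modification time), as an added example that is not part of the original thread. It assumes Apache "combined" log format; the function names, sample log lines and paths are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Assumption: access log is in Apache "combined" format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Sep/2009:13:58:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Sep/2009:14:01:40 -0400] "POST /shop/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Sep/2009:09:15:00 -0400] "POST /contact.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

def requests_before(log_lines, mtime, window=timedelta(minutes=10),
                    methods=("POST", "PUT")):
    """Return write-capable requests logged in the window ending at mtime."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] in methods and mtime - window <= ts <= mtime:
            hits.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return sorted(hits)

def triage(path, web_uid, log_lines, window=timedelta(minutes=10)):
    """Check who owns a suspicious file, then decide where to look next."""
    st = os.stat(path)
    # mtime can be reset by the file's owner; compare with st_ctime on a
    # real system before trusting it.
    mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
    result = {"owner_uid": st.st_uid, "mtime": mtime,
              "via_web": st.st_uid == web_uid, "requests": []}
    if result["via_web"]:
        # Owned by the web server user: look at requests before the write.
        result["requests"] = requests_before(log_lines, mtime, window)
    # Otherwise the file came from another account: review that account's
    # logins and password rather than the site scripts.
    return result
```

Pass the numeric uid of the web server account as `web_uid`, and run it once per suspicious file against the access log of each virtual host on the box.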