Quote:
Originally Posted by Cky47
Yeah... I wonder how he got in though.
That's going to bug me.
At least it seems he just randomly picks websites to exploit, so hopefully no one else will experience this.
I would like to meet the guy though... Heck I would hire him lol
He likely got in through an insecure script, such as a gallery addon/plugin - there was a nasty exploit in CMG not too long ago - Do you use that?
Likely, if he got in once, he set up shop - and he can get back in unless you figure out how he did it.
You can look for any irregularities with the following string of commands:
Code:
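# Check the last 5000 lines of every domain access log for 'ptrace'
cd /usr/local/apache/domlogs;tail -n 5000 * | grep 'ptrace'
# Print matching lines, then the file name, for PHP files that call passthru(
find /home/ -name "*.php" -exec grep 'passthru(' {} \; -print
# Same search for any mention of 'phpshell' (case-insensitive)
find /home/ -name "*.php" -exec grep -i 'phpshell' {} \; -print
# Download, build and run chkrootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit*
make sense
./chkrootkit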
If you find anything interesting feel free to post back - damned hackers...
Hope this helps some.
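The two `find`/`grep` searches from the reply above, combined into one ranked pass, as an added example that is not part of the original post. It widens the `passthru(` match to be case-insensitive and to allow whitespace before the bracket, since PHP accepts both; the function names, the sample tree and the `--demo` flag are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Uses only POSIX sh, find, grep, awk, sort.

# The same two strings the post searches for, widened: PHP function names are
# case-insensitive and may be followed by whitespace before "(".
PATTERNS='passthru[[:space:]]*\(|phpshell'

# scan_php ROOT: print "hits<TAB>path" for every *.php file under ROOT that has
# at least one matching line, highest hit count first.
# Limitation: a path containing a newline would be split across output lines.
scan_php() {
    # /dev/null as an extra operand makes grep prefix every count with its path.
    find "$1" -type f -name '*.php' \
        -exec grep -ciE -e "$PATTERNS" /dev/null {} + 2>/dev/null |
    awk '{
        i = match($0, /:[0-9]+$/)        # the count follows the last colon
        n = substr($0, i + 1) + 0
        if (n > 0) printf "%d\t%s\n", n, substr($0, 1, i - 1)
    }' | sort -rn
}

# make_sample DIR: build a constructed test tree (harmless text, not real malware).
make_sample() {
    mkdir -p "$1/site a/gallery" "$1/siteb"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/siteb/index.php"
    printf '%s\n' '<?php PassThru ("uptime"); ?>' '<?php // phpshell v1 ?>' \
        > "$1/site a/gallery/thumb.php"
    printf '%s\n' '<?php passthru($x); ?>' > "$1/siteb/up.php"
    printf '%s\n' 'passthru( in a text file' > "$1/siteb/notes.txt"
}

# Run with --demo to scan the constructed tree instead of a real one.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" && scan_php "$d" && rm -rf "$d"
fi
```

On a real server the call would be `scan_php /home`; files at the top of the list are the ones to open first and compare against a known-good copy of the application.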