Hi,

My server is under attack; the attack allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?

Regards,
maverh
From: Manu Verhaegen <maverh at telenet.be>
> My server is under attack; the attack allows the attacker to abuse a PHP script of a
> vhost. How can I find which script it is?

Could you be more specific...? Anything in the log files?

JD
Anything from the access logs?

2009/12/24 Manu Verhaegen <maverh at telenet.be>
> Hi,
>
> My server is under attack; the attack allows the attacker to abuse a PHP script of a
> vhost. How can I find which script it is?
>
> Regards,
> maverh
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
On Thu, 2009-12-24 at 11:31 +0000, Manu Verhaegen wrote:
> Hi,
>
> My server is under attack; the attack allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?
>
> Regards,
> maverh

Hi Maverh,

I know this may sound like a silly question, but how do you know your server is under attack? As others have advised, have you checked your logs on the server? What are you running that's being attacked?

/var/log/httpd
/var/log/messages

Regards,
Pete.
Hi,

We have Plesk running; I have logwatch running and I have found an IP address. I have added it to the IP table to block it, and then the attack is solved. We see a lot of outgoing emails; a PHP script is used for sending many emails, possibly stored in the database.

I have used the following commands:

grep 'ipadres' /var/www/vhosts/*/statistics/logs/access_log
grep 'ipadres' /var/log/httpd/access.log

They do not find any record.

Regards,
Manu Verhaegen

-----Original message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Pete
Sent: Thursday, 24 December 2009 12:45
To: CentOS mailing list
Subject: Re: [CentOS] attack

On Thu, 2009-12-24 at 11:31 +0000, Manu Verhaegen wrote:
> Hi,
>
> My server is under attack; the attack allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?
>
> Regards,
> maverh

Hi Maverh,

I know this may sound like a silly question, but how do you know your server is under attack? As others have advised, have you checked your logs on the server? What are you running that's being attacked?

/var/log/httpd
/var/log/messages

Regards,
Pete.
At the moment everything is solved; I have blocked the IP address, but I have not found the script.

> ----- Original message -----
> From: david at pnyet.web.id [mailto:david at pnyet.web.id]
> Sent: Thursday, December 24, 2009 01:07 PM
> To: 'CentOS mailing list'
> Subject: Re: [CentOS] attack
>
> Trying to find out what users are running with a specific command, you should use top or ps or netstat; please read the manual on how to use them. After all that, once you get some info, unplug your server from the internet and see what the log says.
>
> ------Original Message------
> From: Manu Verhaegen
> Sender: centos-bounces at centos.org
> To: centos at centos.org
> ReplyTo: CentOS mailing list
> Subject: [CentOS] attack
> Sent: Dec 24, 2009 6:31 PM
>
> Hi,
>
> My server is under attack; the attack allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?
>
> Regards,
> maverh
>
> Warm regards,
> David
> ---------------------
> ./nobody
Trying to find out what users are running with a specific command, you should use top or ps or netstat; please read the manual on how to use them. After all that, once you get some info, unplug your server from the internet and see what the log says.

------Original Message------
From: Manu Verhaegen
Sender: centos-bounces at centos.org
To: centos at centos.org
ReplyTo: CentOS mailing list
Subject: [CentOS] attack
Sent: Dec 24, 2009 6:31 PM

Hi,

My server is under attack; the attack allows the attacker to abuse a PHP script of a vhost. How can I find which script it is?

Regards,
maverh

Warm regards,
David
---------------------
./nobody
Hello

On 12/24/2009 12:01 PM, Manu Verhaegen wrote:
> We have Plesk running; I have logwatch running and I have found an IP address.
> I have added it to the IP table to block it, and then the attack is solved.
> We see a lot of outgoing emails; a PHP script is used for sending many emails, possibly stored in the database.

You also have a broken email client. What are the chances that you could:

a) find an email client that preserves thread sanity
b) refrain from top-posting unless absolutely necessary

--
Karanbir Singh
London, UK | http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219 | Yahoo IM: z00dax | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc
Hi,

I have checked my tmp directory and subdirectories for std and udp.pl; no such file exists. Also I have checked /etc/passwd and /etc/shadow for unusual users.

Regards

-----Original message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Thomas Dukes
Sent: Thursday, 24 December 2009 13:08
To: 'CentOS mailing list'
Subject: Re: [CentOS] attack

> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Manu Verhaegen
> Sent: Thursday, December 24, 2009 7:04 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] attack
>
> At the moment everything is solved; I have blocked the IP address,
> but I have not found the script.

So you are the attacker. Happened to me a couple of weeks ago. Check your tmp directory and subdirectories for std, udp.pl. Also check /etc/passwd and /etc/shadow for unusual users. Should be at the very bottom of those files.
> Hi,
>
> I have checked my tmp directory and subdirectories for std and
> udp.pl; no such file exists. Also I have checked /etc/passwd and
> /etc/shadow for unusual users.
>
> Regards

Manu, forgive me if I missed it when I deleted several of the posts in the thread, yet how hard is it to check all the pertinent logfiles? Unless this is a very sophisticated compromise that hides, moves, or deletes things, or the management system is trash, the info you need is "typically" in one or more of the various logfiles on the system. Something as simple as:

man less
less /var/log/httpd/access_log
less /var/log/httpd/error_log

Replace the logfile names as appropriate... In general, there are many you can look at to gain some wisdom...

- rh
Obviously, if you are running several vhosts and Plesk, you likely have other logs to check. Also, one can usually see the origin of the mail injection in the maillog (e.g. complaints about setting to an unsafe sender) or in the outgoing messages. At runtime you can see the connects with full URLs on the Apache status page.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
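One way to do the log check Kai and rh describe, as an added example that is not from the thread: a POSIX shell snippet that ranks PHP scripts by POST hits per client IP across Plesk-style vhost access logs. The log path glob and the sample lines are constructed; the point is that the IP logwatch reports from the mail side may never appear in the web logs, so counting who POSTs to which .php script is a more reliable way to find the script than grepping for that one IP.

```shell
#!/bin/sh
# Added example, not code from the thread. Rank PHP scripts by POST hits per
# client IP so a mail-sending script stands out even when the IP from logwatch
# (possibly an MX seen in maillog, not the web client) is absent from access_log.
# The sample log below is constructed in Apache combined format; in practice pass
# e.g. /var/www/vhosts/*/statistics/logs/access_log (assumed Plesk layout).

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [24/Dec/2009:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Dec/2009:10:02:15 +0000] "POST /images/cache.php HTTP/1.1" 200 31 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Dec/2009:10:02:16 +0000] "POST /images/cache.php HTTP/1.1" 200 31 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Dec/2009:10:02:18 +0000] "POST /images/cache.php HTTP/1.1" 200 31 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Dec/2009:10:03:01 +0000] "POST /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Dec/2009:10:03:05 +0000] "POST /images/cache.php?act=mail HTTP/1.1" 200 31 "-" "Mozilla/4.0"
EOF

# rank_php_posts LOG... : print "count ip script" for POSTs to .php, busiest first.
# Field layout of the combined format: $1 client IP, $6 "METHOD, $7 request path.
# The query string is stripped so /x.php and /x.php?act=mail count as one script.
rank_php_posts() {
    cat "$@" \
      | awk '$6 == "\"POST" { split($7, p, "?"); if (p[1] ~ /\.php$/) print $1, p[1] }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2, $3 }'
}

# top_php_poster LOG... : the single busiest "ip script" pair, the first thing to read.
top_php_poster() {
    rank_php_posts "$@" | head -n 1 | cut -d' ' -f2-
}

rank_php_posts "$SAMPLE_LOG"
```

Read the top script's source next and cross-check its hit times against bursts in the maillog; a script that takes POSTed recipients is the usual culprit.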
Hi,

I am checking this.

Thanks,
Manu

-----Original message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Kai Schaetzl
Sent: Thursday, 24 December 2009 15:32
To: centos at centos.org
Subject: Re: [CentOS] attack

Obviously, if you are running several vhosts and Plesk, you likely have other logs to check. Also, one can usually see the origin of the mail injection in the maillog (e.g. complaints about setting to an unsafe sender) or in the outgoing messages. At runtime you can see the connects with full URLs on the Apache status page.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com