Old 09-20-2009, 06:53 AM  
boneless
Confirmed User
Join Date: Dec 2002
Location: in your head
Posts: 3,625
to clean the hack:

originally posted by Gozak aka Spudstr of yellowfiber:

Realistically, the best way to kill this script once you've found it:


BACK UP EVERYTHING YOU HAVE, if your host does backups, back it up anyway on your own.
Kill apache. shut it down and don't turn it on.

grep -R eval * > /some/folder/to/store/data/to/research

let it run let it finish. make sure that /tmp is locked down and even run linux auditd and set a rule to watch rwxa on /tmp.

after it finishes dig through the text file and find the php files exploited. once you go through the php file that's a back door put the path in a text file, call it "foo"

cat foo | awk '{print "rm -f " $1}' | csh

this will mass delete all the infected files.

re-run the grep -R eval * script again to a new file. now find the files infected with the <script> i.e. the javascript. edit each file by hand or delete your archives and rebuild them with clean templates.

once you clean everything re-run grep again. this time hopefully you won't get any trace of the code... anywhere.

lastly make sure all ct folders are gone gone gone gone.

turn apache back on.

you can have hosts set auditctl's on index files that get infected, make sure they use the wa flags and not war or warx, we don't care if it's read or executed we just care if it's written to or appended. then watch logs later to see what folder a script is being called from so you can go and identify the exploits. Might be useful for future hacks/exploits that could possibly infect your machine.

lastly. If you really want to be isolated and prevent problems like this in the future do the following.

1. 1 ftp per site
2. run apache in suexec mode
3. run php in suphp
4. stop using 777, if you run in any suexec mode/suphp above you won't need 777 anyway.
5. set audits on your index files
6. noexec on /tmp folder and set audit to watch _everything_ that goes on in there.

I don't care if you host with us or not but you should give the above to your host to help them fix your exploited code or you can do it yourself if you manage the machine yourself.
__________________
icq:148573096 skype:dabone2 email:boneless(a)mgpteam(.)com
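The steps above (grep for eval, collect the paths in "foo", remove the listed files, rescan, then review the files carrying an injected <script> tag) as an added, runnable sh example. This is not code from the post or from yellowfiber; it builds a constructed sample web root in a temp directory, and the file names, the quarantine directory and the auditctl paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Walks the cleanup sequence against a
# CONSTRUCTED sample web root:
#   1. list PHP files containing "eval(" and save the list (the post's "foo" file)
#   2. move every listed file into a quarantine tree instead of "rm -f", so a
#      false positive can be restored
#   3. list template/HTML files carrying a <script src=...> tag for hand review
#   4. rescan to confirm the eval hits are gone

# Constructed sample: one clean PHP file, one PHP file with a backdoor-style
# eval() line, one HTML fragment with an injected script tag. All hypothetical.
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/site/templates"
    printf '%s\n' '<?php' '// clean: only includes a template' \
        "include 'templates/main.php';" > "$root/site/index.php"
    printf '%s\n' '<?php' '// constructed backdoor-style line for the scanner to find' \
        'eval(base64_decode($_POST["x"]));' > "$root/site/templates/main.php"
    printf '%s\n' '<p>footer</p>' \
        '<script src="http://example.invalid/bad.js"></script>' \
        > "$root/site/templates/footer.html"
}

# Step 1: every *.php under the root containing "eval(" goes into the list file.
# Prints the number of hits. A bare "grep -R eval *" also matches legitimate
# JavaScript libraries; restricting to *.php and the literal "eval(" cuts noise.
list_eval_php() {
    root="$1"; list="$2"
    { find "$root" -type f -name '*.php' -exec grep -l 'eval(' {} + || true; } > "$list"
    wc -l < "$list" | tr -d ' '
}

# Step 2: quarantine instead of delete. Each listed path is moved under $qdir
# with its original path preserved. Prints the number of files moved.
quarantine_listed() {
    list="$1"; qdir="$2"; n=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        mkdir -p "$qdir/$(dirname "$f")"
        mv "$f" "$qdir/$f"
        n=$((n + 1))
    done < "$list"
    echo "$n"
}

# Step 3: files carrying a <script ... src= tag, for hand review. Legitimate
# templates match too, so this only lists and never deletes. Prints the count.
list_script_tags() {
    root="$1"
    { find "$root" -type f \( -name '*.html' -o -name '*.php' -o -name '*.tpl' \) \
        -exec grep -l '<script[^>]*src=' {} + || true; } | wc -l | tr -d ' '
}

# The auditd part of the post is outside a script like this: index files get
# write/append watches only (wa), /tmp gets everything (rwxa). Assumed paths,
# run as root on the real host:
#   auditctl -w /var/www/site/index.php -p wa -k webhack
#   auditctl -w /tmp -p rwxa -k tmpwatch

# Runs the whole sequence in a throwaway directory and prints
# "<eval hits> <files quarantined> <files to review> <hits on rescan>".
run_cleanup_demo() {
    work=$(mktemp -d)
    make_sample_webroot "$work"
    hits=$(list_eval_php "$work/site" "$work/foo")
    moved=$(quarantine_listed "$work/foo" "$work/quarantine")
    review=$(list_script_tags "$work/site")
    rescan=$(list_eval_php "$work/site" "$work/foo2")
    rm -rf "$work"
    echo "$hits $moved $review $rescan"
}

run_cleanup_demo
```

The one deliberate departure from the post is step 2: the awk | csh pipeline deletes whatever grep listed, and grep for "eval" on a whole document root will list legitimate JavaScript libraries and PHP that calls eval() on purpose, so the listed files are moved into a quarantine tree that mirrors their original paths and can be restored after review. Everything else follows the post's order: list, remove, review the script injections, rescan until the hit count is zero.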