Question : How has my server been compromised?

Hi,

My website has been penetrated. As far as I can tell only a PHP footer file has been edited, with a malicious iframe code added that attempts to install a virus via the browser. A similar attack occurred approximately 8 months ago. I'm not sure if it's the same attacker or whether the same method of entry was used (which has eluded me).

This was the security scenario in the latest attack:
- apache was running under its own user/group (not nobody)
- the edited footer file had permissions -rw-r--r-- and was not owned by apache or nobody

I don't believe the attacker has SSH access. I believe the security hole is in the web application layer. My website accepts file uploads and gives users the ability to install custom style sheets which are hosted on the server. However, I'm certain that I'm not executing any of these things as PHP code, and besides, it is impossible for apache/php to modify the footer file due to its ownership and permission. How could this file have been edited? How could the user elevate their privilege from the web user to the file owner (or higher)? Has my own client been compromised? I ran every rootkit program I could find - on my server and my client - and found nothing. I looked at my ssh logs, lastlog, .bash_history - couldn't see anything. I don't believe a password and/or pub key was stolen. I run ubuntu, but also run WinXP as a virtual machine - this is the only vulnerability I can think of on my client.

PHP 5.2.13
Apache/2.2.12
Linux 2.6.18-194.8.1.el5PAE (Centos)

Help!

Thanks

Answer : How has my server been compromised?

You may or may not be suffering from the exact same attack we've  recently gone through, but it does sound like it. After days of  restorals and changing passwords and it happening all over again - in  the end we found one person was infected directly on their pc with a  keystroke recording virus.

 Once the attacker was able to grab a root ftp user and pw, they were  able to infect and spread through out that full server and in some cases  use what they found to hit another server through that host.

 They were also trying to grab ftp software info and just randomly guess  at passwords to gain initial access they hadn't already gotten.

 It took almost 2 weeks to completely stop and restore all sites from the  problem. The infected user had to completely reinstall 3 of their  computer operating systems. Then we restored backups where we had them  and manually removed from other sites that didn't have a far enough  backup with the hack. Then changed every pw for every site to something  new and more difficult.

 Using Malware Bytes software seem to be able to detect the virus, but if  it's that same virus, it infects both the system files that are  important and also the restores on the pc. We were unable to find an  alternative way to remove the hack from regular pc's without completely  reinstalling the operating system.

This probably isn't what you wanted to hear, but hopefully our nightmare will help you solve your problem and maybe you can find a way around losing all your data.