Question : How has my server been compromised?

Hi,

My website has been penetrated. As far as I can tell only a PHP footer file has been edited, with malicious iframe code added that attempts to install a virus via the browser. A similar attack occurred approximately 8 months ago. I'm not sure if it's the same attacker or whether the same method of entry was used (which has eluded me).

This was the security scenario in the latest attack:
- apache was running under its own user/group (not nobody)
- the edited footer file had permissions -rw-r--r-- and was not owned by apache or nobody

I don't believe the attacker has SSH access. I believe the security hole is in the web application layer. My website accepts file uploads and gives users the ability to install custom style sheets which are hosted on the server. However, I'm certain that I'm not executing any of these things as PHP code, and besides, it is impossible for apache/php to modify the footer file due to its ownership and permission. How could this file have been edited? How could the user elevate their privilege from the web user to the file owner (or higher)? Has my own client been compromised? I ran every rootkit program I could find - on my server and my client - and found nothing. I looked at my ssh logs, lastlog, .bash_history - couldn't see anything. I don't believe a password and/or pub key was stolen. I run Ubuntu, but also run WinXP as a virtual machine - this is the only vulnerability I can think of on my client.

PHP 5.2.13
Apache/2.2.12
Linux 2.6.18-194.8.1.el5PAE (Centos)

Help!

Thanks
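A triage script for the situation described in the question, added here as an example (it is not part of the original post): it lists PHP/HTML files under a web root that contain a hidden iframe, shows owner/group/mode/mtime for each, decides from the mode whether anything other than the owner (for example the apache user) could have written the file, lists everything modified recently, and pulls uploads of a named file out of an xferlog-format FTP transfer log. It assumes GNU grep/find/stat (present on CentOS 5); the web root, log path and the `--run` entry point are assumptions for illustration.

```shell
#!/bin/sh
# Web-root triage helpers (added example, not from the original post).
# Assumes GNU grep/find/stat and an xferlog-format FTP log.

# Iframes that try to stay invisible: zero size or hidden with CSS.
IFRAME_RE='<iframe[^>]*(width *= *"?0|height *= *"?0|display: *none|visibility: *hidden)'

# Print the PHP/HTML files under $1 that contain a hidden iframe, one path per line.
find_injected_files() {
    grep -rliE --include='*.php' --include='*.html' --include='*.htm' \
        "$IFRAME_RE" "$1" 2>/dev/null | sort
}

# Owner, group, octal mode, mtime and path of one file (GNU stat).
describe_file() {
    stat -c '%U %G %a %y %n' "$1"
}

# Return 0 if octal mode $1 (e.g. 644 or 2775) has a write bit for group or
# other, i.e. a process that is not the owner (such as apache) could modify it.
mode_allows_nonowner_write() {
    o="${1#"${1%?}"}"            # last digit: other
    rest="${1%?}"
    g="${rest#"${rest%?}"}"      # second to last digit: group
    case "$g$o" in
        *[2367]*) return 0 ;;    # 2, 3, 6 and 7 all include the write bit
    esac
    return 1
}

# Files under $1 modified within the last $2 days, newest first:
# "YYYY-MM-DD HH:MM owner:group mode path".
recently_modified() {
    find "$1" -type f -mtime -"$2" -printf '%TY-%Tm-%Td %TH:%TM %u:%g %m %p\n' | sort -r
}

# Print "date ip user path" for uploads (direction "i") in xferlog $1 whose
# path contains $2. xferlog fields: five date words, transfer time, remote host,
# size, path, type, special flag, direction, access mode, username, ...
ftp_uploads_of() {
    awk -v name="$2" '$12 == "i" && index($9, name) {
        print $1, $2, $3, $4, $5, $7, $14, $9
    }' "$1"
}

# Full report for a web root: injected files with ownership details and whether
# a non-owner could have written them, then everything changed in the last $2 days.
triage_webroot() {
    root="$1"; days="${2:-30}"
    echo "== files containing a hidden iframe under $root =="
    find_injected_files "$root" | while read -r f; do
        describe_file "$f"
        mode=$(stat -c '%a' "$f")
        if mode_allows_nonowner_write "$mode"; then
            echo "   mode $mode: writable by group/other, the web server user could have edited it"
        else
            echo "   mode $mode: only the owner (or root) could have written it"
        fi
    done
    echo "== files modified in the last $days days =="
    recently_modified "$root" "$days"
}

# Usage (assumed paths): sh triage.sh --run /var/www/html 30
# then: ftp_uploads_of /var/log/xferlog footer.php
if [ "${1:-}" = "--run" ]; then
    triage_webroot "$2" "${3:-30}"
fi
```

The mode check is the point of the question: a 644 file owned by an account other than apache cannot be written by the web server, so the candidates are that account's credentials (FTP, SSH), root, or a bug in something that runs as root. Correlating the injected file's mtime with the FTP log output narrows that down quickly.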

Answer : How has my server been compromised?

You may or may not be suffering from the exact same attack we've recently gone through, but it does sound like it. After days of restorals and changing passwords and it happening all over again, in the end we found one person was infected directly on their PC with a keystroke recording virus.

Once the attacker was able to grab a root FTP user and pw, they were able to infect and spread throughout that full server and in some cases use what they found to hit another server through that host.

They were also trying to grab FTP software info and just randomly guess at passwords to gain initial access they hadn't already gotten.

It took almost 2 weeks to completely stop and restore all sites from the problem. The infected user had to completely reinstall 3 of their computer operating systems. Then we restored backups where we had them and manually removed from other sites that didn't have a far enough backup with the hack. Then changed every pw for every site to something new and more difficult.

Using Malwarebytes software seemed to be able to detect the virus, but if it's that same virus, it infects both the system files that are important and also the restores on the PC. We were unable to find an alternative way to remove the hack from regular PCs without completely reinstalling the operating system.

This probably isn't what you wanted to hear, but hopefully our nightmare will help you solve your problem and maybe you can find a way around losing all your data.