
Possible Duplicate:
My server's been hacked EMERGENCY

So I noticed some files/folders on my webserver, and investigating leads to the fact that a brute force attack via SSH was done on my server (there is a file in a folder called unix which is titled UnixCoD Atack Scanner, so I know what it is for, plus another file with username/password combos).

What should I investigate to try and detect what has been compromised? I have looked through the only .bash_history file I could find and only my commands are present.

Before this I had never heard of UnixCoD; I had seen the .bash_history file but didn't know what it was, so you can gauge my level of expertise...

Also, would a service like Cloudflare (Cloudflare Security Features) be a solution to some of the issues?

Any help will be appreciated

  • Lots of useful information can be found in this question. http://serverfault.com/questions/218005/my-servers-been-hacked-emergency – Zoredache Oct 13 '11 at 22:16
  • Thanks @Zoredache Taking a good look at the referenced questions. – Kobby Owusu Oct 14 '11 at 13:52
  • @Zoredache I've seen your posts around, so you seem as good as any to ask. I have installed rkhunter and done a test run and there were a few warnings; is this the right place to ask for help, if it means anything? I don't want to break any forum rules and tick the people helping me off. – Kobby Owusu Oct 14 '11 at 13:55
  • If you have a good clear question, then you can certainly ask it, though there is a lot of strong feelings here that the only right solution after a compromise is to nuke the box from orbit. – Zoredache Oct 14 '11 at 17:41

1 Answer

It's trivially easy to bypass the .bash_history file. Some logs worth looking at, depending on what's installed on your server:

  • /var/log/messages
  • /var/log/auth.log (if present)
  • /var/log/secure.log (if present)
  • Apache error logs (there may be clues on which scripts may have been called/exploited)

Are the files inside your webroot (i.e. the folder where your website is served from) or outside? This may also give you a clue to the attack vector.

– gac
  • The folder is within the webroot. I use WordPress, which is where the attack happened; it was inside one of the more public folders of WordPress. I am investigating how to make access to that folder less permissive (currently 775), if that's possible. – Kobby Owusu Oct 14 '11 at 13:29
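The answer above points at /var/log/auth.log (or /var/log/secure) as the place to look, since .bash_history is trivial for an intruder to edit or disable. As an added example (not part of the original answer), here is a small triage script that reads sshd entries from such a log, counts failed password attempts per source address, and flags the pattern the asker is worried about: a successful login from an address that had been failing just before it. The log lines embedded below are constructed samples in the standard syslog/sshd format, not data from the asker's server; the threshold of three failures is an assumed cut-off and should be tuned to the server's normal traffic.

```python
"""Triage sshd entries from an auth.log-style file.

Counts "Failed password" attempts per source address and flags any
"Accepted ..." login from an address that had already failed, which is the
signature of a brute-force attack that eventually guessed a password.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines (syslog/sshd format); not from a real server.
SAMPLE_AUTH_LOG = """\
Oct 13 21:01:02 web sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Oct 13 21:01:05 web sshd[2303]: Failed password for root from 203.0.113.45 port 51030 ssh2
Oct 13 21:01:09 web sshd[2305]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Oct 13 21:01:12 web sshd[2307]: Failed password for root from 203.0.113.45 port 51050 ssh2
Oct 13 21:02:40 web sshd[2310]: Accepted password for root from 203.0.113.45 port 51077 ssh2
Oct 13 22:15:01 web sshd[2450]: Accepted publickey for kobby from 198.51.100.7 port 40122 ssh2
Oct 13 22:16:30 web sshd[2455]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# "invalid user" is optional: sshd adds it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
# Captures the auth method (password/publickey), the user and the source IP.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port"
)


def triage(log_text, threshold=3):
    """Return a summary dict for the given log text.

    threshold: number of failures from one address that counts as brute force
    (assumed value; tune for the server's normal traffic).
    """
    failures = Counter()            # source IP -> failed attempts
    tried_users = defaultdict(set)  # source IP -> usernames it tried
    accepted = []                   # every successful login (user, ip, method)
    suspicious = []                 # successes preceded by failures from same IP

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            tried_users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
            # Counter returns 0 for unseen keys, so this is safe.
            if failures[ip] > 0:
                suspicious.append((user, ip, method, failures[ip]))

    brute_force_sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force_sources": brute_force_sources,
        "usernames_tried": {ip: sorted(u) for ip, u in tried_users.items()},
        "accepted": accepted,
        "suspicious_logins": suspicious,
    }


def main(argv):
    # Usage: python triage.py /var/log/auth.log   (falls back to the sample)
    if len(argv) > 1:
        with open(argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTH_LOG
    report = triage(text)
    for ip, n in report["brute_force_sources"].items():
        print(f"brute force from {ip}: {n} failures, users {report['usernames_tried'][ip]}")
    for user, ip, method, n in report["suspicious_logins"]:
        print(f"SUSPICIOUS: {user} logged in via {method} from {ip} after {n} failures")
    return report


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data the script reports 203.0.113.45 as a brute-force source that tried admin, oracle and root, and flags the later password login as root from that same address; the publickey login from 198.51.100.7 is listed as accepted but not flagged. On a real box, run it against every rotated copy (auth.log.1, auth.log.2.gz after decompressing) as well, since a brute-force run often predates the current file.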