Possible Duplicate:
My server’s been hacked EMERGENCY
Earlier today I found a lot of weird files on one of my servers (running Ubuntu Server 10.04), which I can't understand how they got there. Probably some sort of XSS-injection; I need to dig further in my applications.
What I found: multiple directories in the web roots of several domains, with short names ("wesz", "aog0", "uioolz", ...) containing the exact same files and file structures. Google doesn't tell me anything about these files or directories, so I put them here. It looks like a landing page for some MITM against Microsoft Live and its users.
File structure:
- uioolz (or similar short-named directory)
    dataz.php
    index.php
    go.php
    smart.php
    - fll
        <HTML, CSS & JS files for MITM>
Does anyone recognize them and/or can tell me how they could appear in my webroots?
I've run multiple tools to check for rootkits, dug through logs, bash histories, etc., but I can't find anything that indicates that the attackers had a shell (or they are really good at hiding it). The directories and files I found also had the apache user as owner and group, which may indicate that they were uploaded through an injection attack. However, the fact that I found the exact same files and directories in multiple web roots, domains that have nothing in common, still bugs me. This may indicate that they actually got a shell... But not all of the domains on the server were attacked, only a small subset.
How can I proceed? At the moment I have no chance of doing a clean install, but it will be done.
Are there any useful tools that can check for XSS or other types of injection vulns?
I can also add that the intruders' files seem to send information to two external domains (specifically to a gta.php):
http://colorpop.com/wp-content/plugins/mailchimp/gta.php?info=<BASE64-INFO>
http://oderena.lt/gta.php?info=<BASE64-INFO>
Domains registered via a proxy registrar.
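A defender-side triage check for the pattern described in the question, added here as an example and not code from the original post: it walks a web root for directories carrying the reported file set (dataz.php, index.php, go.php, smart.php plus an fll/ subdirectory) and greps PHP files for a gta.php?info= callback URL. The sample tree and the example.invalid host are constructed for the demonstration.

```python
import os
import re
import tempfile

# File set the post reports inside each short-named directory, plus the "fll" subdir.
KIT_FILES = {"dataz.php", "index.php", "go.php", "smart.php"}
KIT_SUBDIR = "fll"
# Callback pattern quoted in the post: .../gta.php?info=<BASE64-INFO>
BEACON_RE = re.compile(r"https?://[^\s'\"]+/gta\.php\?info=")


def find_kit_dirs(webroot):
    """Return directories under webroot whose layout matches the reported kit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if KIT_FILES.issubset(filenames) and KIT_SUBDIR in dirnames:
            hits.append(dirpath)
    return sorted(hits)


def find_beacons(webroot):
    """Return (path, url) pairs for PHP files that reference a gta.php?info= URL."""
    found = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    for m in BEACON_RE.finditer(fh.read()):
                        found.append((path, m.group(0)))
    return found


def build_sample_webroot():
    """Constructed sample tree (not from a real server): one kit dir, one clean site dir."""
    root = tempfile.mkdtemp(prefix="webroot_")
    kit = os.path.join(root, "uioolz")
    os.makedirs(os.path.join(kit, KIT_SUBDIR))
    for name in KIT_FILES:
        with open(os.path.join(kit, name), "w") as fh:
            fh.write("<?php // placeholder ?>\n")
    with open(os.path.join(kit, "go.php"), "w") as fh:  # file with a constructed callback
        fh.write("<?php $u='http://example.invalid/gta.php?info='.base64_encode($d); ?>\n")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "blog", "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    print("kit dirs:", find_kit_dirs(root), "beacons:", find_beacons(root))
```

Point `find_kit_dirs` and `find_beacons` at the real web roots (e.g. /var/www) to list matches; pair the output with `find -user www-data -newermt <date>` to see what else the web server user wrote in the same window.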