
I am facing some malware problems on my web server.

I updated third-party software such as WordPress to the latest version, disabled root logins, and my users' passwords are complex enough, but still someone or something is changing my index.php files, adding some code that causes malware alerts in many visitors' browsers.

Now, as I'm not able to find out who or what is doing that, I'm thinking about watching one of the index.php files that are changed periodically so I can see who is accessing it.

I would like to know what program and user is accessing it. Is there any possibility to do so? I checked inotify-tools, but it seems it simply tells me about changes, not who is changing them, am I right?

Ladadadada
NovumCoder
  • Since your box has been compromised, there's plenty of suggested reading here: http://serverfault.com/q/218005/26130 http://serverfault.com/q/218138/26130 http://security.stackexchange.com/q/9234/1472 – Ladadadada Apr 03 '13 at 13:32

3 Answers


I have had a pretty good experience with the package auditd (found in apt). It is a comprehensive audit-logging daemon. The only possible problem here is that you definitely need root access to install it.

Some basic instructions can be found at http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

Ahrotahntee
  • @NovumCoder This is worth a read too: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ – Ladadadada Apr 03 '13 at 13:26
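To show what auditd actually gives you once a watch is in place, here is an added example (not part of the answer above, and not code from the auditd project): a small parser that reads raw audit.log records, groups them into events, and prints which executable wrote the watched file as which uid. It assumes a watch rule of the form `auditctl -w /var/www/html/index.php -p wa -k webroot` has been loaded; the log lines, pids, uids, inodes and paths below are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample in the format auditd writes to /var/log/audit/audit.log after
# a watch such as `auditctl -w /var/www/html/index.php -p wa -k webroot` is loaded.
# Every pid, uid, inode and path here is made up for illustration.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1364996783.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=2 ppid=1234 pid=5678 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" key="webroot"
type=CWD msg=audit(1364996783.123:456): cwd="/var/www/html"
type=PATH msg=audit(1364996783.123:456): item=0 name="/var/www/html/" inode=1001 dev=08:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1364996783.123:456): item=1 name="index.php" inode=1002 dev=08:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1364996790.500:457): arch=c000003e syscall=2 success=yes exit=4 a0=1 a1=241 a2=1b6 a3=0 items=1 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" key="webroot"
type=CWD msg=audit(1364996790.500:457): cwd="/root"
type=PATH msg=audit(1364996790.500:457): item=0 name="/var/www/html/index.php" inode=1002 dev=08:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1364996795.000:458): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1364996795.000:458): item=0 name="/etc/crontab" inode=55 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# key=value pairs; values are either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
AUID_UNSET = 4294967295  # (unsigned)-1: the process has no login session behind it


def parse_record(line):
    """One audit.log line -> dict of its fields plus the event timestamp and serial."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def group_events(log_text):
    """Records that share the audit(ts:serial) id belong to one event (one syscall)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]].append(rec)
    return events


def file_writers(log_text, key):
    """Summarise every event tagged with `key`: which process, as which uid, touched which path."""
    out = []
    for serial, recs in sorted(group_events(log_text).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        # PATH names may be relative to the CWD record of the same event
        cwd = next((r["cwd"] for r in recs if r.get("type") == "CWD"), "/")
        paths = []
        for r in recs:
            if r.get("type") != "PATH" or r.get("nametype") == "PARENT":
                continue
            name = r["name"]
            paths.append(name if name.startswith("/") else posixpath.join(cwd, name))
        auid = int(syscall["auid"])
        out.append({
            "serial": serial,
            "time": syscall["_ts"],
            "paths": paths,
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "pid": int(syscall["pid"]),
            "uid": int(syscall["uid"]),
            # None means no interactive login is behind this process (daemon, cron, web worker)
            "auid": None if auid == AUID_UNSET else auid,
            "success": syscall.get("success") == "yes",
        })
    return out


if __name__ == "__main__":
    for ev in file_writers(SAMPLE_LOG, "webroot"):
        who = f"uid={ev['uid']}"
        who += f" (login uid {ev['auid']})" if ev["auid"] is not None else " (no login session)"
        print(f"{ev['time']:.3f} {','.join(ev['paths'])} written by {ev['exe']} pid={ev['pid']} as {who}")
```

On a real box, feed the function the contents of /var/log/audit/audit.log (root only) or the output of `ausearch -k webroot --raw`. The auid field is the detail worth reading: a write with auid unset and exe pointing at the PHP worker means the file was changed through the web application itself, while a real auid points at an SSH or console login.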

but not who is changing it, am I right?

Not really.

Most likely the site is being exploited remotely via the PHP scripts running on it (AFAIK the current version of WordPress is reasonably secure, but there are a lot of third-party plugins riddled with vulnerabilities). If this is the case then all you'll see is the uid which your PHP runs as; you'll then need to reconcile this with your web server logs to see where the attack might have come from. But does that help you solve the problem? I think not. (Also check against the wtmp log.)

A partial solution might be to ensure that all the files are not writable by the PHP uid, which provides some protection, but you'll lose any visibility you have of how the files are being modified.

If it were me, I'd go with the inotify/log reconciliation approach, but I'd want to find the vulnerability and eliminate it.

symcbean
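The log-reconciliation step this answer recommends, as an added example (not code from the answer or from WordPress): given the time at which index.php was last written (from stat, inotify or an audit record), pull the access-log requests from the minutes before that write and flag the ones that typically precede a file drop, namely POSTs and PHP scripts executing from the uploads tree. The log lines, client IPs, plugin name and timestamps are constructed for illustration, and the flagging rules are this example's own heuristics, not anything the answer specifies.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed access-log lines in Apache "combined" format (IPs, paths, plugin name made up).
ACCESS_LOG = """\
203.0.113.7 - - [03/Apr/2013:13:19:31 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Apr/2013:13:19:58 +0000] "POST /wp-content/plugins/example-gallery/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Apr/2013:13:20:02 +0000] "POST /wp-content/uploads/2013/04/image.php?cmd=id HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2013:13:20:30 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Assumed modification time of index.php (e.g. from `stat -c %y`, inotify or auditd);
# constructed to fall a few seconds after the suspicious requests above.
WRITTEN_AT = datetime(2013, 4, 3, 13, 20, 5, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """One combined-format access-log line -> dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, ts, method, target, status, size = m.groups()
    path, _, query = target.partition("?")
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "query": query,
        "status": int(status),
    }


def flags_for(req):
    """Heuristics for requests that commonly precede a web-shell drop or file overwrite."""
    flags = []
    if req["method"] == "POST":
        flags.append("POST")
    # PHP executing from the uploads tree is never legitimate on a stock WordPress install
    if req["path"].startswith("/wp-content/uploads/") and req["path"].endswith(".php"):
        flags.append("php-in-uploads")
    return flags


def requests_before_write(log_text, written_at, window=timedelta(seconds=120)):
    """Requests in the `window` leading up to the write, oldest first, each with its flags."""
    start = written_at - window
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is not None and start <= req["time"] <= written_at:
            req["flags"] = flags_for(req)
            hits.append(req)
    hits.sort(key=lambda r: r["time"])
    return hits


def suspects(hits):
    """Group flagged requests by client IP: the most likely origin of the write."""
    by_ip = {}
    for req in hits:
        if req["flags"]:
            by_ip.setdefault(req["ip"], []).append(req)
    return by_ip


if __name__ == "__main__":
    hits = requests_before_write(ACCESS_LOG, WRITTEN_AT)
    for req in hits:
        mark = ",".join(req["flags"]) or "-"
        print(f"{req['time'].isoformat()} {req['ip']} {req['method']} {req['path']} [{mark}]")
    for ip, reqs in suspects(hits).items():
        print(f"suspect {ip}: {len(reqs)} flagged request(s)")
```

Run it against the real access log with the write time taken from the watched file; a client that POSTs to a plugin endpoint and then requests a .php file under wp-content/uploads right before index.php changes is the vulnerability this answer says you should find and eliminate, and the plugin path in that request is where to start looking.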