
This morning I found movies on my server (Debian VPS, Apache, Webmin/Virtualmin). The files are located in /var/log/roundcube/./ and the user/group is www-data.

I looked in my logs (Apache, ProFTPD, auth) and I didn't find any weird lines. rkhunter found nothing bad.

How can I check the history of a file (in a hidden folder), or the way the user uploaded movies into this folder?

I guess it's a backdoor, but when I scan my website I find nothing bad.

I think I'll cut my website for a while and see if there are new movies in the folder; if yes, it means that the user has FTP/SSH access or that the backdoor is not in my /var/www/.

Thanks in advance

devseo
  • If files are appearing in your server without a legitimate user having put them there, then your server has been compromised. There is no other way this happens. – Jenny D Nov 24 '15 at 10:10
  • Jenny, you're not helping here; of course my server is compromised, but there are different levels of this problem. I mean I need to find the entry point before reopening my server. My current step is "Analyze the intrusion, get logs, figure out what went wrong", and question 218005 is not helping in this sense. Anyway, thanks for your time – devseo Nov 24 '15 at 17:37
  • So here is my solution to find the backdoor: analyse the output of the lsof command. I looked for a lot of words and also for the folder "/." and I found the backdoor in /var/cache/apache2/, so now I have more information to clean my server. Thanks to everyone helping, but please remember that for non-sysadmins it can sometimes help to just give the command name and analyse the output. – devseo Nov 25 '15 at 11:12

1 Answer


Given the location of the files and their ownership, I would assume that the attacker got in through a vulnerability in Roundcube and then uploaded the files. The best way to really go about this is to run the stat command on the files (stat movie.avi) and see when the file was actually uploaded. After you get the timestamp, you should check the Apache logs for that time frame to see how the attacker got in. rkhunter wouldn't find anything, as this is not the actual OS being compromised; most likely it's using a vulnerability in Roundcube. Also, to make sure this doesn't happen again, you should upgrade Roundcube and disable shell_exec, allow_url_fopen and allow_url_include if at all possible.

Mugurel
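Added example, not code from the original question or answer: a shell script that does what the answer suggests (stat the dropped file, then pull the Apache access-log lines around that time) and what devseo's last comment describes (screen lsof output for files the web-server user holds open under a "/." or scratch directory). It assumes GNU coreutils (stat -c, date -d, touch -d) and the Apache combined log format; the file tree, access-log lines and lsof lines it works on are constructed sample data, not anything from the compromised server.

```shell
#!/bin/sh
# Added example, not code from the original post or its answer: triage helpers
# for the two techniques discussed above, timestamp/log correlation and lsof
# screening. Assumes GNU coreutils (stat -c, date -d, touch -d) and the Apache
# "combined" log format. Every file, log line and lsof line below is
# constructed sample data, not from the compromised server.
set -u

# Epoch seconds of a file's mtime and ctime. An attacker can reset mtime with
# touch, but ctime changes whenever the inode is written, so compare both.
file_times() {
    stat -c '%Y %Z' "$1"
}

# "24/Nov/2015:03:12:07 +0000" (Apache %t) -> epoch seconds.
apache_ts_to_epoch() {
    date -u -d "$(printf '%s' "$1" | sed 's#/# #g; s#:# #')" +%s
}

# Print access-log lines whose timestamp is within +/- $3 seconds of epoch $2.
# Run this with the file's mtime and ctime to find the request that dropped it.
log_lines_near() {
    log=$1; center=$2; slack=$3
    while IFS= read -r line; do
        ts=$(printf '%s\n' "$line" | sed -n 's/.*\[\([^]]*\)\].*/\1/p')
        [ -n "$ts" ] || continue
        e=$(apache_ts_to_epoch "$ts")
        if [ "$e" -ge $((center - slack)) ] && [ "$e" -le $((center + slack)) ]; then
            printf '%s\n' "$line"
        fi
    done < "$log"
}

# Regular files that sit below a hidden directory component (a "/." anywhere
# in the path), the kind of place "/var/log/roundcube/./" turned out to be.
files_in_hidden_dirs() {
    find "$1" -type f -path '*/.*/*'
}

# Screen lsof output (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) for
# files the given user holds open under hidden or scratch directories. NAME
# may contain spaces (e.g. a directory called ". "), so fields 9..NF are
# rejoined before matching. This is a heuristic; review the hits by hand.
suspicious_open_files() {
    awk -v user="$1" '
        $3 == user && NF >= 9 {
            path = $9
            for (i = 10; i <= NF; i++) path = path " " $i
            if (path ~ /\/\./ || path ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print
        }'
}

# --- constructed sample data (hidden directory is literally ". ") ----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/var/log/roundcube/. " "$SAMPLE_DIR/var/www/html"
SAMPLE_FILE="$SAMPLE_DIR/var/log/roundcube/. /movie.avi"
: > "$SAMPLE_FILE"
: > "$SAMPLE_DIR/var/www/html/index.php"
touch -d '2015-11-24 03:12:07 UTC' "$SAMPLE_FILE"   # pretend upload time

SAMPLE_LOG="$SAMPLE_DIR/access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [24/Nov/2015:03:11:58 +0000] "GET /roundcube/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Nov/2015:03:12:05 +0000] "POST /roundcube/?_task=mail&_action=upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2015:03:40:10 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/7.38.0"
EOF

LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1234 www-data txt REG 253,0 662560 131200 /usr/sbin/apache2
apache2 1234 www-data mem REG 253,0 1738176 131300 /lib/x86_64-linux-gnu/libc-2.19.so
apache2 1234 www-data 3u IPv6 19000 0t0 TCP *:http (LISTEN)
apache2 1234 www-data 12r REG 253,0 4096 262700 /var/cache/apache2/. /x.php
apache2 1234 www-data 14w REG 253,0 73400320 655360 /var/log/roundcube/. /movie.avi
apache2 1235 www-data 15r REG 253,0 4096 655361 /tmp/.s
sshd 900 root txt REG 253,0 786432 131400 /usr/sbin/sshd'

# --- demo ------------------------------------------------------------------
echo "files under hidden directories:"; files_in_hidden_dirs "$SAMPLE_DIR"
set -- $(file_times "$SAMPLE_FILE")
echo "mtime=$1 ctime=$2; requests within 60s of mtime:"
log_lines_near "$SAMPLE_LOG" "$1" 60
echo "lsof hits for www-data:"
printf '%s\n' "$LSOF_SAMPLE" | suspicious_open_files www-data
```

On a real box the sample data is replaced by the actual files and logs: `file_times` on each dropped movie, `log_lines_near /var/log/apache2/access.log <epoch> 300` (the Debian default log path is an assumption; rotated `access.log.*` files need the same pass), and `sudo lsof -n -u www-data | suspicious_open_files www-data`. Two caveats: mtime is trivially forged, so the ctime column is the one to trust for the log window, and since the machine is already compromised, copy the logs off it before analysing them so a cleanup by the attacker cannot silently erase the evidence.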