
I'm stuck with that hacking..

Posted by Lem0nHead, 10-16-2009, 10:58 AM
Around 2 days ago a "hacker" started to run Perl scripts on my server. Although I have a "script killer" running every 3 minutes, it's bothering me that he's running those scripts.

I use Perl as CGI, but he's probably using some PHP (I use PHP as an Apache module) to call it, so it's run as the apache user and I can't find which user/site is the culprit.

I've done some pretty "sophisticated" things, like:
1) a script that requests an "lsof" of the processes when it detects Apache running a Perl script
2) recording the time the script started running, getting all the logs from 1 minute before until the current time from all domains and making an intersection to find out which script was being called at all these moments

But none of that helped:
1) the complete path of the script (I was trying to at least find out where the script was being stored) doesn't show up in lsof; I'm guessing he runs it and deletes it right after
2) the few domains that intersected (and were not Google bots) don't seem to have anything suspicious

Any other ideas on how to track that (if possible, without needing to recompile Apache)? Thanks.

Posted by Anass Atef, 10-16-2009, 11:09 AM
I have some questions. Is the penetration of your server a full penetration? Is there root access? Or is it the forums on your server? Why does Perl not close down?

Posted by Lem0nHead, 10-16-2009, 11:34 AM
Sorry, I didn't understand the questions. It's not root access... probably a PHP script (Apache module) calling a Perl script (CGI).

Posted by BinaryCanary, 10-16-2009, 02:08 PM
Enable SMTP authentication? cPanel server? There is an option in Tweak Settings.

Posted by Lem0nHead, 10-16-2009, 02:19 PM
hm, SMTP??

Posted by madaboutlinux, 10-16-2009, 02:55 PM
Hi Lem0nHead,

It is difficult to track such scripts which are executed under the Apache user, and if they are deleted right after execution, it is even more difficult to figure out what they did. The only logs you have to check are the domlogs and the server logs, to see who uploaded the files. The logs are:

/var/log/messages
/usr/local/apache/domlogs/domain.tld

These logs might give you an idea of who uploaded them and when. Also make sure you mount the /tmp partition in noexec and nosuid mode so that such scripts are not executed within that partition.

BTW, it has nothing to do with "SMTP authentication".

Posted by Lem0nHead, 10-16-2009, 03:25 PM
Thanks for the help. I used mod_security to alert me of any ".pl" content in requests and it seems I found the culprit. It looks like the "hacker" was calling the domain using IP/~username/, so it didn't show up in his domain log.
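A small log correlator in the spirit of what the thread describes: take the moment a Perl process was seen under the apache user, pull every request from the merged domlogs in the minute before it, and flag the two signs that finally identified the culprit here (a ".pl" reference in the request and a /~username/ path that bypasses the per-domain log). This is an added example, not code from the thread or from cPanel; the Apache combined log format is assumed and the log lines, IPs and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: domlogs use the Apache "combined" format (IP, timestamp, request line, status).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, client_ip, request_line) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("req")

def suspicious(req):
    """Indicators from the thread; returns the list of reasons (empty means nothing flagged)."""
    reasons = []
    if re.search(r"\.pl\b", req):                      # a Perl script named in the request
        reasons.append("perl script referenced in request")
    if re.search(r"\s/~[A-Za-z0-9_-]+/", req):         # mod_userdir path, not in the domain log
        reasons.append("userdir (/~user/) path bypasses the domain log")
    return reasons

def requests_near(lines, seen_at, window=timedelta(minutes=1)):
    """All parseable requests from [seen_at - window, seen_at], the 'intersection' idea."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and seen_at - window <= parsed[0] <= seen_at:
            ts, ip, req = parsed
            hits.append((ts, ip, req, suspicious(req)))
    return hits

def correlate(lines, seen_at):
    """Only the flagged requests inside the window, oldest first."""
    return sorted((h for h in requests_near(lines, seen_at) if h[3]), key=lambda h: h[0])

# Constructed sample: several domlogs already concatenated, documentation-range IPs.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Oct/2009:10:55:01 -0300] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [16/Oct/2009:10:56:30 -0300] "GET /~someuser/img/x.php?c=/tmp/bot.pl HTTP/1.1" 200 44
198.51.100.7 - - [16/Oct/2009:10:56:45 -0300] "GET /~someuser/ HTTP/1.1" 200 1024
203.0.113.5 - - [16/Oct/2009:10:58:00 -0300] "GET /robots.txt HTTP/1.1" 200 60
""".splitlines()

# Constructed: the time the process monitor noticed apache running perl.
PERL_SEEN_AT = datetime(2009, 10, 16, 10, 57, 0, tzinfo=timezone(timedelta(hours=-3)))

if __name__ == "__main__":
    for ts, ip, req, reasons in correlate(SAMPLE_LOG, PERL_SEEN_AT):
        print(ts.isoformat(), ip, req, "->", "; ".join(reasons))
```

Feed it the merged domlogs (the per-domain files plus the server access log, since the /~user/ requests only appear in the latter) and the timestamp your process watcher recorded.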
