
01-14-2011, 05:15 PM
Junior Guru
Join Date: Oct 2009
Posts: 218

File: /tmp/sessionv nobody:nobody (99:99)
Hello,
I have been receiving the notification below since 1 Jan 11. I'm using CSF / CXS on the server and I'll be pleased if anyone can help me and let me know how to identify the account which wrote this file:
Time: Fri Jan 14 19:31:30 2011 +0330
File: /tmp/sessionv
Reason: Script, starts with #!
Owner: nobody:nobody (99:99)
Action: No action taken

01-14-2011, 05:35 PM
Disabled
Join Date: May 2006
Posts: 1,398

Looks like it was uploaded through Apache PHP running as nobody. If you go to suPHP you will be able to identify the user in the future.
You can try to grep the Apache logs for that to see where it may have been uploaded.
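One way to do that log correlation, as an added example that is not part of the thread: it takes the file's timestamp from the CXS alert and lists which vhost logs recorded a POST in the minutes before the file was written, so the account behind that domain can be inspected. The /usr/local/apache/domlogs layout is an assumption and the sample log lines are constructed.

```python
#!/usr/bin/env python3
# Correlate a file's mtime (from the CXS alert) with Apache per-domain access
# logs: the vhost that took a POST just before the file appeared is the account
# to inspect. Added example, not from the thread; the domlogs path is assumed.
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
# Common Log Format: ip ident user [time] "METHOD path proto" status ...
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_clf_time(s):
    """'14/Jan/2011:19:31:30 +0330' -> timezone-aware datetime."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def posts_before(lines, file_mtime, window=timedelta(minutes=5)):
    """(ip, path, status) of POSTs logged in the window ending at file_mtime;
    a script written to /tmp by 'nobody' usually follows a POST to a PHP page."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and file_mtime - window <= parse_clf_time(ts) <= file_mtime:
            hits.append((ip, path, status))
    return hits

def rank_domains(domlogs, file_mtime, window=timedelta(minutes=5)):
    """{domain: [log lines]} -> Counter of in-window POSTs per domain."""
    return Counter({d: n for d, lines in domlogs.items()
                    if (n := len(posts_before(lines, file_mtime, window)))})

def load_domlogs(dirpath="/usr/local/apache/domlogs"):  # assumed cPanel layout
    """Read every per-domain access log into {domain: [lines]}."""
    return {n: open(os.path.join(dirpath, n), errors="replace").readlines()
            for n in os.listdir(dirpath) if os.path.isfile(os.path.join(dirpath, n))}
# Timestamp from the alert in the thread: Fri Jan 14 19:31:30 2011 +0330
FILE_MTIME = datetime(2011, 1, 14, 19, 31, 30, tzinfo=timezone(timedelta(hours=3, minutes=30)))
# Constructed sample logs for two vhosts (not real traffic).
SAMPLE_DOMLOGS = {
    "example-a.com": ['203.0.113.5 - - [14/Jan/2011:19:30:58 +0330] "POST /upload.php HTTP/1.1" 200 512',
                      '203.0.113.5 - - [14/Jan/2011:19:20:01 +0330] "GET /index.php HTTP/1.1" 200 1200'],
    "example-b.com": ['198.51.100.7 - - [14/Jan/2011:19:31:10 +0330] "GET /about.html HTTP/1.1" 200 900'],
}

if __name__ == "__main__":
    for domain, n in rank_domains(SAMPLE_DOMLOGS, FILE_MTIME).most_common():
        print(f"{domain}: {n} POST(s) in the 5 minutes before the file was written")
```

On a live server replace SAMPLE_DOMLOGS with load_domlogs() and FILE_MTIME with the time from the alert (or os.stat on the file); the tightest window that still yields a hit is the most useful one.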

01-15-2011, 02:58 AM
Junior Guru
Join Date: Oct 2009
Posts: 218

Hello,
Thank you for the reply.
I have received the error more than 50 times in the past 2 weeks. It shouldn't be a system update.
However, I'm afraid to change the PHP mode to suPHP; I think some of our websites are going to get different problems because of this change. .htaccess has been edited by some users, so what will happen if we change the PHP mode?

01-15-2011, 03:59 AM
Web Hosting Master
Join Date: Jul 2009
Posts: 1,495

When you change to suPHP you will have to ask your clients to create a php.ini file under their account and place the PHP directives in it instead of .htaccess. Also the files/directories should have 644/755 permissions; 777 won't work.
You can send a notification to the clients a few days before the change, so they will be ready for it. Also changing permissions from 777 to 755 is very easy from SSH.

01-15-2011, 05:07 AM
Platinum quality
Join Date: Jul 2005
Location: New Jersey, US
Posts: 1,302

It's very hard and sometimes impossible to track it without putting PHP in CGI mode (phpsuexec or suPHP). Change PHP to a mode like suPHP and install mod_security; this will help prevent as well as track where the hack is coming from. These are known to cause some problems as well as interfere with some legit scripts, so make sure you check your sites and are familiar with changing permissions, ownership, etc., before doing this.
__________________
PlatinumServerManagement (also known as PSM)
The OLDEST and LARGEST server management provider in the USA, with 15+ employees and growing!
Providing quality support for OVER 14 years! Currently supporting over 3,000 servers monthly!
www.PlatinumServerManagement.com Proud member of the NJ BBB & Chamber of Commerce, and Authorized Cpanel Partner.

01-18-2011, 01:12 AM
Junior Guru
Join Date: Oct 2009
Posts: 218

Quote:
Originally Posted by ServerManagement
It's very hard and sometimes impossible to track it without putting PHP in CGI mode (phpsuexec or suPHP). Change PHP to a mode like suPHP and install mod_security; this will help prevent as well as track where the hack is coming from. These are known to cause some problems as well as interfere with some legit scripts, so make sure you check your sites and are familiar with changing permissions, ownership, etc., before doing this.

Hello, I have edited the file and that is a hack script. We don't have much time to notify the users etc.
My question is: can we change PHP to CGI through 'Configure PHP and SuExec' for a few hours and then change it back? In fact I want to identify the hacker. I know that during this change some websites will get problems, but I don't have any other option now.
Additional information: currently my PHP handler is DSO and 'Apache suEXEC' is also on.
Last edited by monitor2000com; 01-18-2011 at 01:15 AM.

01-18-2011, 01:31 AM
Disabled
Join Date: May 2006
Posts: 1,398

Ya, you can change back with a recompile, but why? Stay with suPHP/CGI; that's the very best advice you can get in this situation, plus mod_security with a good ruleset.

01-18-2011, 01:37 AM
Junior Guru
Join Date: Oct 2009
Posts: 218

Quote:
Originally Posted by jon-f
Ya, you can change back with a recompile, but why? Stay with suPHP/CGI; that's the very best advice you can get in this situation, plus mod_security with a good ruleset.

I want to do it to find the user and then change it back. We will notify the other users and then go for CGI once again after 10 days.
So if I want to change it temporarily to identify the user, can you please assist me and let me know the steps?

01-18-2011, 01:39 AM
Disabled
Join Date: May 2006
Posts: 1,398

Why don't you just cat error_log and messages to see how it was either uploaded or posted through someone's script or upload form? Or do a general search for shells and such in all home directories with maldet or known search strings.

01-18-2011, 03:51 AM
Junior Guru
Join Date: Oct 2009
Posts: 218

Quote:
Originally Posted by madaboutlinux
When you change to suPHP you will have to ask your clients to create a php.ini file under their account and place the PHP directives in it instead of .htaccess. Also the files/directories should have 644/755 permissions; 777 won't work.
You can send a notification to the clients a few days before the change, so they will be ready for it. Also changing permissions from 777 to 755 is very easy from SSH.

Hello,
I have opened a new topic to change the PHP handler; I'll be pleased if you could open the link and answer me:
http://www.webhostingtalk.com/showthread.php?t=1014997

01-18-2011, 04:08 AM
Web Hosting Master
Join Date: Jul 2009
Posts: 1,495

I have already replied to you there.