  1. #1
    Join Date
    Feb 2004
    Posts
    1,226

    I'm stuck with that hacking..

    around 2 days ago a "hacker" started to run perl scripts on my server
    although I have a "script killer" running every 3 min, it's bothering me that he's running those scripts

    I use Perl as CGI, but he's probably using some PHP (I use PHP as apache module) to call it, so it's run with apache user and I can't find which user/site is the culprit

    I've done some pretty "sophisticated" things, like:
    1) a script that requests an "lsof" of the processes when it detects apache running a perl script

    2) recording the time the script started running, getting all the logs from 1 minute before and the current time from all domains and making an intersection to find out which script was being called on all these moments


    but none of that helped
    1) the complete path of the script (I was trying to at least find out where the script was being stored) doesn't show up on lsof
    I'm guessing he runs it and deletes it right after

    2) the few domains that intersected (and were not google bots) don't seem to have anything suspicious


    any other ideas on how to track that (if possible, without needing to recompile apache)?

    thanks

  2. #2
    I have some questions
    Is the process of penetrating the penetration of your server? Fully

    Is access to the Root?

    Or the forums on your server?

    Why Perl do not close down?

    <<snipped>>

  3. #3
    Join Date
    Feb 2004
    Posts
    1,226
    Quote Originally Posted by Anass Atef View Post
    I have some questions
    Is the process of penetrating the penetration of your server? Fully

    Is access to the Root?

    Or the forums on your server?

    Why Perl do not close down?

    <<snipped>>

    sorry, I didn't understand the questions
    it's not root access... probably a PHP (apache module) calling a perl (CGI)

  4. #4
    Join Date
    Apr 2009
    Location
    Winnipeg, MB, Canada
    Posts
    21
    Enable SMTP authentication? CPanel server? there is an option in Tweak settings.

  5. #5
    Join Date
    Feb 2004
    Posts
    1,226
    hm, SMTP??

  6. #6
    Hi Lem0nHead,

    It is difficult to track such scripts which are executed under the Apache user and if they are deleted right after execution, it is even more difficult to figure out what they did.

    The only logs you have to check are the domlogs and the server logs to see who uploaded the files. The logs are

    /var/log/messages
    /usr/local/apache/domlogs/domain.tld

    These logs might give you an idea who uploaded them and when.

    Also make sure you mount the /tmp partition in noexec and nosuid mode so that such scripts are not executed within that partition.

    BTW, it has nothing to do with the "SMTP authentication".
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  7. #7
    Join Date
    Feb 2004
    Posts
    1,226
    thanks for the help

    I used mod_security to alert me of any ".pl" content on requests and it seems I found the culprit
    it looks like the "hacker" was calling the domain using IP/~username/ , so it didn't show on his domain log
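
The correlation from post #1 (requests in the minute before the script was detected), extended to the IP/~username/ form that post #7 found missing from the per-domain log. This is an added example, not code from any poster in the thread; the function names, sample log lines, account names and detection time are constructed, and the lines are assumed to come from the server-wide access log in Apache common/combined format.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined format: host ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
USERDIR_RE = re.compile(r'^/~([^/?]+)')   # /~username/... (per-user directory URL)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status = m.groups()
    return {"host": host, "time": datetime.strptime(ts, TIME_FMT),
            "method": method, "path": path, "status": int(status)}

def userdir_hits(lines, detected_at, window=timedelta(minutes=1)):
    """Return (account, client, path) for every /~account/ request made
    in the window before the rogue process was detected."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None or not (detected_at - window <= rec["time"] <= detected_at):
            continue
        m = USERDIR_RE.match(rec["path"])
        if m:
            hits.append((m.group(1), rec["host"], rec["path"]))
    return hits

# Constructed sample lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2009:14:02:41 +0000] "GET /~alice/tools/run.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/May/2009:14:02:50 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.7 - - [12/May/2009:13:40:00 +0000] "GET /~bob/ HTTP/1.1" 200 77',
    'not an access-log line',
]
# Constructed detection time, e.g. when the script killer saw apache running perl.
DETECTED = datetime.strptime("12/May/2009:14:03:00 +0000", TIME_FMT)

if __name__ == "__main__":
    for account, client, path in userdir_hits(SAMPLE_LOG, DETECTED):
        print(f"account={account} client={client} path={path}")
```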

