I think you can also check the access log with grep to see if there is any call to a bash script.

Thanks
Vishesh Kumar
http://linuxmantra.com/

On Mon, Nov 11, 2013 at 9:50 AM, Mauricio Tavares <raubvo...@gmail.com> wrote:

> On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <rizwan.r...@gmail.com> wrote:
> > There is a bunch of php scripts on the server. Not sure how to inspect and
> > find out the hijacked piece. I would appreciate any suggestion(s)
>
> You could start by seeing if any of the files have been changed
> recently (OS-specific; are you running Linux?) or something has been
> uploaded (if it is still there). Shell exploits would be in the latter
> group. Can people update files to your server? I myself have written
> one of those, and it would tell me stuff like user I am running as,
> OS/apache/php version, kernel (if linux), and so on. And that was
> before I went about exploring.
>
> I think OWASP has some kind of test for weaknesses; at least they have
> docs on best practices.
>
> I would also think the apache log files would show something like a
> given ip sending commands out to the server (trying to find a
> weakness).
>
> Look on the bright side: at least apache is not being run as root.
>
> > On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <n...@webthing.com> wrote:
> >>
> >> On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
> >>
> >> > Notice the last two listings. What does that mean? Is my Apache instance
> >> > hacked?
> >>
> >> Maybe.
> >>
> >> The most likely origin of a shell from apache is from a script.
> >> That could be a vulnerable script that's got hijacked, or a script
> >> that intentionally runs a shell. Processes hanging around
> >> could mean a script that didn't run&exit cleanly (and should
> >> be fixed).
> >>
> >> Take a long hard look at your scripts, and look for any clues
> >> in your error log.
> >>
> >> --
> >> Nick Kew
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> >> For additional commands, e-mail: users-h...@httpd.apache.org

--
http://linuxmantra.com
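
The two checks suggested in this thread (find recently changed or uploaded files, then search the access log for requests to them), combined in an added example that is not part of any poster's message. The function names, paths and sample log lines are constructed, and it assumes URL paths map directly onto the docroot and that the log uses the combined log format.

```shell
#!/usr/bin/env bash
# Added triage example, not code from the thread. Assumes URL paths map
# directly onto the docroot (no Alias/rewrite) and combined log format.

# Print files changed within the last DAYS days as URL paths ("/dir/file.php").
recent_files() {                      # usage: recent_files DOCROOT DAYS
    ( cd "$1" && find . -type f -mtime "-$2" -print ) | sed 's|^\.||' | sort
}

# Count requests per "client method path" for the paths listed in PATHS_FILE.
hits_for_paths() {                    # usage: hits_for_paths ACCESS_LOG PATHS_FILE
    awk -v list="$2" '
        BEGIN { while ((getline p < list) > 0) want[p] = 1 }
        {
            path = $7; sub(/\?.*$/, "", path)      # drop the query string
            if (path in want) n[$1 " " substr($6, 2) " " path]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample data: a docroot with one old script and one fresh upload.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/www/uploads"
    echo '<?php echo "home";' > "$d/www/index.php"
    touch -t 201301010000 "$d/www/index.php"       # untouched for a long time
    echo '<?php /* placeholder */' > "$d/www/uploads/img.php"   # just written
    cat > "$d/access.log" <<'EOF'
192.0.2.10 - - [10/Nov/2013:23:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [10/Nov/2013:23:05:10 +0000] "POST /uploads/img.php?id=1 HTTP/1.1" 200 87 "-" "-"
198.51.100.7 - - [10/Nov/2013:23:05:44 +0000] "POST /uploads/img.php HTTP/1.1" 200 91 "-" "-"
EOF
    recent_files "$d/www" 2 > "$d/recent.txt"
    hits_for_paths "$d/access.log" "$d/recent.txt"
    rm -rf "$d"
}

demo   # prints: 2 198.51.100.7 POST /uploads/img.php
```

On a real server, point `recent_files` at the actual DocumentRoot and `hits_for_paths` at the live access log; a client repeatedly POSTing to a file that appeared recently is the entry worth reading in full.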