I'd start by running strace on the Apache PID that's running bash - strace 
-pPID, see man strace for more information. You may have to install the 
package, if strace isn't currently installed. This should give you an idea of 
what the process is doing, if anything.

You could also look for exec, system, etc. functions in the php scripts by 
grepping for the functions. Check the php manual for a full list of functions.

Mauricio Tavares <[email protected]> wrote:
>On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <[email protected]>
>wrote:
>> There is a bunch of php scripts on the server. Not sure how to inspect and
>> find out the hijacked piece. I would appreciate any suggestion(s)
>>
>      You could start by seeing if any of the files have been changed
>recently (OS-specific; are you running Linux?) or something has been
>uploaded (if it is still there). Shell exploits would be in the latter
>group. Can people update files to your server? I myself have written
>one of those, and it would tell me stuff like user I am running as,
>OS/apache/php version, kernel (if linux), and so on. And that was
>before I went about exploring.
>
>I think OWASP has some kind of test for weaknesses; at least they have
>docs on best practices.
>
>I would also think the apache log files would show something like a
>given ip sending commands out to the server (trying to find a
>weakness).
>
>Look on the bright side: at least apache is not being run as root.
>>
>> On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <[email protected]> wrote:
>>>
>>>
>>> On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
>>>
>>> > Notice the last two listings. What does that mean? Is my Apache instance
>>> > hacked?
>>>
>>> Maybe.
>>>
>>> The most likely origin of a shell from apache is from a script.
>>> That could be a vulnerable script that's got hijacked, or a script
>>> that intentionally runs a shell.  Processes hanging around
>>> could mean a script that didn't run&exit cleanly (and should
>>> be fixed).
>>>
>>> Take a long hard look at your scripts, and look for any clues
>>> in your error log.
>>>
>>> --
>>> Nick Kew
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
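The three checks discussed in this thread (grep the PHP scripts for shell-spawning functions, list recently modified files, and find processes hanging off an Apache worker) as one POSIX shell script. This is an added example, not code posted by anyone in the thread; the list of risky PHP functions and the `httpd`/`apache2` process names are assumptions, and the demo builds its own throwaway docroot so it runs without a real server.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only triage helpers for a shell
# process whose parent is an Apache worker. RISKY_FUNCS and the httpd/apache2
# names are assumptions; adjust them for your build.

# PHP functions that start an external program or evaluate code
# (the PHP manual's program-execution functions plus eval/assert).
RISKY_FUNCS='exec|shell_exec|system|passthru|popen|proc_open|pcntl_exec|eval|assert'

# 1) Print file:line:text for every call to one of RISKY_FUNCS under $1.
#    The leading group keeps names such as my_exec() from matching.
find_risky_calls() {
    grep -rnE --include='*.php' \
        "(^|[^A-Za-z0-9_])(${RISKY_FUNCS})[[:space:]]*\(" "$1" 2>/dev/null
}

# 2) Print PHP files under $1 modified in the last $2 days (default 7):
#    the "changed recently" check suggested in the thread.
recently_modified_php() {
    days="${2:-7}"
    find "$1" -type f -name '*.php' -mtime "-${days}"
}

# 3) Print processes whose parent is an httpd/apache2 worker but which are
#    not httpd/apache2 themselves, i.e. the "bash under Apache" listing.
#    Candidates for strace -p PID as suggested above.
children_of_web_server() {
    ps -eo pid=,ppid=,user=,comm= | awk '
        { pid[NR]=$1; ppid[NR]=$2; user[NR]=$3; comm[NR]=$4; name[$1]=$4 }
        END {
            for (i = 1; i <= NR; i++)
                if (name[ppid[i]] ~ /^(httpd|apache2)$/ && comm[i] !~ /^(httpd|apache2)$/)
                    printf "pid=%s ppid=%s user=%s comm=%s\n", pid[i], ppid[i], user[i], comm[i]
        }'
}

# Self-contained demo on a constructed docroot: two PHP files, one of which
# calls shell_exec(). Prints "<risky hits> <files modified in last day>".
demo_scan() {
    d=$(mktemp -d)
    printf '<?php echo "hello";\n' > "$d/clean.php"
    printf '<?php $o = shell_exec("uptime"); echo $o;\n' > "$d/risky.php"
    hits=$(find_risky_calls "$d" | wc -l | tr -d ' ')
    recent=$(recently_modified_php "$d" 1 | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$hits $recent"
}

demo_scan
```

On a real box run `find_risky_calls /var/www/html`, `recently_modified_php /var/www/html 7` and `children_of_web_server`; a match from the first list inside a file from the second, whose PID shows up in the third, is the script to read first. Keep in mind that a modified file may have had its timestamp reset, so an empty second list does not clear it.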
