Hack Attack
For the last year or so, I have a site that sends me an email listing all the new and modified files on the server.
This morning, these entries caught my eye:
/var/www/html/
/var/www/html/c99.php
The c99 file was not supposed to be on the server.
Listing the /var/www/html directory, I found:
-rw-r--r-- 1 nobody nobody 7293 Aug 1 04:58 (at sign).php
-rw-r--r-- 1 nobody nobody 162032 Jul 31 05:57 c99.php
-rw-r--r-- 1 nobody nobody 0 May 23 01:36 index.html
-rw-r--r-- 1 nobody nobody 44283 May 23 01:36 Dont.Touch.php
I went back in my email Inbox, and found that the May 23 email was never received - cron had stopped on the server, and a ticket was sent to restart it.
The hosting company recommended I update some file and directory permissions, which I did, with the following commands:
find . -type f -print0 | xargs -0 chmod 644
find . -type d -print0 | xargs -0 chmod 755
These set permissions for all files to 644, and all directories to 755.
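The nightly new-and-modified-files email this post opens with, and the permissions reset just above, can both be reproduced with a few shell functions. The block below is an added example, not the author's cron job or the hosting company's tooling; it assumes a POSIX sh with GNU coreutils (find, sha256sum, awk, sort) and file paths without whitespace, matching the listing above.

```shell
#!/bin/sh
# Added example, not the author's script. Assumes POSIX sh with find,
# sha256sum, awk and sort, and paths that contain no whitespace.

# build_manifest DIR OUT: write "sha256  path" for every regular file under
# DIR into OUT, sorted by path, so two runs can be compared line by line.
build_manifest() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# report_changes OLD NEW: print one line per file that was added, modified
# (hash differs) or removed between two manifests written by build_manifest.
# OLD and NEW must be different files. Output is sorted, so the ADDED,
# MODIFIED and REMOVED groups appear in that order.
report_changes() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }              # hashes from the previous run
        !($2 in old)        { print "ADDED    " $2; seen[$2] = 1; next }
        old[$2] != $1       { print "MODIFIED " $2 }
                            { seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$1" "$2" | sort
}

# list_loose_perms DIR: print files that are not mode 644 and directories
# that are not mode 755 under DIR, i.e. exactly what the chmod pass in the
# post would change. An empty result means the tree is as intended.
list_loose_perms() {
    { find "$1" -type f ! -perm 644; find "$1" -type d ! -perm 755; } | sort
}

# Typical nightly use from cron (commented so the block only defines
# functions; /var/lib/webwatch and the mail address are placeholders):
#   build_manifest /var/www/html /var/lib/webwatch/new.txt
#   report_changes /var/lib/webwatch/old.txt /var/lib/webwatch/new.txt \
#       | mail -s "web root changes" admin@example.com
#   mv /var/lib/webwatch/new.txt /var/lib/webwatch/old.txt
```

Comparing hashes rather than only timestamps catches a modified file even when its mtime has been reset, and keeping the manifests outside the web root means a writable web root (the condition the c99 drop depended on) does not let the record of what changed be edited along with the files.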
I tarred up the files and sent them to the hosting company, along with some notes.
On the bright side - nothing was lost, and the cleanup was pretty straightforward.
The error log showed execution attempts, which failed, and that IP address has been blocked.
The hack was not on this server.
This entry was posted by elvis on 08/01/10 at 07:30:36 am.