is my server hacked ? urgent

Discussion in 'General' started by piyush, Jul 22, 2011.

  1. piyush

    piyush New Member

    OK I have applied that to all websites. Hopefully now I should see the different username than www-data. is that right ?
     
  2. erosbk

    erosbk New Member

    Yes, each site will run with his own user with suexec enabled.
     
  3. postcd

    postcd New Member

    There are more suggestions on what to do when you google: +"httpd.pl"
    Onse suexec is enabled and you see which user is running httpd.pl you can find last modiffied/created files in that account. And clean it, but it will get re-infected if you will not set all folders and files immutable bit (chattr -R +i /path/to/user/website/dir/), once done files will not be able to modify or create, some script functions may break. To remove protection, replace +i by -i
    Another solution is to backup mysql of the infected account and backup files. Then delete whole infected account, create new, install content management system (same version as the infected one) and apply your mysql, then update content management system. Backup regularly as bad bots will try to infect you again and abuse you.
     

Share This Page