hacked by By BeLa & BodyguarD

Discussion in 'HOWTO-Related Questions' started by shajazzi, Apr 22, 2007.

  1. shajazzi

    shajazzi Member

    I am running SUSE 9.3 and ISPConfig.
    I run rkhunter regularly and never found any problems with rootkits until today, when all sites on my server had been hacked by By BeLa & BodyguarD.
    I then ran rkhunter and found nothing unusual.
    Then I started to check all the files and folders in one of the sites and found that the index.php had been hacked. I replaced it with a backup and bingo, I am back in business.
    Is there any way that I can find out how the hacker managed to penetrate my server's security?
    By the way, I googled By BeLa & BodyguarD and found that this hacker was mainly concentrating on hacking forums.

    shajazzi
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    By which Linux user are the replaced files owned?
    The Apache user? Do you run PHP as mod_php or suPHP?
    Do you have PHP safe mode on, and is your PHP up to date?
    Are all the replaced index.php files from a specific content management system like Drupal, WordPress, TYPO3, ...?
     
  3. shajazzi

    shajazzi Member

    The replaced files are owned by
    user: wwwrun and group: www.
    PHP runs as mod_php.
    PHP safe mode is off.
    rkhunter now shows php4 is not up to date.
    All sites are running on Mambo and Joomla.

    I have noticed quite a few issues since I did an apt-get upgrade on this server.
    The YaST online updater shows an update for php4 and updates successfully,
    but when I run rkhunter again it shows php4 is not up to date.
    I have another server ready to run with SUSE 10.0. I know what you are going to say: why didn't you install Debian? The answer to this is that I could never get it to install properly on my 64-bit systems and had similar problems with Ubuntu. So it looks like I am stuck with SUSE for the time being, which I am happy with. I also have a copy of Xandros Linux, Puppy Linux and Damn Small Linux, among many others, but cannot find any decent server setup suggestions around at the moment, so I will leave them for a later date.

    shajazzi
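
Added example, not part of any post in this thread: with mod_php every site runs as the one Apache user (wwwrun here), so file ownership alone does not say which site was the entry point. One way to narrow it down is to list the web requests logged shortly before the replaced index.php was modified. The log lines, addresses, the `com_example` parameter and the timestamp below are constructed sample data, and the function names are hypothetical.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Prefix of an Apache common/combined access-log line.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def file_mtime(path):
    """Modification time of the replaced file. Anyone running as the owning
    user can reset it, so treat it as a lead, not as proof."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None  # not an access-log line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def requests_before_change(lines, changed_at, window_minutes=10):
    """Requests logged in the window leading up to the change, oldest first."""
    start = changed_at - timedelta(minutes=window_minutes)
    hits = [r for r in map(parse_line, lines)
            if r and start <= r["ts"] <= changed_at]
    return sorted(hits, key=lambda r: r["ts"])

def likely_writers(hits):
    """Successful requests that carried input to a script: POSTs or query strings."""
    return [r for r in hits if r["status"] < 400
            and (r["method"] == "POST" or "?" in r["path"])]

# Constructed sample log (documentation IP ranges) and constructed change time.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Apr/2007:03:01:12 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Apr/2007:03:14:40 +0200] "GET /index.php?option=com_example&id=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [22/Apr/2007:03:14:55 +0200] "POST /index.php?option=com_example HTTP/1.1" 200 64',
    '192.0.2.10 - - [22/Apr/2007:03:14:58 +0200] "GET /images/logo.png HTTP/1.1" 200 2048',
    '192.0.2.44 - - [22/Apr/2007:03:40:00 +0200] "GET /index.php HTTP/1.1" 200 310',
    'not an access log line',
]
CHANGED_AT = datetime(2007, 4, 22, 3, 15, 2, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for r in likely_writers(requests_before_change(SAMPLE_LOG, CHANGED_AT)):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

On a live server, pass the access log of every site on the box, since any of them could have written the file, and use `file_mtime()` on the replaced file (or on the backup's restore record) for the change time.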
     
