Hi there, my root server (debian lenny) was hacked and a lot of files were deleted from the /var/www/webXX folders. I have checked access logs and there were no failed or successful SSH logins at the time the hacking took place, apart from ones from my own IP. I checked the apache logs and found no "exec" calls or anything like that (although I'd be happy to post the logs for inspection here). FTP logs are clean, no FTP logins at the time of the hack. I do have a website for uploading/sharing images (for members of one of my forums) which is based on a free no-name picture upload script, which can also be seen in operation here: http://www.nainoom.co.cc Also one of my forums (vBulletin) has a flash chat by Tufat integrated. Those two seem to be the two prime candidates for security problems (in my opinion). So now they are both offline and I don't want to bring either one of them back before I can figure out what happened. Since the hacker/script that entered my server deleted files en masse, I could imagine that they deleted the offending script too. What do you guys think? Forums/Websites were all up-to-date versions of their respective software.
The actual question here, which I forgot to post (lol): Are there any tools that help look for malicious files?
OK, I've run the script but I'm not sure about the results. I've uploaded the log of the scan (attached). Does anyone have any hints?
Thanks falko. When looking for suspicious files myself: am I right in thinking that the first/best place to look for them are folders that users can upload stuff to via forums/scripts/websites?
Yup. Also weak passwords (I had someone get in on a demo account and use my box for ssh brute force attempts)
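A worked example of the check discussed in the two posts above, added here and not code from any poster: walk a web upload directory and flag files that do not belong in an image folder (a server-side script extension, a double extension such as pic.jpg.php, or a PHP open tag inside something that claims to be an image), plus a second function that lists files changed within the last N days so they can be compared with the time of the incident. The directory tree and file contents are constructed inside the script for the demo; on a real box you would point the functions at the upload folder of the picture script or the forum attachment directory.

```shell
#!/bin/sh
# Added example for the thread (not code from any poster). Everything under the
# demo directory is constructed here; swap in your own upload path for real use.

# Print one line per suspicious file: "<reason> <path>".
find_suspicious_uploads() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        name=$(basename "$f")
        # Double extension first, so pic.jpg.php is reported with that reason.
        case "$name" in
            *.*.*) echo "double-extension $f"; continue ;;
        esac
        case "$name" in
            *.php|*.php3|*.php4|*.php5|*.phtml|*.pl|*.cgi|*.sh)
                echo "script-extension $f"; continue ;;
        esac
        # A PHP open tag anywhere in an "image" is worth a manual look.
        if grep -q '<?php' "$f" 2>/dev/null; then
            echo "php-in-content $f"
        fi
    done
    return 0
}

# Print files under $1 modified within the last $2 days (default 7).
recently_changed() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
    return 0
}

# Build a throwaway upload tree for the demo and print its path.
# All file names and contents below are constructed sample data.
make_demo_upload_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/avatars"
    printf 'GIF89a' > "$d/images/holiday.gif"               # harmless image header
    printf 'GIF89a<?php echo 1; ?>' > "$d/images/cat.gif"   # PHP tag hidden in an "image"
    printf '<?php echo 2; ?>' > "$d/avatars/upload.php"     # script where only images belong
    printf 'x' > "$d/avatars/me.jpg.php"                    # double extension
    printf 'JFIF' > "$d/avatars/old.jpg"
    touch -t 200901010000 "$d/avatars/old.jpg"              # pretend this one predates the incident
    echo "$d"
}

# Stand-alone run: build the demo tree, report, then clean up.
demo_dir=$(make_demo_upload_dir)
echo "== suspicious files under $demo_dir =="
find_suspicious_uploads "$demo_dir"
echo "== changed within the last 7 days =="
recently_changed "$demo_dir" 7
rm -rf "$demo_dir"
```

The extension list is deliberately short; extend it with whatever the web server is configured to execute (check the AddHandler/AddType lines in the Apache config). A hit from the content check on a real image is rare, so each one deserves to be opened in an editor rather than deleted on sight, since the file and its mtime are evidence of how the box was entered.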
Hm. All my passwords are 10 digits plus with numbers, letters in mixed case and most have a special character or two thrown in.
Check your apache logs for anyone accessing the AdminCP directory that does not have your IP. Also, check your logs for file requests that start with a . (period) or that have suspicious $_GET[''] lines like (?act=SELECT+*+FROM+*)
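The three log checks from the post above, written out as awk filters over Apache combined-format access log lines. This is an added example, not code from any poster; the log lines, the AdminCP path /forum/admincp/ and the owner IP 203.0.113.10 are constructed for the demo, so substitute your own log file, admin path and IP.

```shell
#!/bin/sh
# Added example for the thread (not code from any poster). Combined log format:
#   IP - - [date tz] "METHOD /path HTTP/x" status bytes "referer" "agent"
# so with awk's default field splitting $1 is the client IP and $7 the path.

MY_IP="203.0.113.10"          # assumption: the owner's own address
ADMIN_PATH="/forum/admincp/"  # assumption: where vBulletin's AdminCP lives

# 1) AdminCP requests from any IP other than the owner's.
admin_from_others() {
    awk -v me="$MY_IP" -v p="$ADMIN_PATH" \
        '$1 != me && index($7, p) == 1 { print $1, $7 }' "$1"
}

# 2) Requests for a path component that begins with a dot (.htaccess, .svn/, ...).
dotfile_requests() {
    awk '$7 ~ "/[.][^/]" { print $1, $7 }' "$1"
}

# 3) SQL statement shapes inside the query string (space encoded as + or %20).
#    Coarse on purpose: every hit still needs a human to read the full line.
sql_in_query() {
    awk 'tolower($7) ~ /[?].*(union([+]|%20)select|select([+]|%20).*from|drop([+]|%20)table|insert([+]|%20)into)/ { print $1, $7 }' "$1"
}

# Write a constructed five-line access log to a temp file and print its path.
make_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.10 - - [10/Oct/2009:13:55:36 +0200] "GET /forum/admincp/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:14:02:01 +0200] "GET /forum/admincp/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:14:02:05 +0200] "GET /.svn/entries HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:14:03:11 +0200] "GET /gallery/view.php?act=SELECT+*+FROM+* HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2009:14:05:00 +0200] "GET /gallery/image.php?id=42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Stand-alone run over the demo log; on a real server pass /var/log/apache2/access.log*
log=$(make_demo_log)
echo "== AdminCP hits not from $MY_IP =="; admin_from_others "$log"
echo "== dot-file requests =="; dotfile_requests "$log"
echo "== SQL in query string =="; sql_in_query "$log"
rm -f "$log"
```

On the demo log each filter returns the same client, 198.51.100.7, which is the useful next step on a real box: once one filter names an address, grep the whole log for that address and read every request it made in order, since the successful upload or exec is usually a plain-looking POST between the obvious probes.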