Re: [users@httpd] Signs of Apache Web Server been hacked

2013-11-11 Thread Chuck Lidderdale
Normally I just lurk hoping to pick up a thing or two but today I'd like to comment. Way back when I ran across a script called "COPS" that runs daily. It was/is a collection of scripts, one of which is:

    find / | sum > thisrun
    diff thisrun lastrun | report
    mv thisrun lastrun
    run = d
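The COPS-style check quoted above hashes the whole file listing, so it can only tell you that something changed. The script below is an added example, not part of the thread or of COPS: it keeps the same thisrun/lastrun rotation but records one SHA-256 per file, so the daily report names the files that were added, modified or removed. It assumes GNU findutils/coreutils (find -print0, sort -z, xargs -r, sha256sum); the paths in the usage comment are hypothetical, and the state directory must live outside the tree being hashed.

```sh
#!/bin/sh
# Added example, not from the thread: the COPS-style "find | sum, diff against
# last run" check, redone with a per-file hash so the report names the files
# that changed rather than only saying that something did.
# Assumes GNU findutils/coreutils (find -print0, sort -z, xargs -r, sha256sum).
# ROOT and STATE are hypothetical paths; keep STATE outside ROOT.

# Write a "hash  path" line for every regular file under $1 into $2.
build_baseline() {
    root=$1; out=$2
    find "$root" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$out"
}

# Compare the previous baseline ($1) with the new one ($2) and print one line
# per change: ADDED, MODIFIED or REMOVED followed by the path.
report_changes() {
    last=$1; this=$2
    # sha256sum prints 64 hex chars, two spaces, then the path (column 67 on).
    awk -v last="$last" '
        FILENAME == last { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in old))        print "ADDED    " path
            else if (old[path] != $1)  print "MODIFIED " path
            seen[path] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$last" "$this" | sort
}

# The daily driver: hash the tree, report against the last run, rotate.
# On the first run there is nothing to compare, so it only seeds the baseline.
daily_check() {
    root=$1; state=$2
    mkdir -p "$state"
    build_baseline "$root" "$state/thisrun"
    if [ -f "$state/lastrun" ]; then
        report_changes "$state/lastrun" "$state/thisrun"
    else
        echo "baseline created, no previous run to compare"
    fi
    mv "$state/thisrun" "$state/lastrun"
}

# Usage (hypothetical paths):
#   daily_check /var/www /var/lib/integrity
```

Two caveats for real use: a baseline taken after the box was already compromised only certifies the attacker's files, and anyone who gets root can rewrite lastrun along with the files, so keep a copy of the baseline off the host or on read-only media and compare against that.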

Re: [users@httpd] Signs of Apache Web Server been hacked

2013-11-10 Thread James
I'd start by running strace on the Apache PID that's running bash - strace -pPID, see man strace for more information. You may have to install the package, if strace isn't currently installed. This should give you an idea of what the process is doing, if anything. You could also look for exec,

Re: [users@httpd] Signs of Apache Web Server been hacked

2013-11-10 Thread Vishesh kumar
I think you can also check the access log with grep for any call to a bash script. Thanks, Vishesh Kumar http://linuxmantra.com/ On Mon, Nov 11, 2013 at 9:50 AM, Mauricio Tavares wrote: > On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza > wrote: > > There is a bunch of php scripts on the server. Not sure

Re: [users@httpd] Signs of Apache Web Server been hacked

2013-11-10 Thread Mauricio Tavares
On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza wrote: > There is a bunch of php scripts on the server. Not sure how to inspect and > find out the hijacked piece. I would appreciate any suggestion(s) > You could start by seeing if any of the files have been changed recently (OS-specific; are yo
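Mauricio's suggestion (look for recently changed files) and Vishesh's (grep the access log) work best chained together: a script that was modified in the last day or two and then shows up in the access log as a request target is the "hijacked piece" Rizwan is looking for. The following is an added example, not code from the thread; it assumes GNU find (for -printf) and an Apache access log in Common/Combined Log Format, and the document root and log paths in the usage comment are hypothetical. The sample log it writes is constructed for offline runs, not real traffic.

```sh
#!/bin/sh
# Added example, not from the thread: Mauricio's "what changed recently" check
# and Vishesh's access-log grep, chained so a freshly modified script can be
# tied to the requests that reached it. Assumes GNU find (-printf) and an
# Apache access log in Common/Combined Log Format. Paths are hypothetical.

# Print regular files under $1 modified in the last $2 days, newest first.
recently_modified() {
    root=$1; days=$2
    find "$root" -type f -mtime "-$days" -printf '%T@ %p\n' | sort -rn | cut -d' ' -f2-
}

# Print every log line whose request path maps onto a file named in $2
# (one absolute path per line, under document root $1). $3 is the log file.
requests_for_files() {
    root=$1; names=$2; log=$3
    awk -v root="$root" -v names="$names" '
        BEGIN {
            # /var/www/html/x.php -> /x.php, the URL path Apache serves it at.
            while ((getline line < names) > 0)
                if (index(line, root) == 1) want[substr(line, length(root) + 1)] = 1
        }
        {
            # In CLF the request line is "METHOD /path?query HTTP/x", so $7 is the path.
            path = $7; sub(/\?.*/, "", path)
            if (path in want) print
        }
    ' "$log"
}

# Crude version of "grep the log for calls to bash": request lines that carry
# a shell name. Broaden the pattern for your own environment.
suspicious_requests() {
    grep -iE 'bash|/bin/sh' "$1"
}

# Constructed sample log (not real traffic) so the functions can run offline.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Nov/2013:15:52:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2013:15:52:07 +0000] "POST /uploads/cache.php HTTP/1.1" 200 93 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2013:15:53:30 +0000] "GET /uploads/cache.php?cmd=bash%20-i HTTP/1.1" 200 10 "-" "curl/7.22.0"
EOF
}

# Usage (hypothetical paths):
#   recently_modified /var/www/html 2 > changed.txt
#   requests_for_files /var/www/html changed.txt /var/log/httpd/access_log
#   suspicious_requests /var/log/httpd/access_log
```

Timestamps are easy to forge (an attacker can touch a dropped file back to an old date), so treat an empty recently_modified list as weak evidence; the per-file hash comparison is the reliable check. The log side has the same limitation in reverse: a request hitting a long-standing script with an injected command, or a script reached through a rewrite rule, will not match on path alone, which is why the pattern grep is kept as a second, independent pass.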

Re: [users@httpd] Signs of Apache Web Server been hacked

2013-11-10 Thread Rizwan Raza
There is a bunch of php scripts on the server. Not sure how to inspect and find out the hijacked piece. I would appreciate any suggestion(s) On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew wrote: > > On 11 Nov 2013, at 00:15, Rizwan Raza wrote: > > > Notice the last two listings. What does that mean?

Re: [users@httpd] Signs of Apache Web Server been hacked

2013-11-10 Thread Nick Kew
On 11 Nov 2013, at 00:15, Rizwan Raza wrote: > Notice the last two listings. What does that mean? Is my Apache instance > hacked? Maybe. The most likely origin of a shell from apache is from a script. That could be a vulnerable script that's got hijacked, or a script that intentionally runs a

[users@httpd] Signs of Apache Web Server been hacked

2013-11-10 Thread Rizwan Raza
When I executed the command below

    ps aux | grep apache

I got the following output

    apache   16051  0.0  0.1  24676  4532 ?  S  15:04  0:00 /usr/sbin/httpd
    apache   31784  0.2  0.4  40164 13424 ?  S  15:52  0:02 /usr/sbin/httpd
    apache    5412  1.5  0.4  41216 13776 ?  S