[nycphp-talk] Issues with server getting hacked

Chris Snyder chsnyder at gmail.com
Fri Sep 11 15:11:56 EDT 2009


On Fri, Sep 11, 2009 at 2:37 PM, Randal Rust <randalrust at gmail.com> wrote:

>
> "Your VPS has been either hacked or an insecure script has been used
> to upload stuff. We have tar'ed up the data that was being used
> (/tmp/b.tar.gz). You need to have your developer take a look at your
> site's code to determine any vulnerabilities."
>
> To which I responded, "OK, assume that we believe all of our scripts
> are secure. In looking at the logs, how do I pinpoint that someone
> is/was trying to upload something?"
>
> Tech support was less than helpful after that. So I pose the question
> to the list. How do I pinpoint the issue? There are about five domains
> running on the site, and we did not have any issues until we upgraded
> a ZenCart install for one of the sites.

They tar'd up the data from where? It might help you to know what
directory it was uploaded to. Although a clever rootkit would cover
its tracks, a clever kit wouldn't take down your server.

But really, the problem could be anywhere in the system. Was the OS up
to date? Latest version of PHP? Anything hand-compiled that hadn't
been updated in a long time? Are there FTP accounts (unencrypted)?
Anyone lazy about their passwords?

There are a lot of ways for a box to get hacked. But as Tim just
pointed out, it's usually something simple and obvious, like
connecting to FTP from Starbucks or emailing a password from an
internet cafe while on vacation.
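Randal's question of how to read the web server logs to find the upload is the part this thread never really answers, so here is an added example (not code from the thread or from any of the projects mentioned) of the kind of first-pass triage a developer can run over an Apache or nginx access log in "combined" format. It parses each line, flags requests for which a reviewer would want a closer look (a script executing out of a directory that should only hold images or uploads, an accepted POST to a script with no referer, traversal sequences or full URLs in the query string), and groups the hits by client address so one client's sequence of requests can be read in order. The directory list, the log lines and the site paths are constructed for the example and are not taken from the post.

```python
import re
from collections import defaultdict

# Regex for the Apache/nginx "combined" log format. The sample lines further
# down are constructed for this example; they are not from the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that normally hold only static or generated files. A script
# being served from one of them is the classic sign of an uploaded shell.
# This list is an assumption; adjust it to the site's real layout.
STATIC_DIRS = ("/images/", "/uploads/", "/cache/", "/tmp/", "/download/")
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".pl", ".cgi")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(rec):
    """Return the list of review reasons for one parsed request (empty = looks normal)."""
    path, _, query = rec["path"].partition("?")
    path = path.lower()
    query = query.lower()
    reasons = []

    is_script = path.endswith(SCRIPT_EXTS)
    if is_script and any(d in path for d in STATIC_DIRS):
        reasons.append("script executed from a static/upload directory")
    if (rec["method"] == "POST" and is_script
            and rec["referer"] in ("", "-") and rec["status"].startswith("2")):
        reasons.append("accepted POST to a script with no referer (tool, not browser)")
    if "../" in query or "..%2f" in query:
        reasons.append("directory traversal sequence in query string")
    if "http://" in query or "https://" in query:
        reasons.append("full URL passed as a parameter (possible remote include)")
    return reasons


def triage(log_text):
    """Group flagged requests by client IP: {ip: [(timestamp, path, reasons), ...]}."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # rotated-log headers, truncated lines, etc.
        reasons = suspicious_reasons(rec)
        if reasons:
            flagged[rec["ip"]].append((rec["ts"], rec["path"], reasons))
    return dict(flagged)


# Constructed sample traffic: one client probing and then requesting a script
# that lives under /images/, and one ordinary shopper. Real logs are far noisier.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2009:22:14:01 -0400] "GET /shop/index.php?page=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:22:14:09 -0400] "GET /shop/index.php?page=../../../../etc/hosts HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:22:15:30 -0400] "POST /shop/admin/edit.php HTTP/1.1" 200 300 "-" "-"
203.0.113.7 - - [10/Sep/2009:22:15:44 -0400] "GET /shop/images/x.php?c=id HTTP/1.1" 200 64 "-" "-"
198.51.100.20 - - [10/Sep/2009:22:16:00 -0400] "GET /shop/images/logo.gif HTTP/1.1" 200 3210 "http://example.com/shop/" "Mozilla/5.0"
198.51.100.20 - - [10/Sep/2009:22:16:02 -0400] "POST /shop/login.php HTTP/1.1" 302 0 "http://example.com/shop/login.php" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip}: {len(hits)} suspicious request(s)")
        for ts, path, reasons in hits:
            print(f"  [{ts}] {path}")
            for reason in reasons:
                print(f"      - {reason}")
```

Run against the sample, only the 203.0.113.7 client is reported, with three requests in time order; the shopper's image and login requests pass. On a real box the useful next step is to take the modification times of the files the host tarred up and look at what the flagged clients requested in the minutes before those timestamps, across all five vhosts' logs, since the script that accepted the upload is often on a different domain than the one that later served it.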
