Sunday, May 3, 2015

apache 2.2 - best way to find vulnerabilities on a server hosting a large number of sites?




I've inherited a web server that's been compromised. Trying to figure out why Apache was hanging and the causes of high server load, I found several copies of perlbot 4.5 in /tmp. I'm now trying to figure out how they got into the machine so I can close the hole(s). I've been looking at various scanners; Nessus seems nice, and I ran a scan on the machine and one of the websites hosted.
But there are a couple hundred sites, too many for anyone to know the ins & outs of all of them, and I'm new here so I really have no idea what they might be doing.
Is scanning each site the best option?



How would you check so many sites on the same machine for issues?



EDITED TO ADD: we are wiping everything and restoring from backups. Which is good but still leaves us open to the original vulnerability. Scan each site one at a time with Nessus or Metasploit to try to figure out what that vuln is?



EDIT 2: It was phpMyAdmin. Even though that would have been something I would have upgraded as soon as I noticed we were running it, I found out the problem specifically by poring through Apache logs. Nessus and Metasploit were neat but not helpful. (I may not understand how to fully utilize them though; I just ran basic automated scans.)



Answer



find / -mtime -1


Replace -1 with the number of days since when you think the intrusion happened. By finding the files that were modified, you have a fairly good chance of figuring out which site was used to get in. For instance, look for uploaded backdoor scripts in image folders and things of that nature.
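The two techniques that actually resolved this thread were the answer's mtime search and the asker's log review. The script below is an added example (not code from the question or the answer) that does both against a constructed fixture so it runs offline: it narrows the `find -mtime` idea to script files dropped into upload/image directories under a web root, and it counts requests to phpMyAdmin paths per virtual host so the affected site stands out among a couple hundred. It assumes a vhost-prefixed access log (first field is the ServerName, as with Apache's `%v`); the directory names, file names and log lines are all made up for the fixture.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for a shared
# Apache host: find recently dropped scripts under a docroot, and rank
# vhosts by requests to phpMyAdmin paths in a vhost-prefixed access log.

# Constructed fixture: a fake docroot with two sites plus a small access log.
# Legitimate files are back-dated with a POSIX `touch -t` stamp so only the
# dropped backdoor counts as "recently modified".
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sites/site-a/images" "$dir/sites/site-b/htdocs"
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$dir/sites/site-a/images/thumb.php"
  printf 'GIF89a\n' > "$dir/sites/site-a/images/logo.gif"
  printf '<html>ok</html>\n' > "$dir/sites/site-b/htdocs/index.html"
  touch -t 201501010000 "$dir/sites/site-a/images/logo.gif" "$dir/sites/site-b/htdocs/index.html"
  # Constructed log lines (vhost_combined style: vhost is the first field).
  cat > "$dir/access.log" <<'EOF'
site-a.example 203.0.113.5 - - [01/May/2015:03:12:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
site-a.example 203.0.113.5 - - [01/May/2015:03:12:04 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
site-b.example 198.51.100.7 - - [01/May/2015:03:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
site-b.example 198.51.100.9 - - [01/May/2015:03:14:00 +0000] "GET /PhpMyAdmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
site-a.example 203.0.113.5 - - [01/May/2015:03:12:10 +0000] "GET /images/thumb.php?c=aWQ= HTTP/1.1" 200 40 "-" "curl/7.40"
EOF
  echo "$dir"
}

# Files modified in the last $2 days under $1 (the answer's find, scoped to a docroot).
recent_files() {
  find "$1" -type f -mtime -"$2"
}

# Subset of recent files that look like uploaded backdoors: server-side
# scripts sitting in directories that should only ever hold static assets.
suspicious_uploads() {
  find "$1" -type f -mtime -"$2" \
    \( -path '*/images/*' -o -path '*/uploads/*' -o -path '*/img/*' -o -path '*/media/*' \) \
    \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' -o -name '*.sh' \)
}

# Count requests whose path mentions phpmyadmin (case-insensitive), per vhost.
# Field 1 is the vhost, field 8 is the request path in "METHOD path PROTO".
# Output: "<count> <vhost>", highest first.
pma_hits_by_vhost() {
  awk 'tolower($8) ~ /phpmyadmin/ { n[$1]++ } END { for (v in n) print n[v], v }' "$1" | sort -rn
}

demo() {
  d=$(make_fixture)
  echo "== recently modified files (30 days) =="
  recent_files "$d/sites" 30
  echo "== scripts dropped in asset directories =="
  suspicious_uploads "$d/sites" 30
  echo "== phpMyAdmin requests per vhost =="
  pma_hits_by_vhost "$d/access.log"
  rm -rf "$d"
}

demo
```

On a real host, run `suspicious_uploads /var/www 7` (or whatever the docroot and window are) and `pma_hits_by_vhost /var/log/apache2/access.log`; the vhost ranking only works if the LogFormat prefixes `%v`, otherwise the per-site logs have to be searched one at a time.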

