[Cialug] URGENT! How to list all files new/modified last 24 hours

Josh More jmore at starmind.org
Fri Oct 26 11:17:44 CDT 2012


Ask your hosting company to ship you a USB drive with all the data on
the server.  The email will likely be in either mbox or maildir
format, which is easily convertible.

Once it's back, enable Mod_Security2 with the OWASP core rules and PHP
Suhosin.  Look at using AppArmor with Change_Hat.  Oh, and code
better.  ;)

If you want to test it out when it's back up, sqlmap, skipfish and
arachni are free.

-Josh More
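Josh's point that mbox/Maildir mail is easily convertible, as an added example that is not from the thread: this Python script uses only the standard library's `mailbox` module to dump each message of an mbox file or Maildir directory into a plain-text file, which answers Afan's question about keeping the mail readable after the rebuild. The two-message sample mbox and all names in it are constructed so the script runs offline.

```python
import mailbox
import os
import re
import tempfile
from email.header import decode_header, make_header

# Constructed sample (two messages in mbox format); not real mail from the thread.
SAMPLE_MBOX = (
    "From alice@example.com Fri Oct 26 11:10:00 2012\n"
    "From: Alice <alice@example.com>\nTo: Afan <afan@example.net>\n"
    "Date: Fri, 26 Oct 2012 11:10:00 -0500\nSubject: Server status\n\n"
    "The server is off.\n\n"
    "From bob@example.com Fri Oct 26 11:17:00 2012\n"
    "From: Bob <bob@example.com>\nTo: Afan <afan@example.net>\n"
    "Date: Fri, 26 Oct 2012 11:17:00 -0500\nSubject: Re: Server status\n\n"
    "Ship the disk.\n"
)

def body_text(msg):
    """Return the first text/plain part, decoded with its declared charset."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def export_to_text(path, out_dir):
    """Write one .txt per message (headers + plain body); return the paths."""
    # path may be an mbox file or a Maildir directory; the stdlib parses both.
    box = mailbox.Maildir(path, create=False) if os.path.isdir(path) \
        else mailbox.mbox(path, create=False)
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for i, msg in enumerate(box, start=1):
        subject = str(make_header(decode_header(msg.get("Subject", ""))))
        safe = re.sub(r"[^A-Za-z0-9._-]+", "_", subject)[:40] or "no_subject"
        name = os.path.join(out_dir, f"{i:05d}_{safe}.txt")
        with open(name, "w", encoding="utf-8") as fh:
            for hdr in ("From", "To", "Date", "Subject"):
                fh.write(f"{hdr}: {msg.get(hdr, '')}\n")
            fh.write("\n" + body_text(msg))
        written.append(name)
    return written

def demo():
    """Write the constructed sample mbox to a temp dir and export it."""
    tmp = tempfile.mkdtemp()
    mbox_path = os.path.join(tmp, "inbox.mbox")
    with open(mbox_path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MBOX)
    return export_to_text(mbox_path, os.path.join(tmp, "text"))
```

Point `export_to_text` at the copied `~/Maildir` or `/var/mail/<user>` file on the offline copy, not at the live server.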


On Fri, Oct 26, 2012 at 11:10 AM, Afan Pasalic <afan at afan.net> wrote:
> The server is already off. Only I have access by ssh.
>
> I was lucky it happened while I was working on the server. Then I hit the arrow key in the terminal to repeat the last command, and it showed something I didn't use. By hitting it a few more times I saw stuff I never used, and I also saw where they planted shv5.zip, unzipped it and set it up.
> I called the hosting company to shut it down immediately. But in the meantime they changed every index.php file to their own index file with an "Anonymous" message, proclamation and other shit. On all my websites.
>
> Looks like they got in through my old website I coded myself. They found the hole.
> I talked to tech support and the guy said they got in through FTP but I doubt it.
>
> I'm downloading all the stuff to my local computer and have to let them clean everything: clean install, everything from scratch.
>
> I don't know how to save emails because he said he has to delete all email too :(
>
> Any idea how to save emails even as simple text files, to have access later to the content?
>
>
> On Oct 26, 2012, at 11:02 AM, Nicolai wrote:
>
>> On Fri, Oct 26, 2012 at 09:24:53AM -0500, Matthew Nuzum wrote:
>>> I would strongly suggest taking the server off line, backing up critical
>>> files and restoring it clean and patched. I've been in your shoes, trying
>>> to find and fix a security breach is like playing whack a mole and you
>>> never have full confidence that you have it truly secure.
>>
>> I second this, and I'd like to add that OP should consider replacing
>> some software with secure alternatives that don't require regular
>> patching and panic.
>>
>> Afan, what software do you think was the culprit?  Also, what leads you
>> to believe your machine was compromised?
>>
>> Nicolai
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>