Security | Recovering from an exploit

A place to discuss the testing process in beta cycles or against SVN for the CMS Made Simple CORE package.

Post by devilsF00d »

For anyone who has been exploited here is something you can do to check for a common shell script if you continue to have issues after the exploit has been fixed:

I recently had some issues with my server being compromised due to previous CMS exploits... The problem didn't stop even after fixing the exploit due to a shell script.  I found that script today and a find recipe that will search for it:

http://forums.digitalpoint.com/showthread.php?t=575793

find /var/www/ -name "*.php" -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

find /var/www/ -name "*.txt" -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

If you're searching for a c99shell, replace r57 with c99shell in the commands.
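As an added example (not from the post above and not CMS Made Simple project code), here is a POSIX sh version of the same search that only lists the files containing a signature string, so each one can be reviewed before anything is removed; the web root, the signature list (r57, c99shell) and the sample files it builds are assumptions, constructed for offline testing.

```shell
#!/bin/sh
# find_shell_signatures WEBROOT PATTERN...
# Prints, once each, every .php or .txt file under WEBROOT that contains any of the
# PATTERN strings (case-insensitive). Nothing is deleted: review the list first.
# Patterns are assumed to be single tokens without whitespace (r57, c99shell, ...).
find_shell_signatures() {
    webroot=$1; shift
    [ $# -gt 0 ] || { echo "usage: find_shell_signatures WEBROOT PATTERN..." >&2; return 2; }
    args=""
    for p in "$@"; do
        args="$args -e $p"        # one grep -e per signature, single pass over each file
    done
    # -exec ... {} + is POSIX and avoids the GNU-only xargs -r needed for an empty result set.
    find "$webroot" -type f \( -name '*.php' -o -name '*.txt' \) \
        -exec grep -l -i $args -- {} + 2>/dev/null | sort -u
}

# build_sample_webroot DIR
# Constructed sample tree (marker strings only, no real shell code) to exercise the scan.
build_sample_webroot() {
    dir=$1
    mkdir -p "$dir/site/uploads" "$dir/site/lib"
    printf '<?php echo "hello"; ?>\n'  > "$dir/site/index.php"          # clean, must not match
    printf '<?php /* r57shell */ ?>\n'  > "$dir/site/uploads/img.php"    # constructed r57 marker
    printf 'c99shell\n'                 > "$dir/site/uploads/notes.txt"  # constructed c99 marker
    printf 'r57 mentioned here\n'       > "$dir/site/lib/readme.md"      # wrong extension, skipped
}

# Run with --demo to scan a throwaway copy of the sample tree and print the hits.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_webroot "$tmp"
    find_shell_signatures "$tmp" r57 c99shell
    rm -rf "$tmp"
fi
```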

Re: Security | Recovering from an exploit

Post by Pierre M. »

I disagree. I think searching for foreign hidden scripts and eventually finding them all is not as efficient as destroying everything to be sure the land is sane for a new fresh install from a sane official package (as it was when the hosting provider delivered the hosting space). Erase-destroy catches all intruding technologies (present, past and future) and is an error-proof procedure.

Pierre M.