Originally Posted by LinuxBeginer
Inside the site directory, a bunch of directories with links to some other sites are created automatically. If I delete them, they are created again. The directories are created with a user/group ID that is not listed in /etc/passwd.
- Start by reading the CERT Intruder Detection Checklist. While stale, it still contains useful steps to perform that are not listed below,
- list user nfo, the process table, open files, network connections and the cron spool (it's good to have this nfo regardless):
Code:
( lastlog 2>&1; last 2>&1; who -a; ps acxfwwwe 2>&1; lsof -Pwln 2>&1; netstat -Tanpe 2>&1; ls -al /var/spool/cron 2>&1; ) > /path/to/file
- list files in /tmp, /var/tmp and the $DOCROOT (might hold clues):
Code:
find /tmp /var/tmp /var/www -printf "[%T@|%A@|%C@|%u|%g|%m|%l|%s|%y|\"%p\"]\n" > /path/to/docroot.log 2>&1
- stop the cron service and web server to stop propagating anything,
- copy your logs including rotated ones to a known safe different machine and parse them using Logwatch for clues (maybe check this for more nfo),
- tell us 0) what services are running (web-based management panel, FTP, SSH, web server etc, etc), 1) what software (web log, forum, shopping cart, statistics, etc, etc) including any addons and plugins is running in your web stack and their versions (basically a check for stale and vulnerable software versions), 2) if you or anyone manages the host from a Windows machine and 3) if this is a shared host, VPS or a dedicated machine.
* Add any nfo you think would be useful and please be as verbose as possible.
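The steps above, as an added example that is not part of the original post: a small POSIX sh triage helper that captures the same volatile data (one command per file, each tool run only if present, plus a hash manifest of the capture) and then parses the `find -printf` records the post's command produces to flag entries owned by a uid/gid that resolves to no passwd/group name, which is the symptom LinuxBeginer describes. `DOCROOT=/var/www`, the output paths and the sample records are assumptions/constructed data, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: Debian-style
# web root in /var/www, GNU find (-printf), net-tools netstat, lsof.

DOCROOT="${DOCROOT:-/var/www}"
# Same record layout as the post: mtime|atime|ctime|user|group|mode|link|size|type|"path"
FIND_FMT='[%T@|%A@|%C@|%u|%g|%m|%l|%s|%y|"%p"]\n'

# capture NAME CMD...: run CMD only if the tool exists, keep stdout+stderr
# in its own file under $outdir, never abort the collection on one failure.
capture() {
    name="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 || :
    else
        echo "tool not found: $1" > "$outdir/$name.txt"
    fi
}

# collect_volatile OUTDIR: the post's one-liner, split per command, then
# hashed so the capture can later be shown to be unaltered.
collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    capture lastlog lastlog
    capture last    last
    capture who     who -a
    capture ps      ps acxfwwwe
    capture lsof    lsof -Pwln
    capture netstat netstat -Tanpe
    capture cron    ls -al /var/spool/cron
    capture files   find /tmp /var/tmp "$DOCROOT" -printf "$FIND_FMT"
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum ./*.txt > manifest.sha256)
    else
        (cd "$outdir" && shasum -a 256 ./*.txt > manifest.sha256) 2>/dev/null || :
    fi
}

# orphan_owned: read find records on stdin, print paths whose user or group
# field is purely numeric. find prints the raw uid/gid for %u/%g when no
# passwd/group entry matches, so a numeric field is an owner nothing on the
# host accounts for. A '|' inside the path is re-joined from trailing fields.
orphan_owned() {
    awk -F'|' '
        { sub(/^\[/, "", $1); sub(/\]$/, "", $NF)
          path = $10; for (i = 11; i <= NF; i++) path = path "|" $i }
        $4 ~ /^[0-9]+$/ || $5 ~ /^[0-9]+$/ { print path }'
}

# changed_after EPOCH: print paths whose ctime (%C@) is at or after EPOCH,
# i.e. created or with metadata rewritten since that moment.
changed_after() {
    awk -F'|' -v since="$1" '
        { sub(/^\[/, "", $1); sub(/\]$/, "", $NF)
          path = $10; for (i = 11; i <= NF; i++) path = path "|" $i }
        ($3 + 0) >= (since + 0) { print path }'
}

# Constructed sample output in the layout above (not real data).
SAMPLE_RECORDS='[1700000000.0|1700000000.0|1700000000.0|root|root|755|0|4096|d|"/var/www/html"]
[1700003600.0|1700003600.0|1700003600.0|1002|1002|777|0|4096|d|"/var/www/html/cheap-pills"]
[1700003601.0|1700003601.0|1700003601.0|www-data|www-data|644|0|1200|f|"/var/www/html/index.php"]
[1700003700.0|1700003700.0|1700003700.0|1002|www-data|644|0|300|f|"/var/www/html/cheap-pills/a|b.html"]'

# Demo on the sample; on a real host feed $outdir/files.txt instead:
#   collect_volatile /root/triage-$(date +%s)
#   orphan_owned < /root/triage-*/files.txt
echo "owned by an unknown uid/gid:"
printf '%s\n' "$SAMPLE_RECORDS" | orphan_owned
echo "changed since 1700003601:"
printf '%s\n' "$SAMPLE_RECORDS" | changed_after 1700003601
```

The numeric-owner test is the same check the quoted post made by hand against /etc/passwd; `getent passwd UID` on the host confirms whether an entry exists. Write the capture directory to a separate filesystem or copy it off the box straight away, as the post says for the logs, and keep manifest.sha256 with it.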