I found some strange files and a folder on the server at the following location:
/usr/local/lp
$ ls
./ ../ apps/ configs/ etc/ htdocs/ jakarta/ libs/ logs/ rpmver/ scripts/ share/ temp/ tmp/ var/
It contains a virtual host configuration file at the following location:
$ cat /usr/local/lp/configs/httpd/vhost.conf
# This VirtualHost serves as an access point for monitoring scripts
# and other things used to ensure the well-being of your server.
#
# Please do not remove this VirtualHost entry unless absolutely necessary.
#
# This configuration file is generated from values stored in the file
# '/usr/local/lp/configs/httpd/prefs.cfg'.
#
# To make changes, edit that file and regenerate the VirtualHost by running
# '/usr/local/lp/apps/http/generatelpvhost'.
#
# To make changes outside of the scope of the configuration provided, edit
# the custom include file - '/usr/local/lp/configs/httpd/custom.conf'.
#
# To disable this VirtualHost, touch the following file, and then
# regenerate the VirtualHost:
# /usr/local/lp/var/disablelpvhost
#
# To prevent automated changes to this VirtualHost, touch the following
# file:
# /usr/local/lp/var/staticlpvhost
#
NameVirtualHost X.X.X.X:80
<VirtualHost X.X.X.X>
ServerName servxxxxx.sn.sourcedns.com
ServerAlias www.servxxxxx.sn.sourcedns.com
ServerAdmin webmaster@sourcedns.com
DocumentRoot /usr/local/lp/htdocs/
CustomLog /usr/local/lp/logs/httpd/servxxxxx.sn.sourcedns.com combined
ScriptAlias /cgi-bin/ /usr/local/lp/htdocs/cgi-bin/
User systuser
Group systuser
</VirtualHost>
It seems that it includes all the Apache files except the Apache binary. The path to this virtual host file has then been included in the main Apache configuration file.
It seems that the attacker has got hold of the server root password. Can I make the server safe by just changing the server root password and then deleting the above files? Has anyone seen something like this before? Please let me know a solution to this issue...
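Before touching the files, a defender would first confirm how the extra vhost is wired into Apache: every Include in the main configuration that points outside the distribution's config tree is worth accounting for. The script below is an added example, not code from the post; it scans httpd.conf text for Include/IncludeOptional directives, resolves relative targets against ServerRoot, and reports any that fall outside the trusted prefixes. The httpd.conf content is a constructed sample modelled on the post (the /usr/local/lp path is the one the post shows).

```python
"""Audit Apache Include directives for config files pulled in from outside
the expected configuration tree. Added example, not part of the original
post; the sample httpd.conf below is constructed for illustration."""
import re
from pathlib import PurePosixPath

# Standard Apache directives; quoted or unquoted paths, optional globs.
INCLUDE_RE = re.compile(
    r'^\s*(Include|IncludeOptional)\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)
SERVER_ROOT_RE = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)


def find_foreign_includes(conf_text, default_server_root, trusted_prefixes):
    """Return (directive, resolved_path) for each Include whose target lies
    outside trusted_prefixes. Relative targets resolve against ServerRoot
    (taken from the config text, else default_server_root)."""
    m = SERVER_ROOT_RE.search(conf_text)
    server_root = PurePosixPath(m.group(1) if m else default_server_root)
    trusted = [p.rstrip("/") + "/" for p in trusted_prefixes]
    foreign = []
    for directive, target in INCLUDE_RE.findall(conf_text):
        path = PurePosixPath(target)
        if not path.is_absolute():
            path = server_root / path
        if not any(str(path).startswith(t) for t in trusted):
            foreign.append((directive, str(path)))
    return foreign


# Constructed sample: a stock layout plus the kind of line the post describes.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
IncludeOptional conf.d/*.conf
# constructed entry pulling in the vhost from the post
Include /usr/local/lp/configs/httpd/vhost.conf
"""

if __name__ == "__main__":
    for directive, path in find_foreign_includes(
            SAMPLE_HTTPD_CONF, "/etc/httpd", ["/etc/httpd"]):
        print(f"{directive} -> {path}")
```

On a live system, feed it the real httpd.conf and compare the result with `httpd -t -D DUMP_VHOSTS` (or `apachectl -S`), which prints every vhost Apache actually loaded and the file and line it came from.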