  1. #1
    Member
    Join Date
    Feb 2004
    Posts
    22

    Hacked

    Hi, recently hacked from 1 (one) tiny PHP script... unbelievable.

    Anyway, when trying to restart Apache it starts like the following:

    /usr/local/apache/bin/httpd -k start
    /usr/local/apache/bin/httpd -k start

    Now I'm guessing this is wrong and part of the hack... could anyone help me find out how this is happening?

    Also, our php.ini was redirecting to the ZEND folder, which is unusual, as before it was /usr/local/lib/php.

  2. #2
    cPanel Partner NOC AndyReed
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    Quote Originally Posted by 4hosted
    Anyway, when trying to restart Apache it starts like the following:

    /usr/local/apache/bin/httpd -k start
    /usr/local/apache/bin/httpd -k start
    Do you have chkrootkit and rkhunter installed on your server? If not, you need to install, configure and run these two applications to get a report of the damage done on your server. Overall, you need to clean up your server, then secure and harden it. There are many threads in these forums that discuss server security.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  3. #3
    Member serversphere
    Join Date
    Jan 2004
    Posts
    658


    The first part is weird, because httpd doesn't have a -k option associated with it, from what I'm familiar with. Is that what you are typing to try and restart it?

    The Zend redirect is most likely because Zend Optimizer was installed on the system. It redirects php.ini to its own version.

    What has happened to lead you to believe you were hacked? As Servertune suggested, try installing a rootkit sniffer and see what results you get.
    Darren Benfer | SS-Darren | AIM: serversphere
    www.serversphere.com
    Dedicated Server Solutions Have Come Full Circle

  4. #4
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by serversphere
    The first part is weird, because httpd doesn't have a -k option associated with it, from what I'm familiar with. Is that what you are typing to try and restart it?

    The Zend redirect is most likely because Zend Optimizer was installed on the system. It redirects php.ini to its own version.

    What has happened to lead you to believe you were hacked? As Servertune suggested, try installing a rootkit sniffer and see what results you get.
    It's probably a process that is showing up as httpd in ps because of the way the perpetrator set it up to do so. He'll have to do an lsof to figure out what it really is.

    M
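    Post #4 suggests checking with lsof whether a process that calls itself httpd is really Apache. The script below is an added example, not from the thread or from cPanel: it compares each httpd-named process's executable (via /proc/PID/exe) with the Apache install path the original poster shows, /usr/local/apache/bin (an assumption), and flags binaries that live elsewhere or were deleted after launch. It needs a Linux /proc filesystem and root to read other users' processes.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: Apache is installed under
# /usr/local/apache, as on the original poster's server.
APACHE_BIN=/usr/local/apache/bin

# classify_proc COMM EXE_PATH
#   OK         -> process name and on-disk binary agree (or it is not httpd at all)
#   DELETED    -> binary was unlinked after exec (dropped tools often do this)
#   UNKNOWN    -> /proc/PID/exe could not be read (usually a permissions issue)
#   SUSPICIOUS -> something called httpd runs from outside the Apache tree
classify_proc() {
    comm=$1
    exe=$2
    case "$comm" in
        httpd|apache|apache2) ;;
        *) echo OK; return 0 ;;
    esac
    case "$exe" in
        *' (deleted)')   echo DELETED ;;
        unreadable)      echo UNKNOWN ;;
        "$APACHE_BIN"/*) echo OK ;;
        *)               echo SUSPICIOUS ;;
    esac
}

# scan_httpd: walk /proc and print PID, name, verdict and real path for every
# httpd-named process whose binary is not where Apache lives.
scan_httpd() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/comm" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null)
        exe=$(readlink "$d/exe" 2>/dev/null || echo unreadable)
        verdict=$(classify_proc "$comm" "$exe")
        [ "$verdict" = OK ] || printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$verdict" "$exe"
    done
}

# Run the live scan only when invoked as: sh check_httpd.sh scan
[ "${1:-}" = scan ] && scan_httpd
```

A kernel-level rootkit can hide processes from /proc entirely, which is why the thread's advice to also run rkhunter and chkrootkit still applies.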

  5. #5
    Member
    Join Date
    Jun 2004
    Posts
    78


    Seems the box was recently upgraded and not hacked.


    Quote Originally Posted by serversphere
    The first part is weird, because httpd doesn't have a -k option associated with it, from what I'm familiar with.
    httpd -h
    Usage: /usr/local/apache/bin/httpd [-D name] [-d directory] [-f file]
    [-C "directive"] [-c "directive"]
    [-k start|restart|graceful|graceful-stop|stop]
    [-v] [-V] [-h] [-l] [-L] [-t] [-S]
    Options:
    -D name : define a name for use in <IfDefine name> directives
    -d directory : specify an alternate initial ServerRoot
    -f file : specify an alternate ServerConfigFile
    -C "directive" : process directive before reading config files
    -c "directive" : process directive after reading config files
    -e level : show startup errors of level (see LogLevel)
    -E file : log startup errors to file
    -v : show version number
    -V : show compile settings
    -h : list available command line options (this page)
    -l : list compiled in modules
    -L : list available configuration directives
    -t -D DUMP_VHOSTS : show parsed settings (currently only vhost settings)
    -S : a synonym for -t -D DUMP_VHOSTS
    -t -D DUMP_MODULES : show all loaded modules
    -M : a synonym for -t -D DUMP_MODULES
    -t : run syntax check for config files

  6. #6
    Member serversphere
    Join Date
    Jan 2004
    Posts
    658


    Quote Originally Posted by S-Combs
    [-k start|restart|graceful|graceful-stop|stop]
    Thanks! Apache 2 perhaps? Never used -k, I always use apachectl. In any event I don't see anything to indicate a machine was hacked. I think we need more info.
    Darren Benfer | SS-Darren | AIM: serversphere
    www.serversphere.com
    Dedicated Server Solutions Have Come Full Circle

  7. #7
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300


    Apache 2.x uses '/usr/local/apache/bin/httpd -k start' or 'httpd -k start -DSSL' (apachectl calls this, so no one would really notice a difference, as it's automatically called from the init scripts).

    If you are seeing this, you or someone else has upgraded apache to 2.0 or 2.2. This is no reason to think the system was hacked. If a system was hacked you would see processes going crazy, weird errors, etc.
    -Todd Shipway

  8. #8
    Member
    Join Date
    Feb 2004
    Posts
    22


    Sorry, you're correct, it was because I rebuilt Apache.

    We were hacked by the c99.php script, it seemed to defunct our httpd.conf 443 lines.

    I never noticed the apache rollback function which is in all honesty a complete godsend!!

    I messed about for 8 hours trying to fix the httpd.conf and php.ini, rebuilding Apache, using rebuildhttpdconf, everything, when this simple option, if I had noticed it earlier, would have made it a 10 second job.

    I ran rkhunter and although it never found anything (thankfully) I reformatted anyway... just in case.

  9. #9
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300


    c99shell can definitely create problems.

    You might want to look into running mod_security to stop php shells from gaining access or running commands.
    -Todd Shipway

  10. #10
    Member
    Join Date
    Feb 2004
    Posts
    22


    Thanks Todd

  11. #11
    Member
    Join Date
    Feb 2006
    Posts
    31


    Quote Originally Posted by cPanelTodd
    c99shell can definitely create problems.

    You might want to look into running mod_security to stop php shells from gaining access or running commands.
    Any suggested rules Todd?

  12. #12
    Member
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    300


    gotroot.com has a great set of rules; however, these aren't specific to cPanel servers.

    The specific ruleset I recommend is http://www.gotroot.com/downloads/ftp.../rootkits.conf

    These rules are for modsec2, and the rules within there should be good enough to stop most php shell attacks.

    I also recommend the rules in http://www.gotroot.com/downloads/ftp...he2/rules.conf but be cautious when enabling these as they might interfere with custom applications that you may be using.
    -Todd Shipway
