No, we don't offer Fantastico.
@Davedark: we're still not sure how they got in. It was a simple defacement (the server itself was not compromised) but in the logs there's no clue pointing to what they did (or which account was used to inject a php-shell, for example).
Because together we know more

I will share some findings, perhaps one of you has a clue:
- Somehow they scanned some accounts for world-writable directories. In these directories they placed an index.html. For most accounts this was done to only one of the subdirectories, like admin, images or the like.
- The structure of the index.html was very simple, no HTML-tags were used, it was a one-liner. The owner was nobody, which indicates that it was done through PHP (Perl would give the 'user' ownership).
- Because of the simplicity of the index.html I expect they didn't download it (wget is disabled for non-wheel users) but used something like 'echo "Hacked By FataLStyLe / [www.sniper-forum.org] [www.holysecurity.org] msn: [email protected]" > /homedir/index.html'
Since the file had 'nobody' as user, I expect PHP to have been used (phpshell?), but since we have open_basedir in place, this doesn't make any sense. The only way to get around open_basedir is to attack the main account of the server (which points to /var/www).
Again: we haven't found anything in the logfiles yet. Since the timeline matches up, I don't expect them to have been able to alter the logfiles (the defacement itself was basic; this would imply much more knowledge and access on our server).
If they injected some malicious PHP-code they must have used POST, since that's much harder to track in your logfiles.
Perhaps they got into a Joomla site and uploaded some code, perhaps they found a flaw in some application, we're not sure.
Any suggestion is appreciated!
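
One way to narrow the log search described in the post above, as an added example that is not part of the original post: take the modification time of a dropped index.html and list every POST to a PHP script, across all vhost access logs, in the minutes before it. It assumes Apache "combined" log format; the log lines, addresses, paths and timestamps below are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def posts_before(log_lines, dropped_at, window_minutes=10):
    """Return (ip, time, path, status) for every POST to a PHP script
    logged within window_minutes before the dropped file's mtime."""
    start = dropped_at - timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        script = m["path"].split("?", 1)[0].lower()
        if not script.endswith((".php", ".phtml")):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if start <= ts <= dropped_at:
            hits.append((m["ip"], ts, m["path"], int(m["status"])))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: lines as they might appear merged from several vhost logs.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:03:14:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:03:16:40 +0100] "POST /images/x.php?a=1 HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:03:17:05 +0100] "POST /images/x.php HTTP/1.1" 200 98 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:01:00:00 +0100] "POST /contact.php HTTP/1.1" 200 700 "-" "-"',
    '192.0.2.33 - - [01/Jan/2024:03:17:30 +0100] "POST /forum/post.php HTTP/1.1" 200 900 "-" "-"',
]

# Constructed mtime of the dropped file. On a real host, use
# datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).
DROPPED_AT = datetime(2024, 1, 1, 3, 17, 10, tzinfo=timezone(timedelta(hours=1)))

if __name__ == "__main__":
    for ip, ts, path, status in posts_before(SAMPLE_LOG, DROPPED_AT):
        print(ts.isoformat(), ip, status, path)
```

The access log records only that a POST happened, not its body, so the hits are candidates for closer inspection of the target script rather than proof of what was sent.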