So I have a server that appears to be compromised. Randomly users visiting any of the sites on the server get redirected to an adult website. Now, I've manually looked through many of the files, and run them through ConfigServer Exploit Scanner, and they are all clean.
Here are things I've done:
1. I've gone through and looked for footprints of the darkleech backdoor according to many different sites that gave info on how to detect. None were found.
2. I've run a couple detectors that look for the CDorked exploit, and they all came back clean.
3. I ran maldetect on the entire system, and it came back clean.
4. I've changed all root and ftp passwords
5. I updated the kernel
6. I ran easyapache
I know the server has to be compromised because these redirects are still happening. Are there any other exploits anyone knows about that maybe I could look for?
I read that the CDorked exploit replaces the http binary. How could I make sure that binary isn't corrupted? If I were to move that binary from another server would that work, or would it crash apache?
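One way to answer the "is the binary corrupted" question from a defender's side, as an added example that is not part of the original post: compare the on-disk httpd against a hash obtained off the suspect host (the vendor package, or the identical build on a known-clean server), ask the package manager to verify it where the binary came from a package, and check that the running httpd processes are executing the same file that is on disk. The paths, the process name and the trusted hash below are placeholders; the demonstration at the bottom runs on a constructed temporary file so the script works anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): integrity checks for a server
# binary such as Apache's httpd. All paths and hashes are placeholders.

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file at $1 hashes to the trusted value $2, 1 otherwise.
# The trusted hash must come from somewhere other than the suspect host.
verify_binary() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# When the binary came from a package, let the package manager verify it
# against its recorded metadata. Returns 0 only if nothing has changed.
# A source build (e.g. cPanel EasyApache output) is not owned by any package,
# so this reports that and returns 1; use verify_binary with a trusted hash.
package_verify() {
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then
        rpm -V "$(rpm -qf "$1")"
    elif command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
        dpkg --verify "$(dpkg -S "$1" | cut -d: -f1)"
    else
        echo "$1 is not owned by a package; compare its hash to a trusted copy" >&2
        return 1
    fi
}

# Check that every running process named $1 executes the on-disk file $2.
# A process whose /proc/PID/exe points elsewhere, or shows "(deleted)", is
# running an image that differs from what is on disk and deserves a look.
# Linux only; reading other users' /proc entries needs root.
running_matches_disk() {
    ok=0
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        if [ "$exe" != "$2" ]; then
            echo "pid $pid runs $exe, not $2" >&2
            ok=1
        fi
    done
    return $ok
}

# Demonstration on a constructed file; the trusted value is sha256("hello\n").
TRUSTED=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
verify_binary "$tmp" "$TRUSTED" && echo "intact" || echo "MODIFIED"
printf 'x' >> "$tmp"        # simulate a binary that was replaced or patched
verify_binary "$tmp" "$TRUSTED" && echo "intact" || echo "MODIFIED"
rm -f "$tmp"

# On a real host (placeholder paths, run as root):
#   package_verify /usr/sbin/httpd
#   verify_binary /usr/sbin/httpd "$HASH_FROM_CLEAN_SERVER"
#   running_matches_disk httpd /usr/sbin/httpd
```

A clean hash match only says the file on disk is the one you expect; the process check matters because a running image can differ from the file, and neither check covers loaded modules or the configuration that loads them, so those need the same trusted-copy comparison.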