I received several urgent emails from my web host today saying I was hosting PayPal phishing content and to immediately remove it.
Sure enough, the content was there. I replaced my domain with *'s, but the URLs were:
http://***.com/cgi-bin/webscr/?login-dispatch
http://***.com/cmd-confirm/login.php
I killed apache2 and the pages were unretrievable. After starting it again, they were there again.
I have run updatedb and locate and I have no files or directories anywhere called "webscr", "cmd-confirm" or "login.php".
I have removed all references to cgi-bin in apache2.conf and httpd.conf, sites-enabled/default.
The server is Debian stable; it had been a few weeks since I had run an apt-get update and upgrade.
Well, I've been looking through access.log and /var/log/messages and can't find the source, other than that I started getting hits to the login.php and people were unfortunately entering their data, I think.
How can I get rid of this? I've run chkrootkit and rkhunter, didn't find anything. What else can I do? "last" and "w" don't show any logins from anyone but me, but I've changed root and user passwords.
This server was running WordPress, MySQL, Gallery2; I'm guessing this compromise came from one of these.
Since I kinda freaked out at not being able to find these files apparently served off my server, I just changed apt sources to 'testing' and did a dist-upgrade to make sure I have the latest software; that is currently still running. I still have apache2 down until I figure out where this crap is and remove it.
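A URL like /cgi-bin/webscr/ that locate cannot find is often not a file of that name at all: it can be an Alias, ScriptAlias, RewriteRule (WordPress ships a .htaccess), ProxyPass or Include directive pointing somewhere else, and updatedb also skips the directories listed in PRUNEPATHS in /etc/updatedb.conf (typically /tmp and similar). The triage helper below is an added example, not from the original post or any reply; it assumes the Apache configuration under /etc/apache2 and the document root under /var/www, and builds a constructed sample tree so it can be run offline.

```shell
#!/bin/sh
# Added triage helper, not from the original post. It looks for the Apache
# directives that can serve a URL such as /cgi-bin/webscr/ or /cmd-confirm/
# without any file of that name existing: Alias/ScriptAlias, mod_rewrite
# rules (including in WordPress .htaccess files), ProxyPass, Redirect,
# stray Include lines and PHP auto_prepend hooks.
# Assumed locations: APACHE_DIR=/etc/apache2, WEB_ROOT=/var/www.
# On the live server also run: apache2ctl -t -D DUMP_VHOSTS -D DUMP_MODULES

DIRECTIVE_RE='^[[:space:]]*(Alias|ScriptAlias|RewriteRule|ProxyPass|Redirect|Include|AddHandler|php_value[[:space:]]+auto_prepend_file)'

# Every URL-mapping directive in the config tree and in every .htaccess
# under the document root, printed as file:line:text.
find_url_mappings() {
    find "$1" -type f -exec grep -H -n -E -i "$DIRECTIVE_RE" {} + 2>/dev/null || true
    find "$2" -name .htaccess -type f -exec grep -H -n -E -i "$DIRECTIVE_RE" {} + 2>/dev/null || true
}

# Only the mappings whose text mentions a given path fragment (extended regex).
grep_mappings_for() {
    find_url_mappings "$1" "$2" | grep -i -E "$3" || true
}

# Regular files modified in the last N days; updatedb skips PRUNEPATHS
# such as /tmp, so walk the real tree rather than trusting locate.
recently_changed() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Constructed sample tree standing in for /etc/apache2 and /var/www so the
# helpers can be exercised offline; these paths are invented, not real IoCs.
build_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/apache2/conf-enabled" "$base/www/wordpress"
    printf 'ServerName example.invalid\n' > "$base/apache2/apache2.conf"
    printf 'ScriptAlias /cgi-bin/ /var/tmp/.cache/\n' > "$base/apache2/conf-enabled/zz-local.conf"
    printf 'RewriteEngine On\nRewriteRule ^cmd-confirm/(.*)$ uploads/.tmp/$1 [L]\n' \
        > "$base/www/wordpress/.htaccess"
    echo "$base"
}

# Number of mapping directives that reference the phishing paths.
count_hits() {
    grep_mappings_for "$1/apache2" "$1/www" 'cgi-bin|cmd-confirm' | wc -l | tr -d ' '
}
```

Against the sample tree, `grep_mappings_for "$base/apache2" "$base/www" 'cgi-bin|cmd-confirm'` reports the ScriptAlias in conf-enabled and the RewriteRule in the WordPress .htaccess, which is the kind of mapping a filename search never sees.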