One of my clients has had a server hacked. I was never responsible for their network security, I just write code for them, but now it's my job to find out what happened and fix it.
Basically they got in through a hole in some third-party PHP code, which allowed them to upload some more PHP, which allowed them to run programs. One of these was called 'w00t' and is a large piece of software with unknown function. It is not currently running. The other is a smaller bit of code called 'r0nin', which is the Psycophobia backdoor. Psycophobia are a hacker group.
When I kill it (the backdoor), it disappears from the process list, but I am still able to connect to the shell. When I connect to the shell the backdoor process reappears in the process list.
Why? How?
It could be a rootkit I guess, but if they used a sophisticated rootkit, why allow us to see the backdoor process at all? Why allow us to see that it is bound to port 1666? And why leave obvious trails all over the place? The logs weren't even cleared. It just smells like an amateur job to me.
It could be another process watching the backdoor process and restarting it, but I don't think they have access to any other user but the webserver user, and that is only running a handful of processes, none of which look suspicious. Except for the backdoor one of course.
Any ideas?
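One way to answer the "who still holds port 1666 after I killed it?" question is to attribute the socket to a PID from /proc rather than trusting ps or netstat output; this is an added example, not code from the post, and the /proc/net/tcp excerpt it embeds is constructed (the script name `portowner.sh` is hypothetical).

```shell
#!/bin/sh
# Attribute TCP sockets on a port to the processes holding them by reading
# /proc directly. If a listener keeps answering after its visible process was
# killed, some PID still holds the socket; /proc/<pid>/exe ends in "(deleted)"
# when that process runs from a binary the intruder has already removed.

# Decimal port -> 4-digit upper-case hex, as used in the local_address column.
port_hex() { printf '%04X' "$1"; }

# Print "inode state" for every socket whose local port matches $1, reading a
# /proc/net/tcp-formatted table from $2 (default: the live table). 0A = LISTEN.
socket_inodes() {
  hex=$(port_hex "$1")
  awk -v hex="$hex" 'NR > 1 { split($2, a, ":"); if (a[2] == hex) print $10, $4 }' \
    "${2:-/proc/net/tcp}"
}

# Print every PID that has an open fd pointing at socket inode $1.
pids_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    p=${fd#/proc/}; echo "${p%%/*}"
  done | sort -un
}

# One-line summary of a PID from /proc, independent of argv[0] masquerading.
describe_pid() {
  printf 'pid=%s ppid=%s comm=%s exe=%s cwd=%s\n' "$1" \
    "$(awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null)" \
    "$(cat "/proc/$1/comm" 2>/dev/null)" \
    "$(readlink "/proc/$1/exe" 2>/dev/null)" \
    "$(readlink "/proc/$1/cwd" 2>/dev/null)"
}

# Constructed /proc/net/tcp excerpt (not from the incident): a LISTEN socket on
# port 1666 (0x0682) owned by uid 33 with inode 12345, plus an unrelated one.
SAMPLE_TCP=$(mktemp); trap 'rm -f "$SAMPLE_TCP"' EXIT
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0682 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
EOF

# Live scan of the port given as $1, e.g.: ./portowner.sh 1666
if [ -n "${1:-}" ]; then
  socket_inodes "$1" | while read -r inode state; do
    echo "port $1 socket inode=$inode state=$state"
    for pid in $(pids_for_inode "$inode"); do describe_pid "$pid"; done
  done
fi
```

Run it as root so the fd links of every process are readable; a listener whose holder has a ppid you did not expect, or an exe link marked "(deleted)", is the process to look at.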
