

btfans
04-17-2006, 11:50 AM
Hacked - pls help

Dear All,

**** pls excuse me if this was NOT posted to a correct category ****

My phpBB (/var/www/html/phpBB2, running on FC3) wrongly allowed 777 and was attacked by this hacker
(ip=81.196.**.***).
/tmp/.666 and /tmp/.lick are invoked continuously, it seems whenever phpBB is run.

This results in a substantial problem with sh (defunct) (zombie) processes.

I want expert advice:

1) How is it invoked?
2) How do I STOP it?
3) For now I only deny that IP access to /var/www/html using .htaccess.

Mathew

Icarus
04-17-2006, 12:21 PM
I removed the .lick data, as posting exploits is strictly against the posting guidelines, and their originating IP, because those are usually spoofed anyway (nmap it, I'll bet it's a hacked zombie).

Hopefully someone with knowledge on PHP hacks can shed some light for you.
A couple of guesses on stopping it: stop httpd, reboot, and/or kill -9 the defunct PID.

Wong
04-17-2006, 01:03 PM
First of all, if you do not know basic security I suggest you reload the whole OS or hire a qualified system administrator to perform an audit.

You should disable wget and fetch, as attackers use them to download content in most cases.

chmod 000 /usr/bin/wget
chmod 000 /usr/bin/fetch

Install mod_security; you can obtain it via http://www.modsecurity.org/.

Install rkhunter from http://www.rootkit.nl/. After installing, don't forget to run rkhunter --update to update your definitions, then run rkhunter -c and carefully monitor the results.

Also doing ps auxw | egrep "perl|php" and looking for something suspicious is not a bad idea.

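The checks suggested in the two replies above, as a small added triage script (not code from the thread, nor from phpBB, rkhunter or mod_security). It looks for exactly the symptoms the original post describes: executables run from hidden dot-files under /tmp, defunct (zombie) sh processes, and world-writable directories under the web root. The process helpers read "pid ppid stat args" lines on stdin, so they can be fed from ps on a live box or, as here, from a constructed sample; the sample ps output, the PIDs in it and the --demo flag are all assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from phpBB/rkhunter/mod_security.
# The process helpers read "pid ppid stat args" lines on stdin; on a live box
# feed them with:   ps -eo pid,ppid,stat,args --no-headers | flag_hidden_tmp

# Constructed sample of ps output (not real data): an httpd child that ran a
# hidden script from /tmp, the binary it started, one defunct child, and
# ordinary daemons that must not be flagged.
sample_ps() {
    cat <<'EOF'
1 0 Ss /sbin/init
1234 1 S /usr/sbin/httpd
1300 1234 S sh /tmp/.lick
1301 1300 R /tmp/.666
1302 1234 Z [sh] <defunct>
1303 1234 S /usr/sbin/httpd
1400 1 S /usr/sbin/sshd
EOF
}

# Print every process whose command line references a hidden (dot-named)
# file under /tmp, /var/tmp or /dev/shm, the pattern of /tmp/.666 and /tmp/.lick.
flag_hidden_tmp() {
    grep -E '(^|[ ])(/tmp|/var/tmp|/dev/shm)/\.[^ /]+'
}

# For each defunct (stat Z) process print its PID, its parent's PID and the
# parent's command line. A zombie has already exited; it only leaves the table
# once that parent reaps it or is itself stopped, so the parent is the thing
# to look at (here it is the httpd child, matching the poster's symptom).
list_zombie_parents() {
    awk '
        { c = $4; for (i = 5; i <= NF; i++) c = c " " $i; cmd[$1] = c }
        $3 ~ /^Z/ { n++; zpid[n] = $1; zppid[n] = $2 }
        END {
            for (i = 1; i <= n; i++)
                printf "zombie pid=%s ppid=%s parent=%s\n", zpid[i], zppid[i], (zppid[i] in cmd) ? cmd[zppid[i]] : "?"
        }'
}

# List world-writable files and directories below $1 (the "777" problem; on
# the poster's box $1 would be /var/www/html). Symlinks are skipped because
# their own mode bits are meaningless.
find_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Stand-alone run: triage the constructed sample and the current directory.
if [ "${1:-}" = "--demo" ]; then
    echo "# hidden /tmp executables:";   sample_ps | flag_hidden_tmp
    echo "# zombies and their parents:"; sample_ps | list_zombie_parents
    echo "# world-writable under .:";    find_world_writable .
fi
```

Run it with --demo to see the three reports on the sample; on a compromised host the value of the zombie report is that it names the parent (the httpd worker here) rather than the defunct PID, which is the process that has to be restarted or stopped for the defunct entries to go away.
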
btfans
04-19-2006, 01:20 AM
Finally I removed phpBB 2.0.4 and reinstalled the new version. - FIXED.
Thank you all for help.