[BlueOnyx:10157] Re: Trojans and backdoors?
Michael Stauber
mstauber at blueonyx.it
Tue Apr 17 14:07:09 -05 2012
Hi Darren,
> Our BlueOnyx system seems to have been compromised by some sort of
> php-based Trojan which is allowing spammers to send spam through the
> webserver. We're having a hard time tracking it down to a particular
> virtual site, and shutting off php for all users is not an option -
> besides the people using WordPress and shopping carts, the SquirrelMail
> interface breaks when php is shut off.
Yeah, the logfiles are usually your best bet at finding this. Also check the
/tmp directory, as a lot of PHP-based exploits use a roundabout way to trick a
vulnerable PHP script into downloading some code from somewhere into /tmp/ and
then, during a second step, try to execute that code.
The date and time stamps of such suspicious files in /tmp may give an idea as
to when the attack happened, making it easier to find the right window of
action in the logfiles.
Another option that helps at preventing and finding such exploits is to enable
suPHP.
This is for two reasons: suPHP adds another layer of security which can help
to limit the effects of such exploits. But even if there is a blaring foul-up
in one of your PHP scripts that still allows undesired access, then the
exploited scripts run as the user who owns the scripts.
So the exploit files that the attackers managed to download to /tmp are owned
by the siteAdmin or owner of the script in question, which already directly
points you to the site in question. Additionally emails sent by those PHP
scripts show the owner of the script in the header of the emails, which again
makes finding the culprit a really easy task.
If you want me to take a look, then please email me offlist with the details
and I'll see what I can do.
--
With best regards
Michael Stauber
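The triage Michael describes, as an added example that is not part of the post or of the BlueOnyx project: list what sits in /tmp oldest first with its owner, then pull the Apache access-log lines around a suspicious file's mtime. It assumes a Linux box with GNU find and stat (for -printf and stat -c), a POSIX awk, and logs in Apache's combined format with its "[DD/Mon/YYYY:HH:MM:SS zone]" timestamp; the directory layout, file names, IP addresses and log lines in make_sample are constructed sample data, not anything observed on a real system.

```shell
#!/bin/sh
# Added example (not from the post or BlueOnyx): helpers for the /tmp dropper
# pattern. Assumes GNU find/stat and a POSIX awk; sample data below is constructed.
set -eu

# Regular files in DIR, oldest first, as "<epoch> <owner> <path>".
# Under suPHP the owner column is the siteAdmin whose script was exploited.
list_tmp_files() {
    find "$1" -maxdepth 1 -type f -printf '%T@ %u %p\n' | sort -n
}

# Owner of one file: the user the exploited script ran as under suPHP.
owner_of() {
    stat -c '%U' "$1"
}

# Apache log lines whose timestamp falls within [START, END]. Both bounds use the
# log's own "DD/Mon/YYYY:HH:MM:SS" form. Comparison is done on a YYYYMMDDHHMMSS
# key, so no gawk-only mktime() or GNU "date -d" is needed. Zones are ignored.
# Usage: log_window LOG START END
log_window() {
    awk -v start="$2" -v end="$3" '
    function key(ts,   p) {          # "17/Apr/2012:13:55:02" -> 20120417135502
        split(ts, p, "[/:]")
        return sprintf("%04d%02d%02d%02d%02d%02d", p[3], mon[p[2]], p[1], p[4], p[5], p[6])
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        re = "\\[[0-9][0-9]/[A-Za-z][A-Za-z][A-Za-z]/[0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
        lo = key(start) + 0; hi = key(end) + 0
    }
    match($0, re) {
        k = key(substr($0, RSTART + 1, RLENGTH - 1)) + 0
        if (k >= lo && k <= hi) print
    }' "$1"
}

# Constructed sample data: a fake /tmp holding an old session file and a newer
# dropped PHP file, plus an access log with one request at the dropper's mtime.
# Prints the sample directory; the caller removes it.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/tmp"
    : > "$d/tmp/sess_harmless"
    touch -t 201204100800 "$d/tmp/sess_harmless"
    printf 'constructed placeholder for a dropped PHP stage-two file\n' > "$d/tmp/.x.php"
    touch -t 201204171355 "$d/tmp/.x.php"
    cat > "$d/access_log" <<'EOF'
198.51.100.7 - - [17/Apr/2012:13:40:11 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2012:13:55:02 -0500] "POST /uploads/thumb.php HTTP/1.1" 200 43 "-" "curl/7.19"
203.0.113.9 - - [17/Apr/2012:15:02:30 -0500] "GET /squirrelmail/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

# Stand-alone run: on a real box, replace "$d/tmp" and "$d/access_log" with /tmp
# and the site's access log, and pick the window from the dropper's mtime.
demo() {
    d=$(make_sample)
    echo "== files in tmp, oldest first =="
    list_tmp_files "$d/tmp"
    echo "== owner of .x.php: $(owner_of "$d/tmp/.x.php") =="
    echo "== requests in the ten minutes around the dropper's mtime =="
    log_window "$d/access_log" "17/Apr/2012:13:50:00" "17/Apr/2012:14:00:00"
    rm -rf "$d"
}
demo
```

The window bounds are deliberately explicit rather than computed from the file's mtime, because on a shared hosting box the dropper's timestamp is only a hint: widen the range until the POST that created it shows up, then pivot on that client address and URL across the other virtual sites' logs.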