[BlueOnyx:10159] Re: Trojans and backdoors?

webmaster webmaster at oldcabin.net
Tue Apr 17 15:34:18 -05 2012

This one got me a while back.

I found this URL useful:

http://www.famousbloggers.net/youve-been-hacked.html

Once I got a handle on what happened I was able to clean it up and lock
things down.


> Hi Darren,
>
>> Our BlueOnyx system seems to have been compromised by some sort of
>> php-based Trojan which is allowing spammers to send spam through the
>> webserver. We're having a hard time tracking it down to a particular
>> virtual site, and shutting off php for all users is not an option -
>> besides the people using WordPress and shopping carts, the SquirrelMail
>> interface breaks when php is shut off.
> Yeah, the logfiles are usually your best bet at finding this. Also check the
> /tmp directory, as a lot of PHP based exploits use a roundabout way to trick a
> vulnerable PHP script into downloading some code from somewhere into /tmp/ and
> then during a second step try to execute that code.
>
> The date and time stamps of such suspicious files in /tmp may give an idea as
> of when the attack happened, making it easier to find the right window of
> action in the logfiles.
>
> Another option that helps at preventing and finding such exploits is to enable
> suPHP.
>
> This is for two reasons: suPHP adds another layer of security which can help
> to limit the effects of such exploits. But even if there is a blaring foul up
> in one of your PHP scripts that still allows undesired access, then the
> exploited scripts run as the user who owns the scripts.
>
> So the exploit files that the attackers managed to download to /tmp are owned
> by the siteAdmin or owner of the script in question, which already directly
> points you to the site in question. Additionally emails sent by those PHP
> scripts show the owner of the script in the header of the emails, which again
> makes finding the culprit a really easy task.
>
> If you want me to take a look, then please email me offlist with the details
> and I'll see what I can do.
>
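The reply's advice, as an added example that is not code from the list post: list the files in a /tmp-style directory with their owner uid and modification time, then pull the PHP requests from an Apache-style access log that fall within a window around a file's mtime. Paths, log lines and the drop time below are constructed sample data, not taken from any real system.

```python
import os
import re
import stat
import tempfile
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: client, [timestamp], request line, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def tmp_drop_times(tmp_dir):
    """Regular files in tmp_dir as (path, owner_uid, mtime in UTC).
    With suPHP the uid points at the site owner; the mtime bounds the log search."""
    out = []
    for name in sorted(os.listdir(tmp_dir)):
        path = os.path.join(tmp_dir, name)
        st = os.lstat(path)  # lstat: never follow a planted symlink
        if stat.S_ISREG(st.st_mode):
            out.append((path, st.st_uid,
                        datetime.fromtimestamp(st.st_mtime, timezone.utc)))
    return out

def php_requests_near(log_lines, when, window=timedelta(minutes=10)):
    """(timestamp, client, path, status) for PHP requests logged within
    +/- window of `when`: the candidates for the script that dropped the file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), TS_FMT)
        if abs(ts - when) <= window and ".php" in m.group(3):
            hits.append((ts, m.group(1), m.group(3), m.group(4)))
    return hits

# Constructed sample data (assumed, not from the post): one dropped file in a
# scratch directory standing in for /tmp, and four access-log lines around it.
DROP_TIME = datetime(2012, 4, 15, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Apr/2012:03:05:41 +0000] "GET /about.html HTTP/1.1" 200 2210',
    '198.51.100.7 - - [15/Apr/2012:03:11:52 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 318',
    '198.51.100.7 - - [15/Apr/2012:03:12:03 +0000] "GET /wp-content/uploads/x.php?c=1 HTTP/1.1" 200 42',
    '192.0.2.20 - - [15/Apr/2012:09:40:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

def build_sample_tmp():
    """Create the scratch dir with one file backdated to DROP_TIME."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "sess_dropped")
    with open(path, "w") as f:
        f.write("placeholder\n")  # constructed content, not a payload
    os.utime(path, (DROP_TIME.timestamp(), DROP_TIME.timestamp()))
    return d
```

Run on a real box, point `tmp_drop_times` at /tmp and feed the site's access_log lines to `php_requests_near` with each suspicious file's mtime.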