NYCPHP Meetup

NYPHP.org

[nycphp-talk] Issues with server getting hacked

Ajai Khattri ajai at bitblit.net
Fri Sep 11 16:11:29 EDT 2009


On Fri, 11 Sep 2009, Randal Rust wrote:

> That's what I was thinking actually. There has to be something
> *somewhere* that would give me an indication of where the issue lies.

Finding the source of a break-in like this can be notoriously difficult. 
Much better to wipe the drive and reinstall using the latest OS and 
software that can run your app (because you have no idea if any system 
binaries have been replaced with trojans).

If the break-in is through an OS vulnerability then keeping it up to date 
will help. Obviously, if it happens again with an up-to-date OS, then it's 
possible it's a vulnerability in PHP and/or your application code (in which 
case looking at POST requests in logs might help).

I once had an old server that had an IRC process running disguised as a 
regular Apache process. I only figured it out by observing open port 
numbers using netstat and finding the process with lsof. In the end I 
narrowed the problem down to an old component in a Joomla install that 
had a known vulnerability - updating that component fixed the problem.

But servers are constantly fending off brute-force SSH attacks (denyhosts 
is your friend for that kind of crap). These days I switch off all 
unnecessary services and make sure needed services are not exposed to the 
outside (MySQL listening on localhost, Postfix too if it's just used for 
sending out, etc). On many systems this might mean running a firewall 
with a very locked down configuration (protocol tracking is also my 
friend).


-- 
Aj.
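As an added triage example (not code from Aj's post or from the list), the netstat-based checks described above turned into a small POSIX shell script: it flags listeners bound to non-loopback addresses outside an allowlist (the MySQL-on-localhost point) and web-server processes that have opened connections of their own (the disguised IRC process). The netstat output is constructed, and the port allowlist and the apache/httpd name pattern are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run netstat as root on a live
# host, otherwise PID/Program is blank for sockets owned by other users.

# Constructed sample standing in for `netstat -tnp`. Two lines are deliberately
# wrong: MySQL bound to 0.0.0.0 instead of 127.0.0.1, and an "apache2" process
# holding its own connection out to port 6667.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      930/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1001/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 10.0.0.5:80             203.0.113.9:51844       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:41022          198.51.100.7:6667       ESTABLISHED 2210/apache2'

# Assumed allowlist of ports that may face the outside; adjust per host.
ALLOWED_PUBLIC_PORTS="22 80 443"

# exposed_listeners NETSTAT_OUTPUT
# Prints "port pid/program" for each LISTEN socket bound to a non-loopback
# address whose port is not in ALLOWED_PUBLIC_PORTS.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow="$ALLOWED_PUBLIC_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            n = split($4, l, ":"); addr = l[1]; port = l[n]
            if (addr != "127.0.0.1" && addr != "::1" && !(port in ok))
                print port, $7
        }'
}

# web_outbound NETSTAT_OUTPUT
# Prints "pid/program -> remote" for ESTABLISHED sockets owned by a process
# named like the web server whose *local* port is not a served port: inbound
# clients land on 80/443, so anything else is the "web server" connecting
# out itself. Legitimate outbound calls from PHP (APIs, SMTP) also show up
# here and must be recognised by hand.
web_outbound() {
    printf '%s\n' "$1" | awk '
        $6 == "ESTABLISHED" && $7 ~ /(apache|httpd)/ {
            n = split($4, l, ":"); lport = l[n]
            if (lport != "80" && lport != "443") print $7, "->", $5
        }'
}

# Stand-alone run over the constructed sample. On a live host replace
# SAMPLE_NETSTAT with "$(netstat -tnp 2>/dev/null)".
echo "listening outside loopback, not in allowlist:"; exposed_listeners "$SAMPLE_NETSTAT"
echo "web server processes with their own outbound connections:"; web_outbound "$SAMPLE_NETSTAT"
```

`ss -tnp` gives the same information on newer systems but with different columns, so the awk field numbers would need adjusting.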
