RE: [cobalt-users] Hackers are coming through PHP/PHPnuke
- Subject: RE: [cobalt-users] Hackers are coming through PHP/PHPnuke
- From: "Ligard, Vidar" <vligard@xxxxxxxxx>
- Date: Fri Dec 5 09:57:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> One of our Cobalt RaQ4r servers, where the sites
> are mostly developed with php/phpnuke, is being hacked
> again and again. We recently re-installed the OS and everything
> from scratch. But again these hackers hacked a few sites
> yesterday...
>
> They are entering as *httpd* user. Can anyone
> suggest what patches we need to put in for
> phpnuke/php.... These hackers seem to be entering through
> these two culprits only and changing the index.html/.htm/.php
> files and putting their one line of code in these files, which is
> showing that they have
> hacked the site.. Our php version is *PHP 4.3.4* and
> phpnuke 6.5 but
> a few sites are 6.9
>
There are basically three ways I can think of that they could be coming in.
1. If there are any services/applications not patched up, like an older version of Apache installed, etc.
2. You can be all patched up, and it is still possible to leave holes open in your applications. If you have any cgi, asp, php or any other server-side scripts enabled, these may introduce vulnerabilities if they are not written correctly. Scripts _especially_ vulnerable are those that allow you to upload anything to the server.
3. Compromised passwords. If you are using ftp to change your sites, passwords and usernames are being transmitted in the open across the internet. If you know they are coming in as httpd, this is likely not the source - although it is possible they are changing the owner of the files to httpd to make you think they came in as httpd. I would definitely change your password(s) to eliminate this one.
I would look at the timestamps of all the files that are changed, or try to find out when the compromise happened. Then go through log files and see if you can find anything suspicious around the time of compromise.
Hopefully this gives you some ideas of where to look.
Vidar
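As an added illustration of the approach in the reply above (find the modification times of the defaced files, then read the web-server log around that window), here is a small POSIX shell script. It is example code written for this archive page, not something posted in the thread or shipped by Sun Cobalt. The document root, file names, client addresses and access-log lines are all constructed for the demo; the log lines follow the Apache combined format, and on a real RaQ the paths would be the site's web directory and its access_log.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate recently modified
# web files with access-log entries from the same time window.
set -eu

# list_recent_files DIR MINUTES
#   Print regular files under DIR whose mtime is within the last MINUTES
#   minutes. A defacement of index.html/index.php leaves a fresh mtime.
list_recent_files() {
    dir=$1; minutes=$2
    find "$dir" -type f -mmin "-$minutes" | sort
}

# requests_in_window LOG TIMESTAMP_PREFIX
#   Print access-log lines whose bracketed timestamp begins with
#   TIMESTAMP_PREFIX, e.g. "05/Dec/2003:09" for the hour of the change.
requests_in_window() {
    log=$1; prefix=$2
    grep -F "[$prefix" "$log" || true
}

# post_requests_by_client LOG TIMESTAMP_PREFIX
#   Within that window, count non-GET requests (POST etc.) per client.
#   In the combined log format the method is field 6, as in "\"POST".
#   A burst of POSTs to a PHP script just before the files changed is
#   the kind of entry worth reading closely.
post_requests_by_client() {
    requests_in_window "$1" "$2" \
        | awk '$6 != "\"GET" {print $1}' | sort | uniq -c | sort -rn
}

# ---- constructed demo data (hypothetical paths and addresses) ----
demo=$(mktemp -d)
webroot=$demo/web
mkdir -p "$webroot/site1" "$webroot/site2"
printf '<html>ok</html>\n' > "$webroot/site1/index.html"
printf '<html>ok</html>\n' > "$webroot/site2/index.php"
# Make one file look untouched since long before the incident.
touch -t 200311010000 "$webroot/site1/index.html"

access_log=$demo/access_log
cat > "$access_log" <<'EOF'
192.0.2.10 - - [05/Dec/2003:08:12:40 -0800] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Dec/2003:09:55:12 -0800] "GET /modules.php?name=News HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Dec/2003:09:56:02 -0800] "POST /modules.php HTTP/1.0" 200 310 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Dec/2003:09:56:40 -0800] "POST /modules.php HTTP/1.0" 200 120 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Dec/2003:09:58:11 -0800] "GET /index.php HTTP/1.0" 200 44 "-" "Mozilla/4.0"
EOF

# Usage on the demo data: files changed in the last hour, then the log
# entries and non-GET clients for the hour in which they changed.
echo "Recently modified files:"
list_recent_files "$webroot" 60
echo "Requests in window 05/Dec/2003:09:"
requests_in_window "$access_log" "05/Dec/2003:09"
echo "Non-GET requests per client in that window:"
post_requests_by_client "$access_log" "05/Dec/2003:09"
```

On a live server you would pass the real document root and access log, and choose the minutes argument from the mtime of the earliest defaced file; `-mmin` is accepted by both GNU and BSD find. Because the attacker wrote as the httpd user, the web log is the most likely place to see the request that did it, which is why the script narrows to the hour of the change before summarising by client.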