[TriLUG] cracked shared hosting: what to do?
Kevin Hunter Kesling
hunteke at earlham.edu
Wed Apr 17 12:43:25 EDT 2013
At 12:04pm -0400 Wed, 17 Apr 2013, Alan Porter wrote:
>> * The attacker is changing our .htaccess.
>
> Are you sure that the attacker does not have shell access? Can you
> find logs of SSH connections, console logins, or shell histories?
No, I'm not sure. All I can say is that nothing stands out immediately.
For instance, 'last <username>' only shows my logins, both before and
after an attack (i.e., modification of .htaccess and scripts put in
place), and the bare minimum of looking at the dot files (e.g.,
.bash_history) in $HOME does not show anything promising. Given the
classic multiuser nature of this host (I count roughly 500 /bin/bash
logins via /etc/passwd), I'm not able to look in the system logs.
I will note that the attacker/attack script attempts to cover its tracks
to casual inspection by touching the timestamp of the files it touches
to mimic other files in the same directory. But I don't know the full
lengths the attacking script goes to cover its tracks. Suffice it to say,
I've not yet had an "Aha!" moment.
Thanks,
Kevin
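A check that follows from the timestamp mimicry described in the message, added here as an example and not part of the original post or thread: `touch`/`utimes()` can copy a neighbour's atime and mtime, but the kernel sets ctime on every inode change and an unprivileged user cannot override it, so a file whose mtime is far older than its ctime has been written or re-timestamped more recently than it claims. The skew threshold and the demo directory are constructed for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path

# Hypothetical threshold (seconds): how far mtime may lag ctime before a
# file is reported. Ordinary edits set both to the same instant.
SKEW_SECONDS = 60


def backdated_files(root, skew=SKEW_SECONDS):
    """Walk `root` and return (relative path, mtime, ctime) for regular
    files whose mtime is more than `skew` seconds earlier than ctime.

    touch/utimes() can copy a neighbour's mtime, but the kernel rewrites
    ctime on every inode change (including that utimes call), so a file
    written recently and then backdated shows mtime << ctime. On Windows
    st_ctime is the creation time and this heuristic does not apply.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if st.st_ctime - st.st_mtime > skew:
                hits.append((os.path.relpath(path, root), st.st_mtime, st.st_ctime))
    return sorted(hits)


def build_demo_dir():
    """Constructed sample web root: one freshly written file left alone and
    one .htaccess written now but backdated a week with utime(), mimicking
    the tampering the post describes. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    Path(root, "index.html").write_text("<html>hello</html>\n")
    dropped = Path(root, ".htaccess")
    dropped.write_text("RewriteEngine On\n")  # constructed, benign content
    week_ago = dropped.stat().st_mtime - 7 * 86400
    os.utime(dropped, (week_ago, week_ago))  # backdates atime/mtime only
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for rel, mtime, ctime in backdated_files(target):
        print(f"{rel}: mtime {mtime:.0f} but ctime {ctime:.0f}")
```

A root-level attacker or a system clock change can defeat this, so treat a hit as a lead to examine against the web server and FTP logs, not as proof on its own.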