Linux server hack or maybe not a hack?

kitkat+ (Senior Member, joined Apr 2, 2017, 679 messages, 70 reaction score)
Hi Guys

I have a CentOS 8 server (I know it's EOL), running Apache and PHP. The app running on it is using the CodeIgniter framework.

I had the <title> tag of template.php changed to a "hacked" message. Which log files would give me an indication of when this happened?

I also have a suspicion that it might not be an external hack, but possibly someone internal with access to the server changing the file. Is there a way to confirm this?

Thanks
Kitty
 
First is to check the date/time of when the file was changed.
Then check the syslog / SSH logs for a matching time. This will give you an IP address so you can work out if it's internal or external.

If the IP is internal then it could be from an external hack, but they connected to another internal server. If it's external then this is even more worrying - what else was changed on the server? A backdoor could have been installed.

Save all logs now before anything is overwritten.
Check the firewall logs on the internet facing firewall to match connections to the date/time.

Are the internet facing servers in a DMZ? Are they hardened?

Who all knows the root password to the server? Do you allow remote root access? If yes, then disable this.
Check if any new user accounts were created.
Change all passwords on the server.

Lastly, why why why are you running EOL software on an internet-facing web server? Chances are high it's an old vulnerability that was exploited.
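As an added example (not code from this thread), here is a small Python triage helper for the steps above: it takes the file's change time and pulls the sshd logins from /var/log/secure (the auth log on CentOS) that fall within a window around it, tagging each source IP as internal (RFC 1918) or external. The log lines, hostname and change time below are constructed; on the real server you would call file_change_time() on the actual template.php and read the actual log, and note that it uses the inode ctime rather than mtime because mtime can be reset with touch while ctime is always stamped by the kernel.

```python
import ipaddress
import os
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure lines (syslog format, which carries no year).
SAMPLE_SECURE = """\
Mar  3 09:12:41 web01 sshd[2231]: Accepted publickey for deploy from 10.0.1.15 port 52110 ssh2
Mar  3 14:02:07 web01 sshd[4410]: Failed password for root from 203.0.113.45 port 41122 ssh2
Mar  3 14:03:19 web01 sshd[4412]: Accepted password for root from 203.0.113.45 port 41130 ssh2
Mar  3 18:30:02 web01 sshd[5102]: Accepted publickey for deploy from 10.0.1.15 port 52988 ssh2
"""
# Constructed file change time and search window (+/- 30 minutes around it).
SAMPLE_CHANGE_TIME = datetime(2024, 3, 3, 14, 10, 0)
SAMPLE_WINDOW = timedelta(minutes=30)

SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)
# "Internal" here means RFC 1918 space; add your own public ranges if you have any.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def file_change_time(path: str) -> datetime:
    """Use ctime, not mtime: mtime can be reset with touch, ctime is set by the kernel."""
    return datetime.fromtimestamp(os.stat(path).st_ctime)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def logins_near(log_text: str, change_time: datetime, window: timedelta) -> list[dict]:
    """Return successful sshd logins within +/- window of change_time, oldest first."""
    hits = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPTED.match(line)
        if not m:
            continue
        # syslog timestamps have no year, so borrow it from the file's change time
        when = datetime.strptime(f"{change_time.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if abs(when - change_time) <= window:
            hits.append({"time": when, "user": m["user"], "method": m["method"],
                         "ip": m["ip"], "scope": "internal" if is_internal(m["ip"]) else "external"})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    # On the real box: changed = file_change_time("/var/www/.../template.php")
    for hit in logins_near(SAMPLE_SECURE, SAMPLE_CHANGE_TIME, SAMPLE_WINDOW):
        print(f"{hit['time']:%b %d %H:%M:%S} {hit['user']:8} {hit['method']:10} {hit['ip']:16} {hit['scope']}")
```

With the constructed data only the 14:03:19 root login from an external address lands in the window, which is the kind of match that answers the internal-versus-external question; widen the window to see the earlier and later internal logins as well.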
 
If you're running EOL server software then you're likely running an outdated version of CodeIgniter, which has known vulnerabilities.

Not really sure why you would want to continue to run the old software, but hey, check /var/logs/apache2 and /var/logs/php.log; with some time, and given that you actually have logs enabled, you should be able to pick up on the script that is being exploited.
 