Malicious script found on one node
Malicious script found on one node
Hello there,
So, I have terminated an user today due to the fact that he/she ran a malicious php/trojan script on one of my vestacp nodes, this said user was able to create a symbolik link under his public_html with the following syntax:
<-- Be aware of such unregistered domain
He was able to see the folders structure on that node (But not able to view the content of each config file or db files)
The scripts I found while going through the apache logs were: http://pastebin.com/wJNXHprE and http://pastebin.com/raw/5S87iwwV however I wasn't able to reproduce it on my own to understand how this works
Has any of you experienced this before?
As far as I was able to investigate/determine, he/she was only able to view the root directory sctructure but not each files content, would there be high security risk that I'm missing here?
Any advice would be greatly appreciated!
So, I have terminated an user today due to the fact that he/she ran a malicious php/trojan script on one of my vestacp nodes, this said user was able to create a symbolik link under his public_html with the following syntax:
Code: Select all
/home/stzztk/web/st4zz.tk/public_html/dm/Code: Select all
ls -la /home/stzztk/web/st4zz.tk/public_html/dm/
total 12
drwxr-xr-x 2 stzztk stzztk 4096 Feb 19 2016 .
drwxr-xr-x 10 stzztk stzztk 4096 Feb 19 2016 ..
-rw-r--r-- 1 stzztk stzztk 228 Feb 19 2016 .htaccess
lrwxrwxrwx 1 stzztk stzztk 1 Sep 4 18:30 dm.txt -> /The scripts I found while going through the apache logs were: http://pastebin.com/wJNXHprE and http://pastebin.com/raw/5S87iwwV however I wasn't able to reproduce it on my own to understand how this works
Has any of you experienced this before?
As far as I was able to investigate/determine, he/she was only able to view the root directory sctructure but not each files content, would there be high security risk that I'm missing here?
Any advice would be greatly appreciated!
-
mehargags
- Support team
- Posts: 1096
- Joined: Sat Sep 06, 2014 9:58 pm
- Contact:
- Os: Debian 8x
- Web: apache + nginx
Re: Malicious script found on one node
pretty common to have a php-shell trojan script these days if you run an outdated Wordpress or use shady, not verified plugins. These scripts are backdoor-agents and open a remote host forming a bridge for the attacker and then shell commands are passed through it.
Maldet your whole server and also make sure to check other websites of the same VestaCP user, the shell access "crawls" through the file system and replicates itself with various names: backup.php/article.php/email.php or similar. Please double check your basedir setting, Newer VestaCP restricts every site to its own public_html, the older sites configured have access to "user" dir.
You can also upload site's zip (without images) to virustotal.com and scan it for any malicious inclusions.
Maldet your whole server and also make sure to check other websites of the same VestaCP user, the shell access "crawls" through the file system and replicates itself with various names: backup.php/article.php/email.php or similar. Please double check your basedir setting, Newer VestaCP restricts every site to its own public_html, the older sites configured have access to "user" dir.
You can also upload site's zip (without images) to virustotal.com and scan it for any malicious inclusions.