Malicious script found on one node
Posted: Fri Jan 20, 2017 9:18 am
Hello there,
So, I have terminated a user today due to the fact that he/she ran a malicious PHP/trojan script on one of my VestaCP nodes. This user was able to create a symbolic link under his public_html with the following syntax:

/home/stzztk/web/st4zz.tk/public_html/dm/    <-- Be aware of such unregistered domain

ls -la /home/stzztk/web/st4zz.tk/public_html/dm/
total 12
drwxr-xr-x  2 stzztk stzztk 4096 Feb 19  2016 .
drwxr-xr-x 10 stzztk stzztk 4096 Feb 19  2016 ..
-rw-r--r--  1 stzztk stzztk  228 Feb 19  2016 .htaccess
lrwxrwxrwx  1 stzztk stzztk    1 Sep  4 18:30 dm.txt -> /

He was able to see the folder structure on that node (but not able to view the content of each config file or DB file).

The scripts I found while going through the Apache logs were http://pastebin.com/wJNXHprE and http://pastebin.com/raw/5S87iwwV; however, I wasn't able to reproduce it on my own to understand how this works.

Has any of you experienced this before?

As far as I was able to investigate/determine, he/she was only able to view the root directory structure but not each file's content. Would there be a high security risk that I'm missing here?

Any advice would be greatly appreciated!
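An added check (not from the original post or VestaCP) that an admin could run over an account to find links like the dm.txt -> / above: it lists every symlink under a home directory whose resolved target lies outside that home, and separately flags .htaccess files that enable Apache's FollowSymLinks, since Apache only follows a link like this when that option (rather than SymLinksIfOwnerMatch) is in effect. The home path is an assumed argument; the directory tree used in the test is constructed.

```shell
#!/bin/sh
# Constructed example, not the forum's or VestaCP's own code.
# escaping_symlinks <home_dir>
#   Prints "link -> target" for every symlink under <home_dir> whose
#   fully resolved target is outside <home_dir> (e.g. dm.txt -> /).
escaping_symlinks() {
    home=$(cd "$1" && pwd -P) || return 1
    find "$home" -type l 2>/dev/null | while IFS= read -r link; do
        # readlink -f resolves the whole chain to a canonical path
        target=$(readlink -f -- "$link") || continue
        case "$target" in
            "$home"|"$home"/*) ;;                    # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# followsymlinks_htaccess <home_dir>
#   Prints each .htaccess under <home_dir> that contains an Options line
#   turning on FollowSymLinks (SymLinksIfOwnerMatch does not match and
#   would have refused a user-owned link pointing at root-owned /).
followsymlinks_htaccess() {
    home=$(cd "$1" && pwd -P) || return 1
    find "$home" -type f -name .htaccess 2>/dev/null \
        | while IFS= read -r f; do
            grep -Eiq '^[[:space:]]*Options[^#]*FollowSymLinks' -- "$f" \
                && printf '%s\n' "$f"
          done
}
```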