Fedora phishing hacked

I am having security problems on a web server hosted on Fedora 7 and
cannot for the life of me figure out how they are getting into my

The hacker creates a directory named " " (space) and puts 3 files in
there, an inde.php script and two images. The PHP script simply
redirects to their server where the phishing page is actually located.
All 3 files are created by the root user and have the +i attribute

I have checked the php.ini config for vulnerabilities and followed
dozens of "how to secure your PHP installation" guides. I have also
checked the Apache logs but don't see anything suspicious.

Is there a tool that will tell me if I have open ports or
vulnerabilities in the versions I am running? How can I trace the
hacker's footsteps?


Re: Fedora phishing hacked

asismorodo wrote:

To check for open ports use netstat or lsof (from inside the server) or nmap
(from outside the server).

Maybe CVE: http://cve.mitre.org/
Note that the intruders may be using an unreported vulnerability.

(Crackers, not hackers.)

Without more details on your setup it is difficult to give more than general
advice, and you have probably already done these, but here they are anyway.

- If the cracker keeps getting in then you may have a root kit in your
system. Use rkhunter and chkrootkit to check for the presence of a root kit.

- Do you have an intrusion detection system installed? Check for system

- Use the package manager to check the packages' integrity.

- Check the logs, in particular /var/log/auth.log and HTTP logs.

Note that any/all files in your system may have been compromised. Your logs
may have been altered, security related binaries may have been altered, the
kernel may have been altered, kernel modules may have been altered, etc.

Because of this, a proper security analysis can't be done on a live
system. Either you clone the system and do an offline analysis on the clone,
or you take the system offline and use another system (e.g. a Live CD) to do
the analysis.
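
The checks mentioned in this thread (the " " directory, the +i attribute, package integrity), written as a triage script to run from a separate system against a mounted clone of the disk. This is an added example, not part of any post; the mount point argument and the var/www web-root path are assumptions.

```shell
#!/bin/sh
# Added example: offline triage of a mounted clone of the compromised host.
# Assumptions: the clone is mounted read-only at the absolute path passed
# as $1, and the web root lives under var/www inside it (hypothetical).

# Directories whose names contain only whitespace, such as the " "
# directory from the first post: no non-space character in the name.
find_blank_dirs() {
    find "$1" -type d ! -name '*[![:space:]]*' -print
}

# Files carrying the immutable (+i) attribute. lsattr -R also prints
# "dir:" header lines and blanks, so keep only lines whose first field is
# an attribute string, drop the "." and ".." entries that -a adds, and
# strip the attribute field so spaces in paths survive.
find_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -R -a "$1" 2>/dev/null |
        awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /i/ && NF >= 2 && $0 !~ /\/\.\.?$/ {
                 sub(/^[^ ]+ /, ""); print }'
}

# Package integrity against the image's own RPM database. That database
# sits on the compromised disk, so a clean result is only weak evidence.
verify_packages() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -Va --root "$1" 2>/dev/null
}

# Run the three checks only when a mount point is given on the command line.
if [ -n "${1:-}" ]; then
    echo "== whitespace-only directories under $1/var/www"
    find_blank_dirs "$1/var/www"
    echo "== immutable files under $1/var/www"
    find_immutable "$1/var/www"
    echo "== files that differ from the RPM database"
    verify_packages "$1"
fi
```
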


Re: Fedora phishing hacked

You are now six major releases behind the Fedora leading edge, and
Fedora 7 is now obsoleted. Good luck keeping that up to date: It's
time to replace the system with a clean new install.

What you do depends on what you want to accomplish. Certainly
reporting the phishing site to the ISP that hosts the sites might help
slow them down, and also might help get the police on their tail. But
to stop the abuse now, you need to back that machine up, make a
complete image of it, and do a complete replacement with a newer OS,
ideally Fedora 13. Fedora is years old: