

Worm attack, how can I find and fix the holes




Posted by Ikaros, 01-19-2010, 08:41 AM
So my server got attacked once. The worm or whatever it was targeted my most trafficked site on the server and injected some eval PHP code that was printing malicious JavaScript code. So I changed the FTP password and root password after cleaning up all files from the injected PHP code and script code.

After about 3 days I got attacked again. Now it made a bit fewer changes to the scripts but added two extra PHP files with the malicious code in every site's directory. So I guess it was already in and hidden somewhere.

At the bottom are the only helpful logs I can find related to the files and the attacker (217.23.121.82). From the files mentioned in the logs: default.php, /static/logo.php, /static/old/logo.php and news.php were created by the worm, all the rest are mine.

I added the IP to iptables DROP but that's not a fix. Can anyone help me? Thanks

My info:
Linux CentOS 5.4
Kernel: 2.6.18-128.1.10.el5
cPanel 11.24.5-S38506 - WHM 11.24.2 - X 3.9

I also had CSF installed from before and have just installed ClamAV.

Thanks in advance
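
Added example, not part of the original post: one way to narrow down the entry point is to list what the attacker IP requested before it first touched a worm-created file. It assumes Apache "combined" access logs; the sample lines are constructed and the /gallery/ paths are hypothetical.

```python
import re
from datetime import datetime

# Assumption: Apache "combined" access-log format.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Files the post says the worm created.
DROPPED = ("default.php", "/static/logo.php", "/static/old/logo.php", "news.php")

# Constructed sample lines; the /gallery/ paths are hypothetical.
SAMPLE_LOG = [
    '203.0.113.9 - - [18/Jan/2010:10:01:12 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '217.23.121.82 - - [18/Jan/2010:10:02:40 +0200] "GET /gallery/view.php?id=3 HTTP/1.1" 200 2048 "-" "-"',
    '217.23.121.82 - - [18/Jan/2010:10:02:44 +0200] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "-"',
    '217.23.121.82 - - [18/Jan/2010:10:02:51 +0200] "GET /static/logo.php HTTP/1.1" 200 17 "-" "-"',
    '217.23.121.82 - - [18/Jan/2010:10:03:05 +0200] "POST /news.php HTTP/1.1" 200 17 "-" "-"',
]

def parse(lines):
    """Yield (ip, time, method, path-without-query, status) for each parsable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def is_dropped(path):
    """True if the path is one of the worm-created files, in any site directory."""
    return any(path.endswith("/" + name.lstrip("/")) for name in DROPPED)

def entry_point_candidates(lines, attacker_ip):
    """Requests from attacker_ip to the site's own files, made before that IP
    first requested a worm-created file. POSTs here deserve the closest look."""
    hits = sorted((r for r in parse(lines) if r[0] == attacker_ip), key=lambda r: r[1])
    first_drop = next((ts for _, ts, _, path, _ in hits if is_dropped(path)), None)
    return [(ts.isoformat(), method, path, status)
            for _, ts, method, path, status in hits
            if not is_dropped(path) and (first_drop is None or ts < first_drop)]

if __name__ == "__main__":
    for row in entry_point_candidates(SAMPLE_LOG, "217.23.121.82"):
        print(*row)
```

Blocking one address does not show whether other addresses used the same script, so the scripts this surfaces are worth searching for across all client IPs in the same logs.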


