Koozali.org: home of the SME Server

Sending SPAM

Offline EdelingF

Re: Sending SPAM
« Reply #15 on: April 24, 2012, 08:29:07 PM »
Found something:

[root@server01 ~]# cd /opt
[root@server01 opt]# clamscan -r -i
LibClamAV Warning: ******************************************************
LibClamAV Warning: ***      Virus database timestamp in the future!   ***
LibClamAV Warning: ***  Please check the timezone and clock settings  ***
LibClamAV Warning: ******************************************************
/opt/auction/administrator/backups/backup_2012-02-05_19-52_www.argyleauctionrooms.co.uk-sql-nodrop.tar: PHP.Remoteadmin-1 FOUND
/opt/auction/wp-content/gallery/theme/argyle_3.php: PHP.IRCBot-4 FOUND
/opt/auction/wp-content/gallery/theme/argyle_1.php: PHP.Shell-22 FOUND
/opt/auction/wp-content/gallery/theme/thumbs.php: PHP.Bot-6 FOUND
/opt/CaC/wp-content/gallery/.i/xh: Linux.Rst.A FOUND

But, still scanning.....
...

Offline CharlieBrady

Re: Sending SPAM
« Reply #16 on: April 24, 2012, 08:51:57 PM »
Disable PHP, and don't enable it again until you have cleaned up all, and set correct directory and file permissions so that 'www' cannot modify code files.

Distrust anything which is writable by 'www'.

Never use 777 permissions.

Check for latest versions of all your applications.

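A check for the "writable by 'www'" and 777 advice above, written as an added example (not the thread's or the SME Server project's own code): it assumes the web-server account is named 'www' and defaults to the /opt tree scanned earlier in the thread; the upload/gallery directory names are assumptions to adjust for your applications.

```shell
#!/bin/sh
# Added example, not code from this thread or from the SME Server project.
# Audit a web root for what a compromised web-server process could change:
# files writable by the 'www' user or by everyone (the 777 case), and PHP
# files sitting in upload/gallery directories, where the thread's clamscan
# found PHP.Shell-22 and PHP.IRCBot-4 (under wp-content/gallery/theme/).
# Assumptions: the web-server account is named 'www'; the default root /opt
# matches the tree scanned in the thread; the directory names are examples.

WWW_USER="${WWW_USER:-www}"

# Print every path under $1 that is world-writable or owned/group-writable by
# the web-server user. Empty output means nothing matched.
find_www_writable() {
    root="$1"
    if id -u "$WWW_USER" >/dev/null 2>&1; then
        find "$root" \( -perm -o+w -o -user "$WWW_USER" \
            -o \( -group "$WWW_USER" -perm -g+w \) \) -print 2>/dev/null
    else
        # No such account on this host: keep only the world-writable check.
        find "$root" -perm -o+w -print 2>/dev/null
    fi
}

# Number of matches, for a quick pass/fail in cron jobs.
count_www_writable() {
    find_www_writable "$1" | wc -l | tr -d ' '
}

# PHP source under directories meant for uploaded content should not exist;
# a directory nested inside another matching one is reported twice.
find_php_in_upload_dirs() {
    find "$1" -type d \( -name uploads -o -name gallery -o -name cache \) \
        -exec find {} -type f \( -name '*.php' -o -name '*.phtml' \) -print \; \
        2>/dev/null
}

main() {
    root="${1:-/opt}"
    echo "== writable by $WWW_USER or by everyone under $root =="
    find_www_writable "$root"
    echo "== PHP files in upload/gallery/cache directories under $root =="
    find_php_in_upload_dirs "$root"
}

# Run the audit only when executed as a script, not when sourced.
case "$0" in *audit_webroot.sh) main "$@" ;; esac
```

Anything the first function lists is exactly what CharlieBrady says to distrust; fix ownership and modes (never 777) before re-enabling PHP.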
Offline EdelingF

Re: Sending SPAM
« Reply #17 on: April 24, 2012, 09:03:29 PM »
Stupid question, but how do I disable PHP?
...

Offline chris burnat

- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

Offline janet

Re: Sending SPAM
« Reply #19 on: April 25, 2012, 02:37:07 AM »
EdelingF
Quote: ...how do I disable PHP?

One way is:
config setprop php status disabled
signal-event post-upgrade
signal-event reboot

It may have ramifications on other things that rely on php, but it is only temporary while you clean up the infection etc.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline mmccarn

Re: Sending SPAM
« Reply #20 on: April 25, 2012, 02:21:16 PM »
I found this post from someone else who found "PHP.Shell-22" in his wordpress:
http://www.linuxquestions.org/questions/linux-security-4/server-hacked-i-think-i-fixed-it-but-not-sure-930346/

Also, I did do a nessus scan of all of the hostnames you emailed me, which only reported one "low severity" issue:

www.argyleauctionrooms.co.uk:
Synopsis:
Some CGIs are candidate for extended injection tests.

Description:
Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response.

The affected parameters are candidates for extended injection tests like cross-site scripting attacks.

This is not a weakness per se, the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.

Solution:
n/a

Risk Factor:
Low

Offline CharlieBrady

Re: Sending SPAM
« Reply #21 on: April 25, 2012, 03:42:05 PM »
Quote: I found this post from someone else who found "PHP.Shell-22" in his wordpress:
http://www.linuxquestions.org/questions/linux-security-4/server-hacked-i-think-i-fixed-it-but-not-sure-930346/

There's lots of excellent information there. It's highly likely that OP's problem is due to a poorly-configured wordpress installation (code files and directories writable by www user), plus multiple vulnerabilities within wordpress itself.