 URL Injection or Root Kit Detection on your Linux Server
Solution NOTES:

A URL injection attack typically means that the server to which the attacker's IP address is bound is itself a compromised server.

Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron. Please use "ls -lab" when checking these directories, as compromised servers sometimes have hidden files that a regular "ls" will not show.

Please also check the process tree (ps -efl or ps -auwx) for suspicious processes; the malware or hack often pretends to be an Apache process.

The Clam AntiVirus scanner, clamscan, can also be used with the "--infected" and "--recursive" options to find commonly used PHP and Perl-based hacks, including various PHP shells, on a server.

You may also want to use rootkit detection tools such as http://www.chkrootkit.org/, http://www.rootkit.nl/, and http://www.ossec.net/en/rootcheck.html. These should be used in addition to checking the directories and process tree.
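
The directory, process and clamscan checks above can be scripted so the triage is repeatable. This is an added example, not part of the original article; the function names and the list of expected Apache binary paths are assumptions to adjust for your distribution.

```shell
#!/bin/sh
# Added triage sketch. Directory list is taken from the article above.
SUSPECT_DIRS="/tmp /var/tmp /dev/shm /var/spool/samba /var/spool/vbox /var/spool/squid /var/spool/cron"

# Print hidden entries (dot-names, which plain "ls" omits) and executable
# regular files under the given directories. Hits need review: some dot
# entries in /tmp (for example X11 sockets) are legitimate.
find_suspect_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -mindepth 1 \( -name '.*' -o \( -type f -perm -100 \) \) -print 2>/dev/null
    done
}

# Return 0 (suspicious) when a process calls itself apache/httpd but the
# binary it actually runs is not an expected web server path.
# $1 = claimed name (argv[0]), $2 = target of /proc/PID/exe.
# The expected paths below are assumptions; a "(deleted)" suffix is also flagged.
is_masquerade() {
    case "$1" in
        *httpd*|*apache*) ;;
        *) return 1 ;;
    esac
    case "$2" in
        /usr/sbin/httpd|/usr/sbin/apache2|/usr/local/apache*/bin/httpd) return 1 ;;
        *) return 0 ;;
    esac
}

# Compare each process's claimed name with its real executable (run as root).
scan_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        name=$(tr '\0' ' ' 2>/dev/null < "$p/cmdline" | cut -d' ' -f1)
        if is_masquerade "$name" "$exe"; then
            echo "PID ${p#/proc/}: claims '$name' but runs $exe"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    find_suspect_files $SUSPECT_DIRS
    scan_processes
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --infected --recursive $SUSPECT_DIRS
    fi
fi
```

Run it as root with the `--scan` argument; without it the script only defines the functions.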

### EOF NOTES ###

Please take appropriate action to stop these attacks from happening.

Thank you very much for your time.

________________________________________________

Support and Customer Care Department
IH Systems Inc.
Helping companies do business on the Net
10 N Martingale Rd
Schaumburg, IL 60173
Web: http://www.ihsystem.com



Article Details
Article ID: 59
Created On: 20 Feb 2010 05:33 PM

Copyright 2008 IH Systems Inc. All rights reserved
