Find the source of malware?

Posted by Jud Stephenson on Server Fault See other posts from Server Fault or by Jud Stephenson
Published on 2010-06-08T00:02:06Z Indexed on 2010/06/08 0:12 UTC
Read the original article Hit count: 628

Filed under:
|
|
|

I have a server that was running an older version of lighttpd (1.4.19 on a freebsd 6.2-RELEASE (yea, old) machine) and google alerted me that it had found malware embedded on one of my server's pages. It just so happened to be our index page. I promptly removed the malware and started looking at server logs for how it got there. With no trace in any of the logs of the files being edited, I noticed that the index page's owner had been changed to www, which is the lighttpd user. I then concluded that some sort of veunerability must have existed for that software version and promptly upgraded to 1.4.26.

Now the malware is back. I have started some pretty verbose server logging with ftp, lighttpd, and all login attempts to try and see how this script is getting in. Are their any suggestions as to other approaches to take?

© Server Fault or respective owner

Related posts about security

Related posts about freebsd