httpd-users mailing list archives

From "Tom Ray [Lists]" <>
Subject [users@httpd] I believe I've been compromised.
Date Wed, 06 Sep 2006 04:31:31 GMT
I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday 
I'm seeing a ton of files created in spots they should be. All created 
by wwwrun (the webserver). I'm finding PHP scripts that are blatantly 
commented with hacker code, _vti_ directories in sites and this server 
doesn't have FP running on it. Cron jobs owned by wwwrun created and I 
can see my machine connected to a strange IP on port 22 which is telling 
me that my machine has opened an ssh connection with their server.

I'm seeing files that execute PHP Shell 1.7 which allows them to execute 
commands via a form.

Has anyone ever run into this kind of problem? I've never really been 
hacked like this before and I keep thinking I have it cleaned up but it 
doesn't appear that way. One script had this in it: Powered By 

I know this may be a bit OT but any thoughts or suggestions would be 
greatly helpful and appreciated.


The official User-To-User support forum of the Apache HTTP Server Project.