
I am dealing with a troubling LAMP server which runs Apache 2.2, MySQL 5.1 and PHP 5.2.7 (runs as nobody), and most of its sites use vulnerable versions of known scripts such as Joomla, WordPress etc.

It's quite a silly approach - which is not in my hands - but since the sites are heavily customized in the core, updating their scripts to recent versions is not a solution for the customer, but I can't keep up this search and destroy mission forever. So, I am hoping to find a way to track newly created files and the source of them, like abc.php created by xyz.php.

I am sure that the first one is possible but not sure for the second one.

It'd be great if you can share your ideas on this matter.

P.S. : Since there are hundreds of sites, it's quite hard to change the configuration. Although it's the right solution, sadly it's not the solution that I am looking for.

Tim
  • Do you have root access to the system ? – user9517 Apr 09 '13 at 06:20
  • @Andrew I am afraid not, because I am asking about tracking files and their sources. It's the only thing I need. – Tim Apr 09 '13 at 06:30
  • @Iain yes, I have root access. – Tim Apr 09 '13 at 06:31
  • Thanks for the down vote without reading/understanding by the way. – Tim Apr 09 '13 at 06:32
  • Tim, I didn't downvote. But a downvote may be because the question isn't a good fit for the format of SF, or because it's off-topic, or because the environment it's describing is unlikely to be of general interest - e.g. because of restrictions in what can be done. It's not a comment on you as a person or your situation. – Jenny D Apr 09 '13 at 10:57
  • Related: http://security.stackexchange.com/questions/9234/server-compromised-for-2nd-time-cannot-locate-source-of-attack and http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ – Ladadadada Apr 09 '13 at 11:28

1 Answer


The front door is open in a blizzard, and you're stuck removing snow with tweezers.

There's really not a lot of point in cleanup when you can't actually secure the system. It's a complete waste of your time and effort.

File integrity monitoring tools can tell you what's changed, but unless you resolve the actual security holes, the malicious files will be right back in place as soon as you remove them.

Instead of this pointless struggle, you need better security mechanisms. If you can't update the code, then work to ensure that HTTP requests are safe with something like a web application firewall. Then fight to update the code some more.

But don't just plop a file integrity monitoring tool in place and clean up every time it alerts you - those tools are intended to make sure you don't have a security breach, not to show you how massive your breach is today. You know this system is compromised - get it to a state where it's not, first and foremost.

Shane Madden
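To show what "file integrity monitoring can tell you what's changed" looks like in practice for the webroot case asked about, here is an added example (not code from the answerer or from any FIM product) that baselines a directory by content hash and reports new and modified files, with web-executable files pulled out for triage. The `demo()` helper builds a constructed throwaway webroot under a temp directory; the real-world use is to store the baseline off-box and diff it on a schedule, which is what points you at the entry script instead of just the dropped file.

```python
import hashlib
import os
import tempfile

# Extensions an injected web shell or backdoor is most likely to use (assumption).
WATCHED_SUFFIXES = (".php", ".phtml", ".htaccess")


def snapshot(root):
    """Map each file under root to (sha256, mtime). Comparison below uses the
    hash only: mtime is trivially reset by touch(), so it is kept for reporting."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, os.stat(path).st_mtime)
    return state


def diff_snapshots(baseline, current):
    """Return sorted lists of added, modified (hash changed) and removed paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p][0] != baseline[p][0])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious(report):
    """Narrow the diff to files the web server would execute; these are the ones
    to read first, since a dropped script usually names the script that wrote it."""
    return [p for p in report["added"] + report["modified"]
            if p.endswith(WATCHED_SUFFIXES)]


def demo():
    # Constructed mini webroot: one core script and one static asset.
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';")
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG")
    baseline = snapshot(root)
    # Simulate what the question describes: a new .php appears and a core file is edited.
    with open(os.path.join(root, "images", "abc.php"), "w") as fh:
        fh.write("<?php /* constructed sample, not a real payload */")
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("\n// appended line")
    report = diff_snapshots(baseline, snapshot(root))
    return report, suspicious(report)
```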
  • The only security issue is related to running scripts, and I can't point to the vulnerable file from hundreds of thousands. That's why I need to find a way to track which file was created by what/who. Then I can work on that firewall. – Tim Apr 09 '13 at 06:29
  • @Tim - You really should take Shane's advice here. I know you think that you'll have success with a search and destroy strategy, but time and time again it has been proven that the most effective (both in terms of solving the issue and in terms of resources expended) way to resolve this is to [rebuild the server from backups in a secure manner](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server). If your clients are unwilling to do that you might want to seek new clients. –  Apr 09 '13 at 17:41