
I have 3 servers working as a proxy load balancer. Someone has gained access to them and is somehow creating an index.html in my webroot containing advertisements, and an iframe in my main index.php file.

I'm not sure how they are doing this, because even if I delete the index.html file across all of the servers, I can return half a day later to see that it has been done again.

I noticed that there was a web shell script on the server and deleted it. I also changed sshd_config so that only one user is able to login and all other accounts can't. Somehow they are still accessing the servers and making these changes. History doesn't show anything.

I need to get this resolved ASAP.

Can anyone make any suggestions?

Thanks!

  • Once an attacker has gained access to your system, the only certain way to get a clean system is to restore it from backups. There are simply too many ways for the attacker to hide backdoors. – Tero Kilkanen Sep 28 '17 at 08:47

1 Answer


It's very likely the attacker has created some form of backdoor to regain access to your system. In what ways can your server be accessed? SSH would be the most obvious way, so check access logs for anything that looks strange. Check if any accounts have been created. Also check the crontabs for all users, in case something is running that reopens the door for the attacker. Any init script or bootup procedure could also potentially contain harmful stuff.

There's plenty more good advice about things to check in the links and possible duplicate comments posted. If you can't find any trace or explanation, one possibility is that the attacker has gained root access and is able to cover their tracks in a much more effective manner.

At the end of the day, while you can and should certainly try to find out how your servers were compromised (if you have password access to SSH enabled and reachable from the Internet, brute-forcing the password is a fair guess), it's probably going to be hard to ever be 100% certain again that they are clean. Therefore I would personally aim to replace the affected systems as soon as possible, either by restoring backups from sufficiently far back, or by reprovisioning the servers from scratch.

– anlag
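The checks the answer lists (SSH access logs, newly created accounts, every user's crontab, init and boot scripts), as an added shell example written for this page; it is not code from the question, the answer or any project. The sshd log lines, /etc/passwd entries, hostnames and addresses are constructed for the example, and the 14-day modification window in the live check is an assumption to adjust to when the defacement first appeared.

```shell
#!/bin/sh
# Triage helpers for a host suspected of carrying an attacker's backdoor.
# File-based functions take a path so they can be run against the live
# /var/log/auth.log and /etc/passwd, or against copies taken from a
# mounted disk image when the live host can no longer be trusted.

# Constructed sample sshd log lines (hypothetical host and addresses).
SAMPLE_AUTH_LOG='Sep 27 03:14:01 lb1 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Sep 27 03:14:03 lb1 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2
Sep 27 03:14:05 lb1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Sep 27 03:15:10 lb1 sshd[2220]: Accepted password for deploy from 203.0.113.5 port 51100 ssh2
Sep 27 09:02:44 lb1 sshd[3104]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2'

# Constructed sample /etc/passwd with one planted UID-0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:ops:/home/ops:/bin/bash
sys_backup:x:0:0::/var/tmp/.x:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# failed_by_ip LOG: failed SSH password attempts per source address, most
# active first. A tall count followed by an "Accepted password" from the
# same address is the brute-force pattern the answer mentions.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# accepted_logins LOG: "user address method" for every successful login.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
        | sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) .*/\2 \3 \1/p'
}

# uid0_accounts PASSWD: accounts other than root with UID 0. A planted
# UID-0 user is a common local backdoor reachable from any web shell.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# shell_accounts_outside_home PASSWD: accounts with a real login shell
# whose home is outside /home and /root (e.g. hidden under /var/tmp).
shell_accounts_outside_home() {
    awk -F: '$7 !~ /nologin|false$/ && $6 !~ /^\/(home|root)/ { print $1 ":" $6 }' "$1"
}

# live_persistence_check: run as root on the host itself. Prints every
# user's crontab, the system cron directories, and files under the init,
# systemd, profile and .ssh trees changed in the last 14 days (assumed
# window), which covers planted cron jobs, units and authorized_keys.
live_persistence_check() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/cron[$u]: /"
    done
    ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/rc.local 2>/dev/null
    find /etc/init.d /etc/systemd /lib/systemd/system /etc/profile.d \
         /root/.ssh /home/*/.ssh -type f -mtime -14 2>/dev/null
}

# demo: run the file-based checks against the constructed samples.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_AUTH_LOG" > "$d/auth.log"
    printf '%s\n' "$SAMPLE_PASSWD" > "$d/passwd"
    echo "== failed password attempts per source"; failed_by_ip "$d/auth.log"
    echo "== accepted logins";                    accepted_logins "$d/auth.log"
    echo "== extra UID-0 accounts";               uid0_accounts "$d/passwd"
    echo "== shell accounts homed outside /home"; shell_accounts_outside_home "$d/passwd"
    rm -r "$d"
}
demo
```

On the constructed sample the output shows three failed attempts then a password login from the same address, plus the planted sys_backup account. Prefer running the file-based checks against a copy of the disk: once an attacker has root, auth.log, wtmp and shell history on the live host can all have been edited or simply disabled (an attacker who unsets HISTFILE leaves no history), so an empty history is not evidence that nothing happened. That matches the answer's closing advice to rebuild rather than rely on the host ever being provably clean.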