
This morning I found movies inside my server (Debian VPS, Apache, Webmin/Virtualmin). The files are located in /var/log/roundcube/./ and the user/group is www-data.

I looked in my logs (Apache, ProFTPD, auth) and I didn't find any weird lines. rkhunter found nothing bad.

How can I check the history of a file (in a hidden folder), or the way the user uploaded movies into this folder?

I guess it's a backdoor, but when I scan my website I find nothing bad.

I think I'll take my website offline for a while and see if new movies appear in the folder; if so, it means the user has FTP/SSH access, or that the backdoor is not in my /var/www/.

Thanks in advance

ggg

1 Answer


Given the location of the files and their ownership, I would assume that the attacker got in through a vulnerability in Roundcube and then uploaded the files. The best way to really get to the bottom of this is to run stat on the files (stat movie.avi) and see when the file was actually uploaded. Once you have the timestamp, check the Apache logs for that time frame to see how the attacker got in. rkhunter wouldn't find anything, as it is not the actual OS that is compromised; most likely a vulnerability in Roundcube is being used. Also, to make sure this doesn't happen again, you should upgrade Roundcube and disable shell_exec, allow_url_fopen and allow_url_include if at all possible.

Mugurel
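The stat-then-grep procedure from the answer above, as an added example that is not part of the original answer. It assumes GNU coreutils (stat -c, date -d) as found on a Debian VPS, and a default Apache combined-format access log. The log lines, IP addresses, paths and the suspect timestamp are constructed for the demonstration, not real data from the poster's server; the functions take a file's timestamps, then filter access-log lines to those within a chosen window around it. Note that ctime cannot be reset with touch, so it is the harder of the two timestamps for an attacker to forge.

```shell
#!/bin/bash
# Added example (not from the original post): correlate a dropped file's
# timestamps with Apache access-log entries in the surrounding window.
# Assumes GNU coreutils (stat -c, date -d), e.g. a Debian VPS.

# Print mtime and ctime (seconds since the epoch) of a file.
# Birth time (%W) is usually 0 on older ext4, so mtime/ctime is what we get;
# ctime is not settable via touch/utime, so it is the harder one to forge.
file_times() {
    stat -c 'mtime=%Y ctime=%Z' "$1"
}

# Convert an Apache CLF timestamp "10/Oct/2000:13:55:36 -0700" to epoch seconds.
clf_to_epoch() {
    local d="$1"
    # "10/Oct/2000:13:55:36 -0700" -> "10 Oct 2000 13:55:36 -0700" (GNU date syntax)
    d=$(printf '%s' "$d" | sed -E 's#^([0-9]{2})/([A-Za-z]{3})/([0-9]{4}):#\1 \2 \3 #')
    date -d "$d" +%s
}

# Read access-log lines on stdin; print those within WINDOW seconds of EPOCH.
log_window() {
    local epoch="$1" window="${2:-300}"
    local line ts t
    while IFS= read -r line; do
        # The timestamp sits between the first "[" and the following "]".
        ts=${line#*\[}; ts=${ts%%\]*}
        t=$(clf_to_epoch "$ts" 2>/dev/null) || continue
        if [ "$t" -ge $((epoch - window)) ] && [ "$t" -le $((epoch + window)) ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample access log (hypothetical addresses and requests).
SAMPLE_LOG='203.0.113.5 - - [03/Mar/2014:02:10:11 +0000] "GET /roundcube/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2014:02:14:52 +0000] "POST /roundcube/?_task=mail&_action=upload HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2014:09:31:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.26.0"'

# Hypothetical mtime of the dropped file: 2014-03-03 02:15:40 UTC.
suspect_mtime=$(date -u -d '2014-03-03 02:15:40' +%s)

# Number of sample lines within 10 minutes of the suspect timestamp.
hits_in_window() {
    printf '%s\n' "$SAMPLE_LOG" | log_window "$suspect_mtime" 600 | grep -c ''
}

# On the real box, against the actual file and logs (paths are assumptions):
#   f=/var/log/roundcube/./movie.avi
#   file_times "$f"
#   m=$(stat -c %Y "$f")
#   cat /var/log/apache2/*access*.log | log_window "$m" 600
```

Widen the window if the upload took a while, and run the same search over the rotated (.1, .gz via zcat) logs, since the upload may predate the current file.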