Symbolic link to root

nealdxmhost
While searching for corrupt PHP files on one of the servers, I came across this after the scan went into an infinite loop:
/home/some_user/public_html/wp-content/themes/twentyeleven/Indishell

Code:
[root@da603 Indishell]# pwd
/home/some_user/public_html/wp-content/themes/twentyeleven/Indishell
[root@da603 Indishell]# ^C
[root@da603 Indishell]# ls -l
total 0
lrwxrwxrwx. 1 some_user some_user 1 Jul 20  2014 root -> /
[root@da603 Indishell]#

Then I attempted to do this and got the following, and needless to say I thought better of it.
Code:
[root@da603 Indishell]# rm -fr root/
rm: it is dangerous to operate recursively on `root' (same as `/')
rm: use --no-preserve-root to override this failsafe

Thank goodness it spat out the warning it did. But needless to say, something is not right with this particular user account, and maybe the server.

A little bit of checking on Google shows this is some kind of hack from a group based in India.

Any advice, thoughts, ideas?
 
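The near miss above comes from one detail: `rm -fr root/` has a trailing slash, so rm follows the link and operates on its target, which is `/`. Removing the link itself (no trailing slash, or `unlink`) is safe. The script below is an added example, not from the original post or from DirectAdmin: it walks a home directory without following links (the same reason the poster's scanner looped forever), reports every symlink whose resolved target lies outside that home, and removes only the link. It assumes GNU coreutils (`readlink -f`); the paths are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original thread).
# Assumes GNU coreutils: readlink -f, find -type l. Paths are hypothetical.

# find_escaping_symlinks HOME_DIR
# Prints "link -> target" for every symlink under HOME_DIR whose canonical
# target is not inside HOME_DIR (e.g. "root -> /"). find(1) does not follow
# symlinks by default, so the walk cannot loop through the link into /.
find_escaping_symlinks() {
    home_dir=$(readlink -f "$1") || return 1
    find "$home_dir" -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=""
        # Unresolvable (dangling) links are skipped; they cannot be abused to read files.
        [ -n "$target" ] || continue
        case "$target" in
            "$home_dir"|"$home_dir"/*) ;;                  # stays inside the home: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;   # escapes the home: report it
        esac
    done
}

# remove_link LINK
# Removes the symlink itself. A trailing slash is stripped on purpose:
# "rm -rf link/" would follow the link and recurse into its target.
remove_link() {
    link=${1%/}
    if [ ! -L "$link" ]; then
        echo "refusing: not a symlink: $link" >&2
        return 1
    fi
    unlink "$link"
}

# Usage (hypothetical): find_escaping_symlinks /home/some_user
#                       remove_link /home/some_user/public_html/wp-content/themes/twentyeleven/Indishell/root
```

Run the finder first and read the list; a link to `/`, `/etc` or another customer's home is the classic shared-hosting trick for reading other sites' `wp-config.php` through the web server, so every hit deserves a look at who created it and when.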
As the best advice is to reinstall the server, because a user should not be able to issue root commands, I can imagine that's not what you want.

Best thing to do is to at least use something like mod_ruid on the servers.
Next to that, install and configure Maldetect and have it scan all /home directories to see if there are more issues.
There is a big chance this hacktool also generated a php.ini; check those.

Normally twentyeleven is a default and safe theme, so there is a good chance that the hackers put this file in via another way or another directory.
There is also a possibility they hacked the customer's FTP password or got to it via malware on the customer's PC.
Another way is to abuse a leaky plugin which allows shell upload, like the wp-business-intelligence plugin version 1.0.6. Customers could be using leaky scripts; it happens often.
 
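A php.ini dropped by a web shell usually exists to undo the hardening the host set globally: empty `disable_functions`, `open_basedir = none`, `allow_url_include = On`, or an `auto_prepend_file` that silently includes a backdoor on every request. The script below is an added example (not Richard's or the poster's code, and not part of Maldetect) that finds php.ini and .user.ini files under customers' web roots and flags those directives. The directive list is this reviewer's choice; the `/home` layout and `public_html` name are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread). Assumes POSIX sh, find, sed,
# grep, cut, tr. The flagged directives are the reviewer's own list.

# weak_php_directives FILE
# Prints one line per directive in FILE that weakens PHP hardening.
weak_php_directives() {
    # Drop comments (';' or '#') and blank lines, then parse "key = value".
    sed -e 's/[;#].*$//' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
        val=$(printf '%s' "$line" | cut -s -d= -f2- | tr -d '[:space:]"' | tr 'A-Z' 'a-z')
        case "$key" in
            disable_functions)
                if [ -z "$val" ]; then echo "disable_functions emptied"; fi ;;
            open_basedir)
                if [ -z "$val" ] || [ "$val" = none ]; then echo "open_basedir cleared"; fi ;;
            safe_mode)
                case "$val" in off|0) echo "safe_mode off" ;; esac ;;
            allow_url_include)
                case "$val" in on|1) echo "allow_url_include on (remote file inclusion)" ;; esac ;;
            auto_prepend_file|auto_append_file)
                if [ -n "$val" ]; then echo "$key set to $val (code injected into every request)"; fi ;;
        esac
    done
}

# scan_web_roots HOMES_DIR
# Lists php.ini / .user.ini files below any public_html under HOMES_DIR and
# reports the weakened directives in each. Does not follow symlinks.
scan_web_roots() {
    find "$1" -path '*/public_html/*' -type f \( -name php.ini -o -name .user.ini \) 2>/dev/null |
    while IFS= read -r f; do
        hits=$(weak_php_directives "$f")
        if [ -n "$hits" ]; then
            echo "== $f"
            echo "$hits"
        fi
    done
}

# Usage (hypothetical): scan_web_roots /home
```

Anything this flags should be compared against the file's mtime and owner and against the FTP and web logs for that window; a php.ini that appeared the same day as the web shell is part of the same intrusion, and a Maldetect scan of the whole /home tree afterwards (`maldet -a /home`) is still needed, since this only looks at ini files, not at the shells they were written to support.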
Thanks Richard,

I was able to remove the symbolic link this morning without incident after doing some research.

Maldet is already installed on the server and I am running another scan now to see if there are anymore surprises.

I will need to check and see if Jeff had compiled the server with mod_ruid, which I am pretty sure he did if I know how he did things, plus the fact that he had suggested it to me about five years ago when I was having a problem with one of my servers.

BTW, I am back to working days now.
 
You're welcome Neal.

Depending on the available resources and such, it might also be wise to install ClamAV via CustomBuild and let it check FTP uploads. However, this could slow down FTP upload speed, so that's something to look into.
 
Good point. I know that ClamAV is already installed but not sure if it is tied into FTP or not at this point.

I hate when this crap happens though as it eats up so much of my day having to go through everything.
 