Hacked - SOLVED!
Hello!
Generally the server is fine, but today I found some scripts uploaded to one of the users' directories.
As I understand it, someone (I will call him the attacker) uploaded a PHP script, encoded with base64, to Joomla's administrator templates directory; this script generates another Perl script with some extension.
With .htaccess the attacker overrides the basic rules:
htaccess:
Code:
Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .evil
AddHandler cgi-script .evil
AddHandler cgi-script .evil
another htaccess:
Code:
#Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .izri
AddHandler cgi-script .pl
AddHandler cgi-script .pl
and runs the Perl script.
System:
Centos 5.5 - Kernel updated
Apache 2.2.1x (don't remember, it has been updated)
PHP 5.2.x - disabled all exec, shell_exec and others
mod_ruid2
CSF
Perl - cgi disabled for all users
openbase directory - on
safe mode - off
Any ideas how to prevent Perl scripts from running when CGI in DA is off?
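Added example, not part of the original post: a small auditor that walks the users' web roots and reports every .htaccess that switches CGI on, the way the two files quoted above do, while skipping commented-out directives such as the `#Options` line. The function names and issue labels are made up for this example, and the directory to scan is passed on the command line.

```python
import os
import re
import sys

# Directives that let a per-directory .htaccess map file extensions to CGI.
MAP_RE = re.compile(
    r'^\s*(AddHandler\s+cgi-script|AddType\s+application/x-httpd-cgi)\s+(.+)$', re.I)
SET_RE = re.compile(r'^\s*SetHandler\s+cgi-script\b', re.I)
OPT_RE = re.compile(r'^\s*Options\s+(.+)$', re.I)

def audit_text(text):
    """Return (line_no, issue, detail) tuples for one .htaccess body."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # a commented-out directive has no effect
        m = OPT_RE.match(line)
        if m:
            # "ExecCGI", "+ExecCGI" and "All" switch CGI on; "-ExecCGI" does not.
            on = [o for o in m.group(1).split()
                  if o.lstrip('+').lower() in ('execcgi', 'all')]
            if on:
                findings.append((no, 'options-enable-cgi', ' '.join(on)))
            continue
        m = MAP_RE.match(line)
        if m:
            findings.append((no, 'cgi-mapping', m.group(2).strip()))
        elif SET_RE.match(line):
            findings.append((no, 'cgi-sethandler', ''))
    return findings

def scan_tree(root):
    """Walk root and audit every .htaccess; returns {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, errors='replace') as fh:
                hits = audit_text(fh.read())
            if hits:
                report[path] = hits
    return report

if __name__ == '__main__':
    # Assumed usage: pass the directory that holds the users' web roots.
    for path, hits in scan_tree(sys.argv[1]).items():
        for no, issue, detail in hits:
            print(f'{path}:{no}: {issue} {detail}')
```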