Quote:
Originally Posted by LanceBoyles
lftp and snarf are the only other ones I can think of off the top of my head.
Did you remove the vulnerable PHP script? You really should consider rebuilding that box from scratch and restoring from pre-compromise backup in the event that trojaned programs or backdoors were installed that you didn't detect.
The box could not be brought down, since it was a production machine for my friend, who hosts websites on it. His business partner could not be persuaded to bring the box down while investigating the incident.
Bitter irony... the box died a week later, had some hardware replaced and its OS newly installed... It's clean now...
I tried to close the box as much as I could and in the end I was very happy with the result (not to mention the enormous amount of "hacker goodies" that were left behind). A very good learning experience!
We did remove the PHP script, which was part of a PHP-Nuke photo gallery, and asked the owner to look for either a non-vulnerable version or find another gallery. Furthermore, my friend started using a firewall on the box itself and uses very strict rules now.
I also created a script that continuously checks whether user "httpd" runs any software other than the web server itself (which is how I found out about the hack in the first place), and this script was very useful in finding other hidden scripts. I must admit that those trojans are cleverly hidden and are a nice piece of work!
Anyway, thanks for the addition to my list!
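The "does user httpd run anything but the web server" check described in the post above, written out as an added example; it is not the poster's script, which the thread does not include. It assumes the web server runs as user httpd from /usr/sbin/httpd (both overridable through WEB_USER and WEB_BIN) and reads `ps -eo user,pid,args`; the ps listing embedded in SAMPLE_PS is constructed for the offline run.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Flag processes that run as the web server user but whose command is not
# the web server binary itself. Assumption: the web server runs as "httpd"
# from /usr/sbin/httpd; override WEB_USER / WEB_BIN for your own box.

WEB_USER="${WEB_USER:-httpd}"
WEB_BIN="${WEB_BIN:-/usr/sbin/httpd}"

# Constructed sample of `ps -eo user,pid,args` output for the offline run.
# Two httpd workers are legitimate; the perl script in /tmp and the shell
# are the kind of thing the check is meant to surface.
SAMPLE_PS='USER       PID ARGS
root         1 /sbin/init
httpd      812 /usr/sbin/httpd -DFOREGROUND
httpd      815 /usr/sbin/httpd -DFOREGROUND
httpd     2304 /usr/bin/perl /tmp/.x/bot.pl
httpd     2310 /bin/sh -c ./run.sh
nobody    3001 /usr/sbin/cron'

# suspicious_procs: read a ps listing (user, pid, args) on stdin and print
# every line owned by WEB_USER whose command is not WEB_BIN. The header
# line (NR == 1) is skipped.
suspicious_procs() {
    awk -v u="$WEB_USER" -v b="$WEB_BIN" 'NR > 1 && $1 == u && $3 != b { print }'
}

# count_suspicious: number of flagged lines for the listing on stdin.
count_suspicious() {
    suspicious_procs | wc -l | tr -d ' '
}

# check_live: run the check against the real process table of this host.
check_live() {
    ps -eo user,pid,args | suspicious_procs
}

# monitor: re-run the live check every N seconds (default 30) and send any
# hit to syslog via logger, so a finding survives the terminal being closed.
monitor() {
    interval="${1:-30}"
    while :; do
        hits=$(check_live)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | logger -t httpd-watch -p auth.warning
        fi
        sleep "$interval"
    done
}

# Offline demonstration on the constructed listing (prints the two hits).
printf '%s\n' "$SAMPLE_PS" | suspicious_procs
```

Two caveats apply. The check trusts `ps`, so a userland rootkit that replaces ps, or a kernel module that hides processes, will blind it; on Linux, walking /proc directly and comparing the target of /proc/PID/exe against WEB_BIN is more robust than matching the command string, which a process can rewrite. It also only catches what is running at the moment of the check, which is why the post runs it continuously rather than once.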