5

I was using SFTP to give clients access to certain folders so that they could modify their Apache virtual hosts as desired. Until someone uploaded a PHP backdoor and erased all virtual hosts :).

I was wondering if there is a way I can get the IP of the attacker?

I guess I will see nothing in access.log because most common PHP backdoors use the system function to execute commands in a shell.

schroeder
opc0de

    To do disk forensics against your web server you'll want to capture an image of the entire disk as close to the attack as possible. The IP of the uploader and user of the PHP script should both be in your web server logs if they survived the attack. If they didn't, it is remotely possible the deleted files are recoverable with forensics / data recovery techniques. – adric May 09 '13 at 23:07

2 Answers

4

The most important thing to realize is that your server is compromised through and through. While the attacker may not have installed any rootkits or the like, you have no way of knowing. Your only option is to take the system offline and analyze it using an external source. The sooner the better, as otherwise you'll be trampling over any evidence yourself through normal use of the server.

So, essentially, take the server offline, take out the disk, clone it, wipe it down, use backups (if you have them!) to get a usable state back, then start to look at the data on the disk (remember to just examine the data - do not ever boot the system).

If you're lucky, you'll find traces of the attacker left in the web server logs or ftp logs. Depending on the level of access, you might also be able to find something in the auth logs. Obviously, check through any logs the system offers - maybe you'll get lucky.

Fake51
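The log correlation this answer describes, as an added example (not code from the original post or its author): it parses a few constructed Apache combined-format access log lines and constructed OpenSSH `sftp-server` log lines (the format produced by `internal-sftp -l INFO`), finds `.php` files that were written over SFTP, and reports both the IP that uploaded each one and the IPs that later requested it over HTTP. The `DOCROOTS` mapping from SFTP filesystem paths to URL prefixes, the host and user names, and all IP addresses are assumptions made up for the sample data. It also addresses the point raised in the question: commands the backdoor runs through `system()` never appear in access.log, but the HTTP request that triggered them does, and any query-string parameters survive there even though POST bodies do not.

```python
#!/usr/bin/env python3
"""Correlate SFTP uploads of PHP files with the HTTP requests that used them.

Added example, not code from the original post. Assumed (not from the page):
Apache combined log format, OpenSSH internal-sftp logging at LogLevel INFO,
and the DOCROOTS mapping below, which is invented for the sample data.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access.log lines (combined format); not real traffic.
ACCESS_LOG = """\
203.0.113.45 - - [09/May/2013:22:41:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [09/May/2013:22:43:17 +0000] "GET /client1/x.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.7 - - [09/May/2013:22:44:02 +0000] "POST /client1/x.php HTTP/1.1" 200 128 "-" "curl/7.29.0"
198.51.100.7 - - [09/May/2013:22:44:40 +0000] "GET /client1/x.php?cmd=id HTTP/1.1" 200 61 "-" "curl/7.29.0"
192.0.2.10 - - [09/May/2013:22:50:00 +0000] "GET /client2/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Constructed sample sftp-server lines (syslog, LogLevel INFO); not real.
SFTP_LOG = """\
May  9 21:10:00 web1 sftp-server[1987]: session opened for local user client2 from [192.0.2.10]
May  9 21:11:00 web1 sftp-server[1987]: open "/home/client2/vhosts/site.conf" flags WRITE,TRUNCATE mode 0644
May  9 22:40:11 web1 sftp-server[2213]: session opened for local user client1 from [203.0.113.45]
May  9 22:40:30 web1 sftp-server[2213]: open "/home/client1/vhosts/x.php" flags WRITE,CREATE,TRUNCATE mode 0644
May  9 22:40:31 web1 sftp-server[2213]: close "/home/client1/vhosts/x.php" bytes read 0 written 4102
May  9 22:42:05 web1 sftp-server[2213]: open "/home/client1/vhosts/site.conf" flags READ mode 0644
"""

# Assumed mapping from each client's SFTP directory to its URL prefix.
DOCROOTS = {"/home/client1/vhosts": "/client1", "/home/client2/vhosts": "/client2"}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
SFTP_SESSION_RE = re.compile(
    r'sftp-server\[(?P<pid>\d+)\]: session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]')
SFTP_OPEN_RE = re.compile(r'sftp-server\[(?P<pid>\d+)\]: open "(?P<path>[^"]+)" flags (?P<flags>\S+)')


def fs_path_to_url(path):
    """Translate an SFTP filesystem path to the URL path Apache would serve it at."""
    for root, prefix in DOCROOTS.items():
        if path.startswith(root + "/"):
            return prefix + path[len(root):]
    return None


def sftp_php_uploads(lines):
    """Return {url_path: {uploader_ip, ...}} for every .php file written over SFTP.

    The source IP is logged once per session; writes are tied back to it by pid.
    """
    session_ip = {}
    uploads = defaultdict(set)
    for line in lines:
        m = SFTP_SESSION_RE.search(line)
        if m:
            session_ip[m["pid"]] = m["ip"]
            continue
        m = SFTP_OPEN_RE.search(line)
        if m and "WRITE" in m["flags"].split(",") and m["path"].lower().endswith(".php"):
            url = fs_path_to_url(m["path"])
            if url:
                uploads[url].add(session_ip.get(m["pid"], "unknown"))
    return dict(uploads)


def webshell_requests(lines, shell_paths):
    """Return {url_path: [(ip, method, query_params), ...]} for requests to the uploaded files.

    Only the request line is available: shell commands run via system() leave no
    trace here, and POST bodies are not logged, but GET parameters such as cmd= are.
    """
    hits = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path in shell_paths:
            hits[url.path].append((m["ip"], m["method"], parse_qs(url.query)))
    return dict(hits)


def correlate(sftp_lines, access_lines):
    """Build {url_path: {"uploaded_from": [...], "requested_from": [...]}}."""
    uploads = sftp_php_uploads(sftp_lines)
    hits = webshell_requests(access_lines, set(uploads))
    return {
        url: {
            "uploaded_from": sorted(ips),
            "requested_from": sorted({ip for ip, _, _ in hits.get(url, [])}),
        }
        for url, ips in uploads.items()
    }


if __name__ == "__main__":
    for url, info in correlate(SFTP_LOG.splitlines(), ACCESS_LOG.splitlines()).items():
        print(url, "uploaded from", info["uploaded_from"], "requested from", info["requested_from"])
```

Run it against copies of the logs taken from the cloned disk, never from the live system. On the sample data the uploader (203.0.113.45) and the later operator (198.51.100.7) differ, which is the usual case when a backdoor is handed to a second party or proxied through; the `cmd=id` request shows the kind of line that does survive in access.log even though the command's execution itself is invisible there.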
2

Try setting up Snorby or some other variation of Snort and listen for the network activity on the subnet or network segments in question. You will probably be able to have a pretty good start on some decent network forensics and figure out if it is one or more backdoors and the source/destinations of your ingress/egress.

Tek Tengu