[Cialug] URGENT! How to list all files new/modified last 24 hours

Afan Pasalic afan at afan.net
Fri Oct 26 11:10:43 CDT 2012


The server is already off. Only I have access by ssh.

I was lucky it happened while I was working on the server. I then hit the arrow key in the terminal to repeat the last command, and it showed something I didn't use. By hitting it a few more times I saw stuff I never used, and I also saw where they planted shv5.zip, unzipped it and set it up.
I called the hosting company to shut it down immediately. But in the meantime they changed every index.php file to their own index file with an "Anonymous" message, proclamation and other shit. On all my websites.

Looks like they got in through my old website I coded myself. They found the hole.
I talked to tech support and the guy said they got in through FTP but I doubt it.

I'm downloading all the stuff to my local computer and have to let them clean everything: clean install, everything from scratch.

I don't know how to save the emails, because he said he has to delete all the email too :(

Any idea how to save emails even as simple text files, to have access later to the content?


On Oct 26, 2012, at 11:02 AM, Nicolai wrote:

> On Fri, Oct 26, 2012 at 09:24:53AM -0500, Matthew Nuzum wrote:
>> I would strongly suggest taking the server off line, backing up critical
>> files and restoring it clean and patched. I've been in your shoes, trying
>> to find and fix a security breach is like playing whack a mole and you
>> never have full confidence that you have it truly secure.
> 
> I second this, and I'd like to add that OP should consider replacing
> some software with secure alternatives that don't require regular
> patching and panic.
> 
> Afan, what software do you think was the culprit?  Also, what leads you
> to believe your machine was compromised?
> 
> Nicolai
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
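The subject line asks how to list every file created or modified in the last 24 hours. The script below is an added example written for this page, not something posted in the thread, and it assumes GNU or BSD find (-mmin and -cmin are not in POSIX). It goes one step beyond the question by also reporting files whose inode change time (ctime) is recent while their modification time (mtime) is not, which is what backdated timestamps look like.

```shell
#!/bin/sh
# Added example (not from this thread): first-pass triage of a web tree
# after a compromise. Assumes GNU or BSD find.

# Files whose *content* changed within the last HOURS hours (default 24).
# Caveat: mtime can be reset with touch, so a file that was planted or
# defaced and then backdated will be missing from this list.
list_recent_mtime() {
    root=$1; hours=${2:-24}
    find "$root" -type f -mmin "-$((hours * 60))" -print 2>/dev/null | sort
}

# Files whose inode metadata (ctime) changed within the last HOURS hours.
# The kernel updates ctime on every write, chmod, chown or rename, and
# touch cannot set it, so it is the more trustworthy timestamp here.
list_recent_ctime() {
    root=$1; hours=${2:-24}
    find "$root" -type f -cmin "-$((hours * 60))" -print 2>/dev/null | sort
}

# Files with a recent ctime but an older mtime: candidates for backdated
# timestamps and worth a closer look. comm needs sorted input, which the
# two functions above already provide.
list_ctime_only() {
    root=$1; hours=${2:-24}
    t=${TMPDIR:-/tmp}
    list_recent_ctime "$root" "$hours" > "$t/ctime.$$"
    list_recent_mtime "$root" "$hours" > "$t/mtime.$$"
    comm -23 "$t/ctime.$$" "$t/mtime.$$"
    rm -f "$t/ctime.$$" "$t/mtime.$$"
}

# Usage: sh recent.sh /var/www 24 > /root/recent-files.txt
# (/var/www is a placeholder; point it at the real document root.)
if [ "$#" -ge 1 ]; then
    echo "== mtime changed in the last ${2:-24}h =="
    list_recent_mtime "$1" "$2"
    echo "== ctime recent but mtime older (possible backdating) =="
    list_ctime_only "$1" "$2"
fi
```

Run it before anything is cleaned or reinstalled and keep the output with the offline copy, since the listing is the only record of what the intruder touched once the host is rebuilt.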
