

How do I detect an abused script?




Posted by albatroz, 06-28-2015, 09:06 PM
One of our customers is becoming the target of several attacks that upload files to their website. Fortunately, ConfigServer eXploit Scanner is detecting every new rogue file and puts it in quarantine before it is used; however, I would like to detect which IPs and which scripts are the target of the attack. Is that possible? If I search the Apache logs for the names of the files uploaded, will I find what I am looking for?

Posted by tuhostmx, 06-28-2015, 09:56 PM
What about CSF? This is a great tool for it.

Posted by AdroitSSD LLC, 06-28-2015, 11:33 PM
Doesn't CXS show the file uploader's username? If you know which user is uploading such scripts, then you can suspend that user.

Posted by wonker, 06-29-2015, 03:17 AM
CXS doesn't find everything. It's a good tool to detect an intrusion on a user's account, but you still need to clean the whole account. Once a single malicious file is detected, the account is already compromised and probably contains everything the hacker needs to get back in. You need to remove all files from public access for that user and only restore non-PHP and non-.htaccess files. Any PHP or .htaccess files need to be opened and read to make sure they don't contain anything they shouldn't. The last account we fully cleaned was hacked at a previous webhost 5 years before and was never cleaned correctly. Apache logs will tell you if the hacker accessed the admin, but not necessarily when or how he got in.
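The log search asked about in the opening post, as an added example that is not part of the thread: it lists the IPs and scripts behind POST requests received just before a quarantined file appeared, and the IPs that later requested the file by name. It assumes Apache's combined log format and that the scanner report gives the file's name and creation time; the log lines, IPs, paths and file name below are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["path"] = rec["path"].split("?")[0]  # drop the query string
            yield rec

def upload_candidates(lines, created, window=timedelta(seconds=30)):
    """(ip, script) pairs for POSTs received shortly before the file appeared.
    The access log does not record POST bodies, so the upload shows up as a
    POST to the abused script, not under the uploaded file's name."""
    hits = Counter()
    for r in parse(lines):
        if r["method"] == "POST" and timedelta(0) <= created - r["ts"] <= window:
            hits[(r["ip"], r["path"])] += 1
    return hits

def later_access(lines, filename):
    """IPs that requested the rogue file by name (attempts to use it)."""
    return Counter(r["ip"] for r in parse(lines)
                   if r["path"].endswith("/" + filename))

# Constructed sample data: documentation-range IPs, hypothetical paths.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Jun/2015:20:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Jun/2015:20:15:02 +0000] "POST /gallery/upload.php?a=1 HTTP/1.1" 200 31 "-" "curl/7.40"',
    '203.0.113.9 - - [28/Jun/2015:20:15:09 +0000] "GET /uploads/x1.php HTTP/1.1" 404 210 "-" "curl/7.40"',
    '198.51.100.7 - - [28/Jun/2015:20:40:00 +0000] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
# Creation time of the quarantined file, taken from the scanner report (assumed).
CREATED = datetime(2015, 6, 28, 20, 15, 3, tzinfo=timezone.utc)

if __name__ == "__main__":
    for (ip, script), n in upload_candidates(SAMPLE_LOG, CREATED).items():
        print(f"possible upload: {ip} POST {script} x{n}")
    for ip, n in later_access(SAMPLE_LOG, "x1.php").items():
        print(f"requested rogue file: {ip} x{n}")
```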

Posted by sabrina84, 07-04-2015, 02:55 PM
albatroz, hardening of Apache is required, and check all folders that have 777 permissions and reside in the Apache home dir. That will be a never-ending loop. Kindly harden Apache or ask the ISP for a hardware firewall. Last edited by Postbox; 07-04-2015 at 09:54 PM.


