Guest, posted December 27, 2004

I've had several sites on my server NOT defaced but other things like databases deleted and settings modified. Luckily I perform regular backups so I've rolled back the entire system (lost 3 weeks) and changed all the passwords for critical areas (root, MySQL admin, etc). My clients aren't happy about losing a few weeks of records and neither am I. I've changed PHP to run SuPHP so as to narrow the search a little. Has anyone experienced the same or found how they are getting in? I'm fairly sharp on server security but this one has me pulling my hair out. I'm not a server security expert so I look to the forum members for some pointers.

Bobby
Guest, posted December 27, 2004

Have you looked at all the logs? Also 'last', check the etc/users for equivalents to root. Make sure that root can not log on via ssh, that you have to 'su root' after logon. Search for phpexplorer.php. Make it so only localhost and not % can access the files (limits mysql cc unless from specific ip).
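The checks suggested in the post above, as an added example that is not part of the thread. It assumes the post's "etc/users" means the passwd-format account file, that the SSH server is OpenSSH (PermitRootLogin in sshd_config), and that the MySQL accounts were saved as tab-separated user/host lines; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example: the checks from the post above, run against file copies.

# Accounts with UID 0 other than root. $1: passwd-format file
# (assumed to be what the post means by "etc/users").
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Effective PermitRootLogin from an sshd_config-format file. sshd keeps the
# first value it reads; Match blocks and Include files are not handled here.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# MySQL accounts whose host is the '%' wildcard. $1: tab-separated user/host
# lines, e.g. saved from: mysql -N -B -e "SELECT user, host FROM mysql.user"
wildcard_mysql_users() {
    awk -F'\t' '$2 == "%" { print $1 }' "$1"
}

# Constructed sample inputs (not taken from the thread).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bobby:x:1001:1001::/home/bobby:/bin/bash
support:x:0:0::/home/support:/bin/bash
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
EOF
printf 'root\tlocalhost\nshop\t%%\n' > "$SAMPLE_DIR/mysql_users"

echo "UID 0 besides root: $(uid0_accounts "$SAMPLE_DIR/passwd")"
echo "PermitRootLogin:    $(root_login_setting "$SAMPLE_DIR/sshd_config")"
echo "MySQL host %:       $(wildcard_mysql_users "$SAMPLE_DIR/mysql_users")"
```

On a live server the same functions can be pointed at the real account file, the real sshd_config and a fresh dump of the MySQL user table.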
Guest, posted December 27, 2004

> Have you looked at all the logs? Also 'last', check the etc/users for equivalents to root. Make sure that root can not log on via ssh, that you have to 'su root' after logon. Search for phpexplorer.php. Make it so only localhost and not % can access the files (limits mysql cc unless from specific ip).

Got 'em...weak user password. The SuPHP pinpointed the account within a few hours. I shut him down and installed a strong password enforcer for the rest. Hhhmmmm...looks like jailshell isn't as robust as I thought.
Guest, posted December 27, 2004

http://www.winguides.com/security/password.php
TCwho, posted January 1, 2005

Wow, any tips on how to prevent this... I had to use Putty for the first time ever to install phpMyAdmin when installing osC ... so I am very new to all of the lingo here, but any advice/tips would be helpful.
This topic is now archived and is closed to further replies.