I've been hacked; what to do next?

I went one one of my Mambo/php sites, instead of the usual stuff I found "HaCKeD By BeLa & BodyguarD (Turkish Hackers)". This is a PHP site and and I found a new index.html dated Jan 31.

It looks like they are very busy



This could be just a Mambo PHP hack (not so bad), or a full rookit (very bad). Suspecting a root kit, I installed chkrootkit & it shows:

Checking `lkm'… You have 57 process hidden for ps command

chkproc: Warning: Possible LKM Trojan installed

This does not sound good. I dont know if this is a false positive because of UML or a real rootkit. I have standard Redhat 9 running for 3 years, all passwords are mine an alpha-numeric, firehol is used as the firewall. I'm currently backing up everything using rsync.

So where do I go from here? I have no idea how this was done, they didn't seem to vandalise anything just show their presence. I suppose I will have to start again with a new distro and rebuild from scratch.

2 Replies

Sounds bad. I'd wipe and start over, in your shoes. Not sure you can really trust anything on the system.

I've never seen a UML-caused chkrootkit false positive.

Yep I run a few rootkit scanners when I do a server audit once in awhile I've never gotten a false positive regarding running processes.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct