Successful SSH Attack - Need help cleaning up

Matthew Frederico mfrederico at
Tue Oct 31 09:58:55 MST 2006

On 10/30/06, Daniel <teletautala at> wrote:
> On 10/27/06, Ryan Simpkins <plug at> wrote:
> > Secondly, and to back up a bit, how do you know that it was via SSH they gained
> > access? Is SSH the only service running on your system?

Sorry to interject - A similar event like this happened to me on a

What I found was that it wasn't an SSH attack, that it was actually a hole
in a program on the webserver - I think it was phpbb - where they were able
to use a crafted query string because safe mode was off in php and
open_basedir was not only allowing for the web user root path.

So I fixed that, got rid of the programs (which incidentally were sending
phishing spam) and hacked the guy back and got all his tools, lists etc.

At any rate, if you are running php, double-check your settings and make
SURE you turn off the url-fopen wrappers - those can cause havoc. Also
double-check you're running in safe mode, and set open_basedir settings in
your apache conf per virtual host.

-- Matthew Frederico
Office: (801) 938-4071
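The per-virtual-host lockdown the post recommends, written out as an added example for mod_php on Apache 2.x; this is not configuration from the original post or from the PLUG list, and the hostname and paths are placeholders. The `php_admin_*` directives are the right tool here because, unlike `php_value`/`php_flag`, they cannot be overridden from `.htaccess` or `ini_set()` by the web application itself.

```apache
# Added example (not from the original post): confine one vhost's PHP.
# ServerName and all paths are assumed placeholders.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com/htdocs

    # Disable the URL fopen wrappers so include()/fopen()/file_get_contents()
    # cannot fetch remote code or data via http://, ftp:// etc.
    # allow_url_include is the separate include()-specific switch added in PHP 5.2.
    php_admin_flag allow_url_fopen Off
    php_admin_flag allow_url_include Off

    # Restrict every file operation in this vhost to its own tree plus a
    # private temp directory (entries are colon-separated; trailing slash
    # limits the match to the directory rather than a name prefix).
    php_admin_value open_basedir "/var/www/example.com/:/var/www/example.com/tmp/"
    php_admin_value upload_tmp_dir "/var/www/example.com/tmp"
    php_admin_value session.save_path "/var/www/example.com/tmp"

    # safe_mode as the post suggests. It only exists on PHP < 5.4 (removed in
    # 5.4 and never a real isolation boundary); leave this out on current PHP.
    # php_admin_flag safe_mode On
</VirtualHost>
```

To confirm the values actually took effect, check from inside the vhost (a temporary `phpinfo()` page, removed afterward) rather than with `php -i` on the command line: the CLI binary reads its own php.ini and will not reflect per-vhost `php_admin_*` settings.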

More information about the PLUG mailing list