
March 25th, 2012, 11:37 PM
Is this evidence of a hack? HELP!
I am running Apache 2.2.4 on a computer in my home and hosting sites for a variety of people. Tonight I did a search for one domain, just to see what kind of search engine results it was getting, and I found something very odd. I have a secure virtual on my server and some shopping carts. Searching for a couple of domains that I own but which have no connection to the secure virtual server, I found Google had links to those sites and the virtual server - and they resolved, but with the warning that the server certificate did not match the name on the site. In other words, I own a domain called guymerritt.net - just my name. Google says there is a page at https://www.guymerritt.net/netkwikos2/catalog connected to that site. There shouldn't be - the "netkwikos2" directory is the name of a virtual, secure directory on a site called lowestcostmattressdirect.com. I can't find any weird files on my server, no PHP files with weird code injected...
I'm not sure if I explained this very well, but does this sound like some kind of hack? I've turned everything off and my butt is in a crack, as I've got businesses running from this.
UPDATE: I DID find one oddball file in my Apache conf folder. It was just called "lo" - no file extension. If this had been there before, I'd never seen it. This is about 50% of it - everything ended with a .pem file:
Code:
/usr/share/doc/m2crypto-0.16/tests/dhparams.pem
/usr/share/doc/m2crypto-0.16/tests/dsa.param.pem
/usr/share/doc/m2crypto-0.16/tests/dsa.priv.pem
/usr/share/doc/m2crypto-0.16/tests/dsa.pub.pem
/usr/share/doc/m2crypto-0.16/tests/ec.priv.pem
/usr/share/doc/m2crypto-0.16/tests/ec.pub.pem
/usr/share/doc/m2crypto-0.16/tests/recipient.pem
/usr/share/doc/m2crypto-0.16/tests/recipient_key.pem
/usr/share/doc/m2crypto-0.16/tests/rsa.priv.pem
/usr/share/doc/m2crypto-0.16/tests/rsa.priv2.pem
/usr/share/doc/m2crypto-0.16/tests/rsa.pub.pem
/usr/share/doc/m2crypto-0.16/tests/server.pem
/usr/share/doc/m2crypto-0.16/tests/signer.pem
/usr/share/doc/m2crypto-0.16/tests/signer_key.pem
/usr/share/doc/m2crypto-0.16/tests/x509.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/client-cert.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/client-key.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/my-ca.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/server-cert.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/server-key.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/server-rsa384-dh.pem
/usr/share/doc/perl-IO-Socket-SSL-1.01/certs/test-ca.pem
/usr/share/doc/perl-Net-SSLeay-1.30/examples/server_key.pem
/usr/share/purple/ca-certs/AOL_Member_CA.pem
/usr/share/purple/ca-certs/America_Online_Root_Certification_Authority_1.pem
/usr/share/purple/ca-certs/CAcert_Class3.pem
/usr/share/purple/ca-certs/CAcert_Root.pem
/usr/share/purple/ca-certs/Entrust.net_Secure_Server_CA.pem
/usr/share/purple/ca-certs/Equifax_Secure_CA.pem
/usr/share/purple/ca-certs/Equifax_Secure_Global_eBusiness_CA-1.pem
/usr/share/purple/ca-certs/GTE_CyberTrust_Global_Root.pem
/usr/share/purple/ca-certs/Microsoft_Internet_Authority.pem
/usr/share/purple/ca-certs/Microsoft_Secure_Server_Authority.pem
/usr/share/purple/ca-certs/StartCom_Certification_Authority.pem
/usr/share/purple/ca-certs/StartCom_Free_SSL_CA.pem
/usr/share/purple/ca-certs/Thawte_Premium_Server_CA.pem
/usr/share/purple/ca-certs/VeriSign_Class3_Extended_Validation_CA.pem
/usr/share/purple/ca-certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
/usr/share/purple/ca-certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5_2.pem
/usr/share/purple/ca-certs/VeriSign_International_Server_Class_3_CA.pem
/usr/share/purple/ca-certs/Verisign_Class3_Primary_CA.pem
/usr/share/purple/ca-certs/Verisign_RSA_Secure_Server_CA.pem
Any thoughts/ideas would be appreciated.
Last edited by 88guy : March 26th, 2012 at 12:00 AM.
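One check an admin can run against the symptom described in the post (browser warning that the certificate does not match the site name), added here as an example and not part of the original post or of Apache: for each hosted name it connects to port 443 with SNI for that name and reports whether the certificate the server hands back actually carries it, so you can see which domains are being answered under another site's certificate. It assumes the openssl command-line tool is installed; the hostnames are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not from the original post. Usage: sh vhostcert.sh host1 host2 ...
# With no arguments it only defines the functions (handy for sourcing/testing).

# name_covers HOST PATTERN: exit 0 if PATTERN covers HOST, either exactly or as a
# '*.' wildcard matching exactly one leftmost label (the way browsers check it).
name_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$host" = "$pat" ] && return 0
    case "$pat" in
        \*.*) [ "${host#*.}" = "${pat#\*.}" ] && [ "${host%%.*}" != "$host" ] && return 0 ;;
    esac
    return 1
}

# cert_covers_host HOST NAME...: exit 0 if any of the certificate's names covers HOST.
cert_covers_host() {
    host=$1; shift
    for n in "$@"; do name_covers "$host" "$n" && return 0; done
    return 1
}

# cert_dns_names: read `openssl x509 -noout -text` output on stdin and print the
# DNS subjectAltNames one per line, falling back to the subject CN when there are none.
cert_dns_names() {
    text=$(cat)
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        printf '%s\n' "$text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p'
    fi
}

# probe HOST: handshake with SNI=HOST and print "HOST OK|MISMATCH name1 name2 ...".
# A MISMATCH means the server answered that name with some other site's certificate.
probe() {
    host=$1
    names=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -noout -text 2>/dev/null | cert_dns_names | tr '\n' ' ')
    # word-splitting $names into separate arguments is intended here
    if cert_covers_host "$host" $names; then status=OK; else status=MISMATCH; fi
    printf '%s %s %s\n' "$host" "$status" "$names"
}

for host in "$@"; do probe "$host"; done
```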