Look for any connections on port 80 (including outbound ones) with:
lsof -i :80
You will see your own Apache server in that list too, but keep an eye out for anything else.
Usually, attacks like this are very obvious in the output of:
ps faux
#Connect to this using websockets on port 9454
#Send in the format of {"data":[1,2,3]}
#The app returns the standard deviation of the sent array
library(jsonlite) | |
library(httpuv) | |
#server | |
app <- list( | |
onWSOpen = function(ws) { | |
ws$onMessage(function(binary, message) { | |
write(message, file = "log.txt",append = TRUE, sep = "\n") |
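# System dependency for the Cairo R package. This is a shell command, not R,
# so run it from a terminal first:
#   sudo dnf install cairo-devel
# Then, from an R session, install the R packages in one call so that
# install.packages() can resolve their dependencies together.
install.packages(c("Rserve", "Cairo", "MASS", "stringr", "ggplot2"))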
>>> import os, psutil | |
>>> psutil.Process(os.getpid()).get_memory_info().rss / 1e6 | |
20.324352 | |
>>> %time import numpy | |
CPU times: user 1.95 s, sys: 1.3 s, total: 3.25 s | |
Wall time: 530 ms | |
>>> psutil.Process(os.getpid()).get_memory_info().rss / 1e6 | |
349.507584 |
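# These two lines were missing from my /etc/nginx/fastcgi_params, make sure they are there!
# SCRIPT_FILENAME is the file PHP-FPM will execute; PATH_INFO is set here to the
# same request path (no fastcgi_split_path_info), so adjust if the application
# expects only the part after the script name.
# NOTE(review): both values come straight from the request URI, so the location
# that hands requests to PHP should only match files that actually exist (for
# example `try_files $uri =404;`) or PHP should run with cgi.fix_pathinfo=0.
# Without one of those, non-PHP files under the document root can end up being
# passed to PHP-FPM for execution (the well-known nginx/PHP path-info pitfall).
# Check this against the rest of the nginx config, which is not shown here.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;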
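#source
# Take a hot backup of the running MySQL instance into /www/DB-BACKUP.
# NOTE: --password=root on the command line exposes the credential to every
# local user through the process list (ps) and to the shell history. Prefer a
# [client] section in ~/.my.cnf (mode 0600) or --defaults-extra-file=<file>
# so that the command line carries no secret.
innobackupex --user=root --password=root /www/DB-BACKUP
#destination
# DB-BACKUP is a directory (innobackupex writes a timestamped subdirectory
# into it), so scp needs -r; without it the copy fails with "not a regular
# file". /tmp is shared with every local user; a backup holds the entire
# dataset, so a staging directory with restrictive permissions is preferable.
scp -r root@server:/www/DB-BACKUP /tmp
# Prepare the copied backup (apply the redo log) so the data files are
# consistent before they are copied into place.
innobackupex --apply-log --ibbackup=xtrabackup /tmp/DB-BACKUP/2015-09-16_12-05-39/
# Copy the prepared files into the datadir configured on this host
# (apparently /var/lib/mysql-new, judging from the rm lines below).
innobackupex --copy-back /tmp/DB-BACKUP/2015-09-16_12-05-39/
# Remove the InnoDB redo logs, presumably so the server recreates them with
# the locally configured size on first start — confirm against this host's
# my.cnf before relying on it.
rm /var/lib/mysql-new/ib_logfile1
rm /var/lib/mysql-new/ib_logfile0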
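# in wp-config.php
# SECURITY NOTE: $_SERVER['HTTP_HOST'] is the client-supplied Host header, so
# every URL WordPress derives from WP_HOME / WP_SITEURL (links, redirects,
# password-reset e-mails) follows whatever Host a request sends. Keep this
# dynamic form only if the front-end proxy already restricts the Host header
# to the site's real name(s); otherwise hard-code the hostname here or check
# HTTP_HOST against an allow-list before using it.
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/recipedia');
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/recipedia');
# Re-prefix the request path so WordPress sees itself under /recipedia
# (the proxying nginx location presumably strips that prefix).
$_SERVER['REQUEST_URI'] = '/recipedia' . $_SERVER['REQUEST_URI'];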
#in nginx config | |
location /recipedia/ { | |
proxy_pass http://127.0.0.1:85/; |
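# Report total size and object count for the bucket. The JSON output is a
# two-element array printed one element per line; awk rewrites the second
# line (the byte sum) as a 1024^3-based "GB" figure and passes the rest through.
aws s3api list-objects \
  --profile redcarpetup_media \
  --bucket media.chefatlarge.in \
  --output json \
  --query "[sum(Contents[].Size), length(Contents[])]" \
  | awk 'NR == 2 { print $0 / 1024 / 1024 / 1024 " GB"; next } { print }'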
Look for any connections on port 80 (including outbound ones) with:
lsof -i :80
You will see your own Apache server in that list too, but keep an eye out for anything else.
Usually, attacks like this are very obvious in the output of:
ps faux
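# Build toolchain plus the headers needed by the native extensions used later
# (libpq-dev was listed twice in the original; once is enough).
sudo apt-get install build-essential libreadline-dev libssl-dev zlib1g-dev libxml2-dev libxslt-dev git libpq-dev libmysqlclient-dev nodejs libcurl4-openssl-dev libffi-dev imagemagick libjpeg-progs pngcrush cmake qt4-qmake libqt4-dev sni-qt
# Fetch the source tarball. NOTE: nothing below verifies what was downloaded;
# python.org publishes a detached GPG signature (<tarball>.asc) alongside each
# release, so verify it (or compare against a known-good checksum) before
# building. Also note that Python 2.7 is end-of-life, so 2.7.8 receives no
# security fixes.
wget https://www.python.org/ftp/python/2.7.8/Python-2.7.8.tgz
tar zxvof Python-2.7.8.tgz
cd Python-2.7.8
# Self-contained install under ./release; the rpath lets the shared libpython
# be found without touching the system linker configuration.
./configure --prefix=$PWD/release --enable-shared --enable-unicode=ucs2 LDFLAGS=-Wl,-rpath=$PWD/release/lib
make
make install
#your new python is in Python-2.7.8/release/bin/python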