Apache (?) Updates Removing index.php

nbetcher · November 26, 2008, 2:40am

Hello,
Lately I’ve noticed that my server’s main index.php file is getting moved to index(x+1).php (e.g. index3.php), but the only thing I can link it to is Apache updates. Is there a way to disallow my index.php file from being touched (or any of the Apache htdocs root)? I’ve checked for security concerns, but nothing seems out of the ordinary. Comments? Suggestions?

Thanks, --Nick

Details:

'uname -a':
Linux Server 2.6.22.19-0.1-default #1 SMP 2008-10-14 22:17:43 +0200 i686 athlon i386 GNU/Linux

'cat /etc/SuSE-release':
openSUSE 10.3 (i586)
VERSION = 10.3

'rpm -qa |grep apache':
apache2-example-pages-2.2.4-70.6
apache2-mod_perl-2.0.3-55
apache2-mod_php5-5.2.6-0.4
apache2-2.2.4-70.6
apache2-mod_jk-1.2.21-59.2
apache2-utils-2.2.4-70.6
apache2-mod_python-3.3.1-54
apache2-doc-2.2.4-70.6
apache2-prefork-2.2.4-70.6

'ls -l /srv/www/htdocs/index.php':
-rw-r--r-- 1 wwwrun www 2134 2008-11-23 18:58 index.php

ken_yap · November 26, 2008, 2:56am

index.php isn’t installed by any of the base Apache packages. Apache doesn’t know anything about PHP, PHP is just another loadable module. The PHP package apache2-mod_php5 doesn’t install index.php So you have to look elsewhere other than Apache package updates for the culprit.

nbetcher · November 26, 2008, 3:20am

I haven’t installed any non-OpenSuSE packages ever, so either it’s a package’s script creating an index.php file (not necessarily provided directly as a file in the RPM) or my server is compromised. Any better details or ideas? Thanks for the reply.

ken_yap · November 26, 2008, 3:38am

No idea really. Do you have ftp upload to your server or something that might rename files? Do you have some kind of content management system? What is in the index*.php files? Same thing or some changes? What about the timestamp on the files? Any particular time it happens?

user · November 26, 2008, 3:39am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I’ve installed a SLES server before with the PHP modules and Apache and
never had a PHP script magically show up. If you installed any apps
(SUSE-shipped or otherwise) that are apps that run within Apache with
PHP then maybe those put it there. Otherwise your box is probably
compromised.

Good luck.

nbetcher wrote:
> ken_yap;1900289 Wrote:
>> index.php isn’t installed by any of the base Apache packages. Apache
>> doesn’t know anything about PHP, PHP is just another loadable module.
>> The PHP package apache2-mod_php5 doesn’t install index.php So you have
>> to look elsewhere other than Apache package updates for the culprit.
>
> I haven’t installed any non-OpenSuSE packages ever, so either it’s a
> package’s script creating an index.php file (not necessarily provided
> directly as a file in the RPM) or my server is compromised. Any better
> details or ideas? Thanks for the reply.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJLLbq3s42bA80+9kRAnvmAJsEbI2e5mADkllPwXKeSL1YoOJx3gCfVIwo
mVcO1w5GQ1HEwZB6URtlhgE=
=ejWr
-----END PGP SIGNATURE-----