Strange Port tracked

hi,

It’s quite new for me to use nginx as the webserver, nginx 0.7.65 + php
/fpm on freebsd, which was installed on Apr 28th, 2010. I configured
the server to listen on Port 80 as seen below.

server {
    listen      80;

My php script will create a folder by domain name each time it detect a
different domain. I saw a strange xxxxx:4511 folder created on Jan 13th,
2011. Also owner of all php files and folders are changed to 1005 . I
double checked /etc/passwd and the max user id there is 1003.

Is it possible that my nginx/phpfpm server is hacked? Please advice!

cheers
Tim

Posted at Nginx Forum:

On 2/19/11 10:45 AM, timknip wrote:

different domain. I saw a strange xxxxx:4511 folder created on Jan 13th,
2011. Also owner of all php files and folders are changed to 1005 . I
double checked /etc/passwd and the max user id there is 1003.

Is it possible that my nginx/phpfpm server is hacked? Please advice!

Yes.

cheers
Tim

Posted at Nginx Forum:
Strange Port tracked


Jim O.

On 19 Fev 2011 15h45 WET, [email protected] wrote:

detect a different domain. I saw a strange xxxxx:4511 folder created
on Jan 13th,
2011. Also owner of all php files and folders are changed to 1005 . I
double checked /etc/passwd and the max user id there is 1003.

Is it possible that my nginx/phpfpm server is hacked? Please
advice!

Yes it is. It depends on a lot of stuff:

  1. Your app and how PHP is configured
  2. Your server setup (SSH and such)

You should consider running an IDS and also a log checking tool.

— appa