httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Muhammad Rizwan <riz...@nixpanel.com>
Subject Re: [users@httpd] I've been hacked, I need some help please...
Date Tue, 15 Mar 2005 13:59:05 GMT

Are you using any hosting control panel?



On Tue, 2005-03-15 at 18:41, Francisco Hidalgo Solá wrote:
> Hi, my apache web server has been hacked and they got
> root access, this is my major concern.
> 
> I have apache-2.0.52 and all my main pages were
> changed to a HTML message written in WORD!!! (that for
> sure says it was a script kiddie)
> I think they got root access since all my log
> directory is gone and they rewrote all index.* files
> from all my filesystem directories with their own
> message, I've found two process running under the user
> "apache", they are "r0nin" and "brk".
> The "who" command shows nothing, so it seems it was
> changed. I've found some info on "r0nin" exploit but
> nothing on "brk", both files are in /var/tmp. There
> are also other files in /var/tmp, they are "dc"
> (executable), b.tgz and edy.tgz.
> As I said before, my major concern is root access. I'm
> almost sure they got in with an insecure PHP script,
> but as I see it (I could be wrong), this shouldn't be
> a major problem, that can run scripts with the
> unprivileged account "apache" but thats all,
> nonetheless they got root access from that
> unprivileged account.
> Any ideas?, I don't know what to do. I've read that
> the r0nin script opens a telnet session in port 1666,
> but this cant be the problem, since this port is
> blocked by the firewall and they would get an
> unprivileged telnet access anyway, right?, I didn't
> find any info about the other scrips, I still have
> them there if you need any other info.
> Thank you very much.
> 
> Francisco
> 
> 
> 	
> 
> 	
> 		
> ___________________________________________________________ 
> 250MB gratis, Antivirus y Antispam 
> Correo Yahoo!, el mejor correo web del mundo 
> http://correo.yahoo.com.ar
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message