httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francisco Hidalgo Solá <>
Subject [users@httpd] I've been hacked, I need some help please...
Date Tue, 15 Mar 2005 13:41:57 GMT
Hi, my apache web server has been hacked and they got
root access, this is my major concern.

I have apache-2.0.52 and all my main pages were
changed to a HTML message written in WORD!!! (that for
sure says it was a script kiddie)
I think they got root access since all my log
directory is gone and they rewrote all index.* files
from all my filesystem directories with their own
message, I've found two process running under the user
"apache", they are "r0nin" and "brk".
The "who" command shows nothing, so it seems it was
changed. I've found some info on "r0nin" exploit but
nothing on "brk", both files are in /var/tmp. There
are also other files in /var/tmp, they are "dc"
(executable), b.tgz and edy.tgz.
As I said before, my major concern is root access. I'm
almost sure they got in with an insecure PHP script,
but as I see it (I could be wrong), this shouldn't be
a major problem, that can run scripts with the
unprivileged account "apache" but thats all,
nonetheless they got root access from that
unprivileged account.
Any ideas?, I don't know what to do. I've read that
the r0nin script opens a telnet session in port 1666,
but this cant be the problem, since this port is
blocked by the firewall and they would get an
unprivileged telnet access anyway, right?, I didn't
find any info about the other scrips, I still have
them there if you need any other info.
Thank you very much.



250MB gratis, Antivirus y Antispam 
Correo Yahoo!, el mejor correo web del mundo

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message