httpd-users mailing list archives

From Francisco Hidalgo Solá <fhidalgos...@yahoo.com.ar>
Subject Re: [users@httpd] I've been hacked, I need some help please...
Date Tue, 15 Mar 2005 14:10:29 GMT
No, I don't...

--- Muhammad Rizwan <rizwan@nixpanel.com> wrote:
>
> Are you using any hosting control panel?
>
> On Tue, 2005-03-15 at 18:41, Francisco Hidalgo Solá wrote:
> > Hi, my apache web server has been hacked and they got
> > root access, this is my major concern.
> >
> > I have apache-2.0.52 and all my main pages were
> > changed to an HTML message written in WORD!!! (that for
> > sure says it was a script kiddie)
> > I think they got root access since all my log
> > directory is gone and they rewrote all index.* files
> > from all my filesystem directories with their own
> > message, I've found two processes running under the user
> > "apache", they are "r0nin" and "brk".
> > The "who" command shows nothing, so it seems it was
> > changed. I've found some info on "r0nin" exploit but
> > nothing on "brk", both files are in /var/tmp. There
> > are also other files in /var/tmp, they are "dc"
> > (executable), b.tgz and edy.tgz.
> > As I said before, my major concern is root access. I'm
> > almost sure they got in with an insecure PHP script,
> > but as I see it (I could be wrong), this shouldn't be
> > a major problem, they can run scripts with the
> > unprivileged account "apache" but that's all,
> > nonetheless they got root access from that
> > unprivileged account.
> > Any ideas? I don't know what to do. I've read that
> > the r0nin script opens a telnet session in port 1666,
> > but this can't be the problem, since this port is
> > blocked by the firewall and they would get an
> > unprivileged telnet access anyway, right? I didn't
> > find any info about the other scripts, I still have
> > them there if you need any other info.
> > Thank you very much.
> >
> > Francisco
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
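
A triage check for the symptom described in the quoted post (processes owned by the web server account running out of /var/tmp), as an added example that is not part of the original thread. The function names and the `TEMP_DIRS` list are assumptions of this example; the `apache` account name comes from the post.

```python
import os
import pwd

# Directories any local user can write to (assumed list; the post found
# the binaries in /var/tmp).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def uid_of(status_text):
    """Return the real UID from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def suspicious_processes(uid, proc_root="/proc"):
    """List (pid, exe, reason) for processes owned by `uid` whose binary
    lives in a world-writable temp directory or was deleted after launch."""
    findings = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "status")) as fh:
                owner = uid_of(fh.read())
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or not running as root
        if owner != uid:
            continue
        if exe.endswith(" (deleted)"):
            findings.append((int(entry), exe, "binary deleted from disk"))
        elif exe.startswith(TEMP_DIRS):
            findings.append((int(entry), exe, "running from world-writable dir"))
    return findings


if __name__ == "__main__":
    web_uid = pwd.getpwnam("apache").pw_uid  # account name taken from the post
    for pid, exe, reason in suspicious_processes(web_uid):
        print(f"{pid}\t{exe}\t{reason}")
```

Where root compromise is suspected, as in the post, output from the live system cannot be trusted, so an empty result is not evidence of a clean host. The same check is more reliable against a disk or memory image examined from a known-good machine.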