httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francisco Hidalgo Solá <fhidalgos...@yahoo.com.ar>
Subject Re: [users@httpd] I've been hacked, I need some help please...
Date Tue, 15 Mar 2005 15:01:14 GMT
OS, Gentoo Linux, recently upgraded (some days ago) to
the latest versions of what Gentoo developers consider
stable. The PHP scripts running, various versions of
phpBB, PHPmyadmin (secured), I think that there is a
PHPnuke there too...
I don't know the suspicios, but my brother instaled
some days ago a modification of the popular blog
software "world press", and he was with speed problems
in that script, everithing in my sites worked fine.
Now that I think of it, maybe thats the suspect number
one.


 --- Paul <paul@gubavision.com> escribió: 
> I would be interested in what OS you were running
> Apache on and what 
> PHP scripts you thought were suspect.
> On Tuesday, March 15, 2005, at 09:22  AM, Francisco
> Hidalgo Solá wrote:
> 
> > Yes, I'm sure root only files were changed, as my
> > complete log directory that is gone.
> Unfortunatelly,
> > or fortunatelly, this is my home machine hosting
> some
> > sites of friends, so I never worried that much for
> > security, only the normal things. I wasn't doing
> > remote logging either so I have no idea what
> happened.
> > I came to the same conclussion as you and other
> > people, I must reinstall everything to be sure.
> But
> > this post is mainly an attempt to be able to
> discover
> > what happened and if this was a security hole in
> this
> > specific version of apache or any other thing. So
> I
> > know what to do on my new installation.
> > I will start with Ivan Barrera's suggestions,
> chrooted
> > apache, mod_security maybe selinux, but this
> bothers
> > me so much, since this is only my home machine and
> I
> > don't want to spend that much time in it...
> > The first thing is remote logging, since I use
> > syslog-ng in all my machines this should be very
> easy.
> > Thank's for all the answers, if you know anything
> more
> > about what could have been the attack I would like
> to
> > hear about it.
> >
> >
> > --- Dennis Speekenbrink
> > <d.g.speekenbrink@silverstreak.nl> wrote:
> >> Hi,
> >>
> >> Please keep in mind that I'm not a security
> expert.
> >>
> >> Something about this says that they did not get
> root
> >> access to the machine.
> >> Are you absolutely sure that "root-only" files
> we're
> >> changed?
> >>
> >> Reasons for my thinking are:
> >> The rogue processes are running under the Apache
> >> user (why not root?)
> >> You can still log in. (usually root-exploits
> change
> >> the root password
> >> first thing, sadly speaking from my own
> experience)
> >> The rogue processes are located in /tmp which is
> >> world-writeable.
> >> If access was gained through Apache, and it was
> >> indeed running as an
> >> un-priviledged user, then they would need a
> second
> >> exploit to raise
> >> their access level to root. By default a security
> >> breach in apache
> >> should only compromise anything that Apache can
> >> touch.
> >>
> >> On the other hand:
> >> If you're logged in and the 'who' command shows
> >> absolutely nobody, then
> >> it is obviously at fault.
> >> If non-writeable files we're modified then an
> Apache
> >> / php exploit alone
> >> couldn't have done it.
> >> If system logs we're deleted that is almost
> >> certainly an indicator of a
> >> root-exploit.
> >>
> >> If you conclude that root-access was indeed
> gained,
> >> then the machine
> >> must be considered lost.
> >> Do not try to repair it, as you can never be sure
> >> you removed all traces
> >> of the attacker.
> >> If you assume that it was only a apache / php
> >> exploit then repair is
> >> possible but a reinstall might be safer.
> >>
> >> Good luck!
> >>
> >> Dennis
> >>
> >> p.s. if you have an off-site backup or remote
> >> logging try comparing data
> >> to see what has changed.
> >>
> >>
> >>
> >>
> >>
> >>
> >
>
---------------------------------------------------------------------
> >> The official User-To-User support forum of the
> >> Apache HTTP Server Project.
> >> See <URL:http://httpd.apache.org/userslist.html>
> for
> >> more info.
> >> To unsubscribe, e-mail:
> >> users-unsubscribe@httpd.apache.org
> >>    "   from the digest:
> >> users-digest-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail:
> >> users-help@httpd.apache.org
> >>
> >>
> >
> >
> > 	
> >
> > 	
> > 		
> >
>
___________________________________________________________
> > 250MB gratis, Antivirus y Antispam
> > Correo Yahoo!, el mejor correo web del mundo
> > http://correo.yahoo.com.ar
> >
> >
>
---------------------------------------------------------------------
> > The official User-To-User support forum of the
> Apache HTTP Server 
> > Project.
> > See <URL:http://httpd.apache.org/userslist.html>
> for more info.
> > To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
> >    "   from the digest:
> users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail:
> users-help@httpd.apache.org
> >
> 
> 
>
---------------------------------------------------------------------
> The official User-To-User support forum of the
> Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for
> more info.
> To unsubscribe, e-mail:
> users-unsubscribe@httpd.apache.org
>    "   from the digest:
> users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail:
> users-help@httpd.apache.org
> 
>  

__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis! 
¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message