httpd-users mailing list archives
From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] I've been hacked, I need some help please...
Date Tue, 15 Mar 2005 13:49:11 GMT
> I have apache-2.0.52 and all my main pages were
> changed to a HTML message written in WORD!!! (that for
> sure says it was a script kiddie)
> I think they got root access since all my log
> directory is gone and they rewrote all index.* files
> from all my filesystem directories with their own
> message, I've found two processes running under the user
> "apache", they are "r0nin" and "brk".

I see this all the time.
You are right, you were hacked with an insecure PHP script. And probably 
with an insecure version of phpBB.

> The "who" command shows nothing, so it seems it was
> changed. I've found some info on "r0nin" exploit but
> nothing on "brk", both files are in /var/tmp. There
> are also other files in /var/tmp, they are "dc"
> (executable), b.tgz and edy.tgz.
> As I said before, my major concern is root access. I'm
> almost sure they got in with an insecure PHP script,
> but as I see it (I could be wrong), this shouldn't be
> a major problem, that can run scripts with the
> unprivileged account "apache" but that's all,
> nonetheless they got root access from that
> unprivileged account.

If you have an outdated/unpatched kernel, you can fire up some race 
conditions and get root easily with an unprivileged account.

> Any ideas? I don't know what to do. I've read that
> the r0nin script opens a telnet session on port 1666,
> but this can't be the problem, since this port is
> blocked by the firewall and they would get an
> unprivileged telnet access anyway, right? I didn't
> find any info about the other scripts, I still have
> them there if you need any other info.
> Thank you very much.

MMh...
Start with blocking incoming connections. Remove those scripts, point 
your temp dirs to one with noexec properties (sometimes those damn 
kiddiez use /dev/shm, so setting it noexec sometimes works), you will 
have to search all over your system for modified files (using 
redhat/fedora is simple, running rpm -VVV for each pkg).
The best is to start with a clean system, running all the security you 
can. SELinux is good although kinda hard. mod_security, use a chrooted 
environment, etc...

> Francisco

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
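Two of the checks Ivan recommends above, written out as an added example (not code from the thread): picking the really suspicious lines out of `rpm -Va` output (content changes on non-config files, and missing files) and spotting tmp-style filesystems mounted without noexec. The rpm and /proc/mounts samples below are constructed for illustration, not taken from the compromised host.

```shell
#!/bin/sh
# rpm -V prints one line per differing file: a 9-column attribute string
# (S = size differs, 5 = MD5 digest differs, T = mtime differs, ...),
# an optional file type (c = config file), then the path. Config files
# are expected to change, so only non-config content changes are reported,
# plus files rpm reports as missing outright (think: a replaced "who").
suspicious_rpm_changes() {
    # reads rpm -Va output on stdin
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        ($1 ~ /5/ || $1 ~ /^S/) && $2 != "c" { print "MODIFIED " $NF }
    '
}

# Report /tmp, /var/tmp and /dev/shm when their mount options lack noexec.
# Input is /proc/mounts format: device mountpoint fstype options dump pass.
tmp_mounts_without_noexec() {
    # reads /proc/mounts style lines on stdin
    awk '
        $2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
            n = split($4, opt, ",")
            has_noexec = 0
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") has_noexec = 1
            if (!has_noexec) print $2
        }
    '
}

# Constructed sample of rpm -Va output (not from the hacked machine).
SAMPLE_RPM='S.5....T.    /usr/bin/ps
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.    /usr/bin/ls
missing     /usr/bin/who'

# Constructed sample of /proc/mounts.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda3 /var/tmp ext3 rw,noexec,nosuid 0 0
/dev/sda2 /tmp ext3 rw,nosuid 0 0'

# On a live box: rpm -Va | suspicious_rpm_changes ; tmp_mounts_without_noexec < /proc/mounts
printf '%s\n' "$SAMPLE_RPM" | suspicious_rpm_changes       # MODIFIED /usr/bin/ps, MISSING /usr/bin/who
printf '%s\n' "$SAMPLE_MOUNTS" | tmp_mounts_without_noexec # /dev/shm, /tmp
```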