httpd-users mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] I've been hacked, I need some help please...
Date Wed, 16 Mar 2005 12:51:08 GMT
> One question, does this mean that apache is insecure in some way or that 
> they've used a security hole in this version of apache, or is it something that 
> couldn't be avoided with the light security settings of my system? If this 

I don't think so.
If you were using the latest versions, it's difficult for it to be an Apache 
exploit (but not impossible).
Most of the time, these security flaws are due to careless programming 
and too relaxed directives (both in Apache and PHP).

> is about an exploit to apache I would like to help resolve this issue if I 
> can, at least providing the programmers with the scripts they've used to hack 
> my machine so they can investigate.

You don't need to reinstall. It is highly recommended though.
If you have the time, you'll have to search all over your system. I'm 
not sure what packaging system gentoo uses, but I'm sure it can 
check the integrity of the files (md5sum, etc). It's not impossible to 
fix a "hacked" machine.. but it is long and tedious.
  As you didn't find the logs, it is difficult to really know if you were 
hacked via insecure php programming (I insist.. most probably) or some 
other sort of hack (if you say 80 is the only internet-wide open port.. 
the other chance is an apache/php/cgi exploit). I'm kinda confident it's 
not Apache's fault, as I'm running both latest releases (2.x and 1.x) in 
one of the largest ISPs in my country. And most of the time someone 
gets "hacked", it is the security issue I said before.
  You should try to recover part of the log files from the hard disk, 
if you want to see exactly what happened.
> On Tue 15 Mar 2005 12:01, Ivan Barrera A. wrote:
> 
>>>Thanks for all the answers, if you know anything more
>>>about what could have been the attack I would like to
>>>hear about it.
>>
>>I'm almost sure as you said, it was a php-insecure page related exploit.
>>r0nin is a common script to use, and upload. (i fix lots of clients'
>>computers with this).
>>As logs are gone, it is difficult to determine the exact way they hacked
>>into the machine, unless you try to search through the disk (if they
>>didn't zero it out).
>>Take a look at your sites. I've found that a common denominator for this
>>situation are: phpNuke (especially when using that eGallery crap),
>>phpBB, Cpanel default configuration, sites that upload files using
>>global vars (register_globals = on), and so on..
>>
>>Unfortunately, the internet is plagued by those damn kiddiez, who don't do
>>anything useful. They just get into your box (using some pointer, or scripts
>>out there), and start placing some files, DoS to other networks, or just
>>installing lots of irc-bots. Some more advanced guys replace system
>>files (which keep changing other executables to keep the systems
>>vulnerable), sniff users/passwords of the machine/lan, sniff packets in
>>search of a credit card number, etc.
>>
>>Common places for installing "hack" utils:
>>
>>/var/tmp
>>/tmp
>>/dev/shm
>>/dev/" " (or more spaces...)
>>/dev/... (or more dots, or with spaces)
>>/dev/someunknowndir
>>/usr/share/locale (i've seen lots using sk under that path)
>>/" " (or more spaces)
>>
>>(in cpanel machines)
>>/usr/local/cpanel/proxy
>>/usr/local/cpanel/ (almost any of the dirs. under that)
>>
>>(obviously, there are lots more.. but almost every machine i fix had
>>these directories compromised)
>>
>>Some simple stuff:
>>
>>link /var/tmp to /tmp
>>mount tmp as noexec, and some other restrictive permissions
>>mount /dev/shm as noexec
>>(this is to bug the kiddiez, they can use lots of other directories)
>>using selinux is kinda complex, but gives lots of other options.
>>
>>How to see if you are hacked:
>>
>>if on redhat/fedora, the common packages to get changed are psmisc, procps,
>>net-tools and util-linux
>>rpm -VVV all of those packages.
>>
>>(if you don't have ps, lsof, and netstat changed)
>>see the processes running (ps axuf)
>>see the ports open (netstat -ln) and the processes which opened them (netstat
>>-lntup)
>>run lsof. Look at any suspicious port/file.
>>
>>
>>There is lots more to do...
>>But if you can, better to reinstall from scratch.
>>
>>(it happened to me 2 days ago. i installed a new server with default
>>installation. went home, and it was hacked already. My fault for leaving
>>ssh1 open, and a soft root password).
>>
>>
>>>--- Dennis Speekenbrink
>>>
>>><d.g.speekenbrink@silverstreak.nl> wrote:
>>>
>>>>Hi,
>>>>
>>>>Please keep in mind that I'm not a security expert.
>>>>
>>>>Something about this says that they did not get root access to the machine.
>>>>Are you absolutely sure that "root-only" files were changed?
>>>>
>>>>Reasons for my thinking are:
>>>>The rogue processes are running under the Apache user (why not root?)
>>>>You can still log in. (usually root-exploits change the root password
>>>>first thing, sadly speaking from my own experience)
>>>>The rogue processes are located in /tmp which is world-writeable.
>>>>If access was gained through Apache, and it was indeed running as an
>>>>unprivileged user, then they would need a second exploit to raise their
>>>>access level to root. By default a security breach in Apache should only
>>>>compromise anything that Apache can touch.
>>>>
>>>>On the other hand:
>>>>If you're logged in and the 'who' command shows absolutely nobody, then
>>>>it is obviously at fault.
>>>>If non-writeable files were modified then an Apache / php exploit alone
>>>>couldn't have done it.
>>>>If system logs were deleted that is almost certainly an indicator of a
>>>>root-exploit.
>>>>
>>>>If you conclude that root-access was indeed gained, then the machine
>>>>must be considered lost.
>>>>Do not try to repair it, as you can never be sure you removed all traces
>>>>of the attacker.
>>>>If you assume that it was only an Apache / php exploit then repair is
>>>>possible but a reinstall might be safer.
>>>>
>>>>Good luck!
>>>>
>>>>Dennis
>>>>
>>>>p.s. if you have an off-site backup or remote logging try comparing data
>>>>to see what has changed.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
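The checks the replies above recommend (noexec on the temp directories, hiding directories named only with spaces or dots, rpm -V on the commonly replaced packages), gathered into one POSIX shell triage helper. This is an added example and not code from any of the thread's authors; the function names, the list of directories scanned and the "run" argument are my own choices.

```shell
#!/bin/sh
# Added triage helper (not from the thread). It gathers three checks the
# replies recommend: noexec on /tmp, /var/tmp and /dev/shm (read from a
# /proc/mounts-style file), directories named only with spaces or dots
# (the "/dev/   " and "/dev/..." hiding places), and rpm -V on the
# packages the thread names, when rpm is present.

# mount_has_noexec MOUNTS_FILE MOUNTPOINT: exit 0 if the mountpoint is
# listed with noexec among its options, 1 otherwise.
mount_has_noexec() {
    awk -v mp="$2" '
        $2 == mp { n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# find_odd_names DIR: print direct children of DIR whose names contain
# nothing but spaces and dots ("." and ".." themselves are skipped), which
# plain "ls" output makes easy to overlook.
find_odd_names() {
    for p in "$1"/* "$1"/.*; do
        [ -e "$p" ] || continue
        n=${p##*/}
        case "$n" in .|..) continue ;; esac
        if [ -z "$(printf '%s' "$n" | tr -d ' .')" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# audit_host: run the checks against the live system and print findings.
audit_host() {
    for mp in /tmp /var/tmp /dev/shm; do
        if mount_has_noexec /proc/mounts "$mp"; then
            echo "ok:      $mp is mounted noexec"
        else
            echo "WARNING: $mp is not a separate noexec mount"
        fi
    done
    for d in / /dev /tmp /var/tmp /usr/share/locale; do
        find_odd_names "$d" | sed 's/^/WARNING: suspicious name: /'
    done
    # rpm -V prints only files that differ from the package database.
    if command -v rpm >/dev/null 2>&1; then
        rpm -V psmisc procps net-tools util-linux
    fi
}

if [ "${1:-}" = "run" ]; then audit_host; fi
```

Run it as `sh audit.sh run` on the suspect host; a missing noexec only means the directory is writable and executable by the web server user, which is the combination the thread's hiding places rely on.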