httpd-users mailing list archives

From John <isofr...@cc.uoi.gr>
Subject Re[2]: [users@httpd] I've been hacked, I need some help please...
Date Mon, 21 Mar 2005 20:31:50 GMT

From: dan <info@hostinthebox.net>
To: users@httpd.apache.org
Date: Monday, March 21, 2005, 10:30:38 PM
Subject: [users@httpd] I've been hacked, I need some help please...



  Monday, March 21, 2005, 10:30:38 PM, you wrote:

  > John wrote:
>> From: cron@odi.com.br <cron@odi.com.br>
>> To: <users@httpd.apache.org>
>> Date: Monday, March 21, 2005, 9:45:51 PM
>> Subject: [users@httpd] I've been hacked, I need some help please...
>> 
>> 
>> 
>>   Monday, March 21, 2005, 9:45:51 PM, you wrote:
>> 
>>   > I got the same problem one month ago, I was running awstats (log statistics),
>> 
>>>anyway, they got access to /tmp, wrote some files and executed the telnet
>>>program. At first I thought, well, this can't be, the firewall blocks everything
>>>except port 80. I found the code for the exploit and, bad news, the exploit
>>>connects to a remote machine and gives a telnet shell on the remote machine.
>>>After that I'm blocking outgoing ports too. Too bad for me and my laziness.
>>>Those stupid things made me work 28 hs non stop.
>> 
>> 
>> 
>> 
>>>Also found a lot of backdoors, I don't know if they were working at all, but
>>>running on ports already in use like port 80 and 21, and lots of modified
>>>files like ps, who, ftpwho and some freaking ftp server (gssftp) which with
>>>some very weird install instructions gave root access to remote users. At
>>>this point I was sure it was a script kiddie but found evidence of more than
>>>one attacker.
>> 
>> 
>> 
>> 
>>>My point is I could NEVER feel safe just fixing things. So reinstalled.
>> 
>> 
>> 
>> 
>>>Angelo
>> 
>> 
>>>----- Original Message ----- 
>>>From: "Ivan Barrera A." <Bruce@Ivn.cl>
>>>To: <users@httpd.apache.org>
>>>Sent: Wednesday, March 16, 2005 9:51 AM
>>>Subject: Re: [users@httpd] I've been hacked, I need some help please...
>> 
>> 
>> 
>> So you think that was an awstats exploit that let the intruder
>> install the telnet program?
>> 
>> Which awstats version were you using?
>> 
>> Thanks in advance
>> 
>> John
>> 

> This is a known exploit that affects awstats-6.2.  It can be fixed by
> either setting AllowToUpdateStatsFromBrowser = 0, or upgrading to 6.3.

> I guess a lot of people have been hit hard by this.  That's too bad,
> because awstats was, and maybe still is, a very useful tool.  It's a
> shame to think of how other people see it now.

> Thanks
> -dant


> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


I haven't fixed that error in my awstats 6.2 but I used the .htaccess
to restrict other users from viewing it.
Is this a good solution or must I upgrade that script?



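Added example, not part of any message in this thread: a small audit that checks both mitigations discussed above, the AllowToUpdateStatsFromBrowser setting in an AWStats config and whether an .htaccess restricts access to the stats page. The sample inputs are constructed, and the parsing rules (Key=Value lines, "#" comments, last value wins, Apache 2.0-style access directives) are assumptions.

```python
import re

KEY = "AllowToUpdateStatsFromBrowser"  # setting named in the thread

# Constructed sample inputs, not taken from any real host.
SAMPLE_CONF = '''\
LogFile="/var/log/httpd/access_log"
AllowToUpdateStatsFromBrowser=1   # enabled for convenience
#AllowToUpdateStatsFromBrowser=0
'''
SAMPLE_HTACCESS = '''\
AuthType Basic
AuthName "stats"
AuthUserFile /etc/httpd/stats.passwd
Require valid-user
'''

def conf_value(text, key):
    """Last uncommented value of key in Key=Value text, or None if never set."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r'(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m and m.group(1) == key:
            value = m.group(2).strip()                # assumption: last one wins
    return value

def htaccess_restricts(text):
    """Heuristic: True if the file demands authentication or denies everyone."""
    lines = [l.split("#", 1)[0].strip().lower() for l in text.splitlines()]
    auth = any(re.match(r"require\s+(valid-user|user\s|group\s)", l) for l in lines)
    deny = any(re.match(r"deny\s+from\s+all\b", l) for l in lines)
    return auth or deny

def audit(conf_text, htaccess_text):
    """Return a list of finding codes for one AWStats config plus its .htaccess."""
    findings = []
    value = conf_value(conf_text, KEY)
    if value == "1":
        findings.append("browser-update-enabled")
    elif value is None:
        findings.append("browser-update-unset")       # verify the effective default
    if not htaccess_restricts(htaccess_text):
        findings.append("stats-page-unrestricted")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_HTACCESS))
```

In the constructed sample the .htaccess requires a login, yet the audit still reports the setting as enabled, because an access restriction limits who can reach the script without changing the script's configuration.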

