httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tim Burden" <...@burden.ca>
Subject Re: [users@httpd] Hacked the website replace the index.hm page
Date Mon, 09 May 2005 00:32:51 GMT
No, I can't. I'm not a security expert. Hopefully someone else can help you
more.

Sure looks to me like a phpBB hack though.

----- Original Message ----- 
From: "Mathew Thomas" <mathew.thomas@rmit.edu.au>
To: <users@httpd.apache.org>
Sent: Sunday, May 08, 2005 8:23 PM
Subject: Re: [users@httpd] Hacked the website replace the index.hm page


Hi Tim,

Could you please explain it bit more. There is no connection between the
hacked website and phpBB website.( both are different virtual host). We are
using php version 4.3.9. Do you mean upgrade php?

Thanks
Mathew


>>> tim@burden.ca 9/05/05 10:13:21 >>>
If you google admin_styles.php you'll find it's a known phpBB hack.

Update, replace, or disable the phpBB boards and change all passwords.

----- Original Message ----- 
From: "Mathew Thomas" <mathew.thomas@rmit.edu.au>
To: <users@httpd.apache.org>
Sent: Sunday, May 08, 2005 8:00 PM
Subject: Re: [users@httpd] Hacked the website replace the index.hm page


Hi Tim,

The intruder replaced only two index.htm files. There is no evidence that
the server has been hacked other than two index.htm file has been replaced.

The phpBB websete is owned by different user and group than the site which
has been hacked.

The following is from the access.log. ( The hacked replaced the index.htm
with one line of text.

201.128.21.202 - - [08/May/2005:08:05:43 +1000] "GET
/virtualforum//admin/admin_styles.php?mode=addnew&in
stall_to=../../../../../../../../../../../../../../../../../../../tmp&nigga=
system(\"cd%20/web/departments/student;echo%20XTech%20Inc%20ownz%20-%20stude
nts%20-%20y0u%20suck%20>index.shtml\");&sid=655f5166e6110dc5959fe46a96192331
HTTP/1.1" 200 7976


Thanks
Mathew


>>> tim@burden.ca 9/05/05 9:24:23 >>>
Ok. What evidence do you have that it was a hack? (as opposed to, say, FTP
passwords getting out somehow).

And, by any chance, do the sites that were hacked share any passwords with
accounts on any of the phpBB installations? And, with what were the index
files replaced?

----- Original Message ----- 
From: "Mathew Thomas" <mathew.thomas@rmit.edu.au>
To: <users@httpd.apache.org>
Sent: Sunday, May 08, 2005 7:15 PM
Subject: Re: [users@httpd] Hacked the website replace the index.hm page


Hi Tim,

Thanks for the reply. Yes, couple of virtual hosts are running phpPBB. The
website which have been hacked are not using PHP,mysql or ssl.

Thanks
Mathew


>>> tim@burden.ca 9/05/05 8:56:04 >>>
We'll probably need more details. You running phpBB anywhere?

----- Original Message ----- 
From: "Mathew Thomas" <mathew.thomas@rmit.edu.au>
To: <users@httpd.apache.org>
Sent: Sunday, May 08, 2005 6:49 PM
Subject: [users@httpd] Hacked the website replace the index.hm page


Hi All,

We are running apache_1.3.32 with mod_ssl, mySQL and PHP. OS is Solaris 9.
Apache is running with

User httpd
Group http

Most of the Documentroot is owned by httpd.( There are several virtualhost
running on this server)

its-wu-web:departments#  ps -ef | grep http
   httpd 18168 24970  0 00:00:02 ?        0:04
/usr/local/apache/bin/httpd -DSSL
   httpd 16498 24970  0 08:39:24 ?        0:00
/usr/local/apache/bin/httpd -DSSL
   httpd 16492 24970  0 08:39:24 ?        0:00
/usr/local/apache/bin/httpd -DSSL
   httpd 15664 24970  0 08:28:56 ?        0:00
/usr/local/apache/bin/httpd -DSSL
   httpd 16488 24970  0 08:39:23 ?        0:00
/usr/local/apache/bin/httpd -DSSL
   httpd 18182 24970  0 00:00:07 ?        0:04
/usr/local/apache/bin/httpd -DSSL

Some how couple of the website was hacked and replaced the index.htm pages.
How can I prevent it happen again?

Thanks
Mathew




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message