httpd-users mailing list archives

From "Station51 Donations" <donati...@station51.net>
Subject RE: [users@httpd] Machine compromised via apache 2.0.54... I think.
Date Tue, 27 Sep 2005 16:01:06 GMT
Hello,

We discovered this problem on our own server quite some time ago. It was
linked to a problem with the forum software, phpBB. If you or anyone on the
server (customers etc) are running it, they should be advised to upgrade to
the latest versions. This also goes for any *Nuke software such as postnuke
and other content management systems. They're spaghetti coded and often have a
lot of security problems. Our servers are now forbidding clients to install
any nuke CMSes as well as install phpBB because we feel it's simply not worth
the risk of our entire customer base.

Someone here probably has more technical documentation about the specific
phpBB/webalizer bug I'm referring to. 

Thanks,
Bill


-----Original Message-----
From: System Administrator [mailto:hackersreallysuck@gmail.com] 
Sent: Tuesday, September 27, 2005 10:47 AM
To: users@httpd.apache.org
Subject: [users@httpd] Machine compromised via apache 2.0.54... I think.

Because of many recent attacks on my machines in the last few months,
I built a new machine using a processor with a No-Execute bit.  I put
all my sites on there with Apache 2.0.54 and patched everything to
date.  I only allow port 80, 443, ftp and ssh to reach the machine. 
There is only one user on the machine, me.  The FTP authentication is
handled by an NcFTPd internal database.  The other day, my machine was
flooding the network and nothing worked.  I checked top and there was
a perl script called leet.pl running.  I did a find and there were
several perl scripts owned by user apache in my /tmp.  They all seemed
to be connect-back scripts.

I'm no expert on security, but it seems odd to me that a remote user
could use apache to write to my /tmp directory and then execute the
script.  Any idea how this happened?  How do I prevent it in the
future?  How do I sterilize my machine?

Thanks for the help.

Farmer J

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
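
The search the original poster describes (a find for scripts owned by user apache in /tmp), written out as an added example that is not part of either message. The default directory and user name are taken from the report; the function name `suspect_scripts` is made up here.

```shell
#!/bin/sh
# Added triage example (not from the thread). List regular files under a
# directory that are owned by the web server account and look runnable:
# they begin with a "#!" interpreter line or have an execute bit set.
# Arguments: directory to scan, owning user or numeric uid.
# Defaults (/tmp, "apache") are assumptions taken from the report.
suspect_scripts() {
    dir=${1:-/tmp}
    owner=${2:-apache}
    # -xdev keeps the scan on one filesystem; "-exec ... {} +" passes the
    # file names as arguments, so unusual names cannot break the loop.
    find "$dir" -xdev -type f -user "$owner" -exec sh -c '
        for f in "$@"; do
            reason=""
            # A file whose first two bytes are "#!" names its own interpreter.
            if [ "$(LC_ALL=C head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
                reason="shebang"
            fi
            # An execute bit is not required to run "perl file", so it is
            # reported as a separate signal rather than as a precondition.
            if [ -x "$f" ]; then
                reason="${reason:+$reason,}executable"
            fi
            if [ -n "$reason" ]; then
                printf "%s\t%s\n" "$reason" "$f"
            fi
        done
    ' sh {} +
}
```

Each output line is a reason (`shebang`, `executable`, or both) followed by a tab and the path. Anything it lists should be copied off for analysis before it is deleted.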


