httpd-users mailing list archives

From "Tom Ray [Lists]" <li...@blazestudios.com>
Subject [users@httpd] I believe I've been compromised.
Date Wed, 06 Sep 2006 04:31:31 GMT
I'm running a SuSE 9.1 server with Apache 2.0.58 and as of last Thursday 
I'm seeing a ton of files created in spots they should be. All created 
by wwwrun (the webserver). I'm finding PHP scripts that are blatantly 
commented with hacker code, _vti_ directories in sites and this server 
doesn't have FP running on it. Cron jobs owned by wwwrun created and I 
can see my machine connected to a strange IP on port 22 which is telling 
me that my machine has opened a ssh connection with their server.

I'm seeing files that execute PHP Shell 1.7 which allows them to execute 
commands via a form.

Has anyone ever run into this kind of problem? I've never really been 
hacked like this before and I keep thinking I have it cleaned up but it 
doesn't appear that way. One script had this in it: Powered By 
#KARTUBEBEN CrEW @ DALnet

I know this may be a bit OT but any thoughts or suggestions would be 
greatly helpful and appreciated.

Thanks!
