httpd-users mailing list archives

From Oleg Goryunov <oleg.goryu...@gmail.com>
Subject Re: [users@httpd] Someone hacked my apache2 server
Date Sun, 04 Apr 2010 08:42:58 GMT
Morgan
I did not have Tripwire installed. Will do that :) The problem is that I
can't find the files that were modified. As I indicated in the initial
email, the hacker's page started to show up at some point, then STOPPED,
then, in 20 minutes, started again, and then stopped again. After that I shut
down apache. So, I am even clueless where to search for the logs.

The only thing that is relevant to the attack is this:

mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:17 -0500] "GET
//phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:18 -0500] "GET
//pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Wind
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:19 -0500] "GET
//admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Wi
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET
//dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.0;
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET
//mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Wi
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:21 -0500] "GET
//php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:22 -0500] "GET
//myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.0;
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:22 -0500] "GET
//PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:23 -0500] "GET
//phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:24 -0500] "GET
//p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-"
"Mozilla/4.0 (compatible; MSIE 6.0; Wi

So, I suspect that the vulnerability might have been in the phpmyadmin. Could
it be there? Or was the hacker trying to find the most common ways to get
in?

Oleg.

On Sun, Apr 4, 2010 at 3:28 AM, Morgan Gangwere <0.fractalus@gmail.com> wrote:

> On 4/3/2010 4:24 PM, Oleg Goryunov wrote:
>
>>
>> THe problem is that I do not see any files changed on the server (and
>> thus cannot check the owner of them). Where should I look for the
>> possible evidence of someone else being there?
>>
>
> Do you have Tripwire installed?
> If so, just look at its logs :)
>
> Otherwise, I'd look carefully at the dates that things were modified. You
> *do* have backups, right?
>
> --
> Morgan Gangwere
>
> >> Why?
> > Because it breaks the logical flow of conversation, plus makes messages
> unreadable.
> >>> Top-Posting is evil.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
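The log excerpt above is the classic signature of an automated scan: one client walking a dozen phpMyAdmin path variants in a few seconds, every one answered 404, which means none of those particular paths existed on the server. The question the thread leaves open (scan versus actual entry point) is answered by looking at the rest of the same client's requests, specifically the ones that did not get a 404. The following Python script is an added example written for this archive page, not code from the thread or from the Apache project. It parses the vhost-prefixed combined log format seen in the excerpt, tolerates lines truncated in the User-Agent field the way the quoted ones are, groups config.inc.php/phpinfo probes per client, flags a burst within a time window, and separates the probes that were answered with something other than 404. The sample lines, the documentation-range IP addresses and the function names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the log format in the post (vhost:port, then
# the standard combined format). The last line is deliberately cut off inside
# the User-Agent field, as the quoted lines in the archive are.
SAMPLE_LOG = """\
mysite.com:80 203.0.113.7 - - [02/Apr/2010:13:44:17 -0500] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 203.0.113.7 - - [02/Apr/2010:13:44:18 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 203.0.113.7 - - [02/Apr/2010:13:44:19 -0500] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 203.0.113.7 - - [02/Apr/2010:13:44:20 -0500] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 203.0.113.7 - - [02/Apr/2010:13:44:25 -0500] "GET /phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 200 1432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 198.51.100.9 - - [02/Apr/2010:13:50:02 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
mysite.com:80 203.0.113.7 - - [02/Apr/2010:13:44:26 -0500] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.
"""

# vhost:port, client IP, ident, user, [timestamp], "request", status, size,
# then optional "referer" "user-agent"; the closing quote of the user-agent is
# optional so that lines truncated by mail wrapping still parse.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"?)?'
)

# Request paths that look like the probes in the excerpt: phpMyAdmin config
# include paths and attempts to pass phpinfo() through a parameter.
PROBE_RE = re.compile(r'config\.inc\.php|phpinfo\(', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probe_bursts(log_text, window_seconds=60, min_hits=5):
    """Group probe-like requests per client IP and report bursts.

    A client is reported when at least min_hits probes fall inside any
    window_seconds-long window. For each reported client the result lists how
    many probes were answered 404 (nothing there) and which ones were answered
    with any other status, since those are the requests worth investigating.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        # Sliding window: the largest number of probes within window_seconds.
        best, j = 0, 0
        for i in range(len(recs)):
            while recs[i]["time"] - recs[j]["time"] > timedelta(seconds=window_seconds):
                j += 1
            best = max(best, i - j + 1)
        if best >= min_hits:
            report[ip] = {
                "probes": len(recs),
                "max_in_window": best,
                "not_found": sum(1 for r in recs if r["status"] == 404),
                "answered": [(r["path"], r["status"]) for r in recs if r["status"] != 404],
            }
    return report


if __name__ == "__main__":
    for ip, info in find_probe_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probes, {info['max_in_window']} within 60s, "
              f"{info['not_found']} answered 404")
        for path, status in info["answered"]:
            print(f"  investigate: {status} {path}")
```

Run against a real access log, the 404 rows are the noise every public web server collects; what matters is the `answered` list, because a probe that got a 200 (or a 500) reached something. In the thread's excerpt every probe got a 404, so these ten requests did not by themselves get anyone in, and the search has to widen to the same client's other requests, to POSTs, and to the error log around the times the defaced page appeared and disappeared. The script is evidence triage only; it says nothing about how the machine was actually compromised.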
