httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oleg Goryunov <oleg.goryu...@gmail.com>
Subject Re: [users@httpd] Someone hacked my apache2 server
Date Sun, 04 Apr 2010 09:41:29 GMT
A good explanation I received from a datacenter where I have the server:

"we classify this sort of issue as "Stealing the gateway". basically
what someone does is they send out false arp packets(flooding the entire
network segment) causing all servers and switching to think their server is
the
gateway instead of our router. they can then insert their own frame inside
of
all web traffic. this sort of issue is usually resolved within a few minutes
when we terminate the server. most likely this is what happened and explains
why the issue started and then suddenly went away without any evidence on
your
server of being hacked."
Unfortunately, they said they did not have a database of registered events
of this kind. :(
Oleg.

On Sun, Apr 4, 2010 at 12:48 PM, Oleg Goryunov <oleg.goryunov@gmail.com>wrote:

> Lester,
> Yes, I assume it might be a third party problem, not my server problem, but
> I need to be sure.
> If it was not my local DNS hack, since at least two people from different
> networks, from different cities (me and another person) observed the same
> behavior. Another point is that the hacked page showed up irrespective of
> the site name (I have three sites running on a dedicated server in US colo)
> on all the sites that are on that server.
> Could they have rerouted traffic somewhere closer to the datacenter? I
> doubt...
> Now, the site looks OK. But I think it can happen again.
> Oleg.
>
>
>
> On Sun, Apr 4, 2010 at 10:20 AM, Lester Caine <lester@lsces.co.uk> wrote:
>
>> Oleg Goryunov wrote:
>>
>>>
>>> Any help is appreciated.
>>>
>>
>> Oleg - Does YOUR copy of the index page look OK reading it as a file?
>> What no one has mentioned is that DNC servers have been hacked and could
>> be doing the re-routing. It may not be YOUR site which is compromised.
>>
>> I can view my own sites 'locally' without going through the internet, any
>> chance you can check via that route?
>>
>> If the site itself looks OK, then check the config files for apache are
>> still actually looking at that site, but I suspect that because you say it
>> is intermittent it may well be outside you control. We have had a number of
>> sites giving us a 'problem', but when accessed with the IP address of the
>> machine direct then they are actually fine!
>>
>> --
>> Lester Caine - G8HFL
>> -----------------------------
>> Contact - http://lsces.co.uk/wiki/?page=contact
>> L.S.Caine Electronic Services - http://lsces.co.uk
>> EnquirySolve - http://enquirysolve.com/
>> Model Engineers Digital Workshop - http://medw.co.uk//
>> Firebird - http://www.firebirdsql.org/index.php
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Mime
View raw message