httpd-users mailing list archives

From James <ja...@nixsecurity.org>
Subject Re: [users@httpd] Signs of Apache Web Server been hacked
Date Mon, 11 Nov 2013 04:34:06 GMT
I'd start by running strace on the Apache PID that's running bash - strace -pPID, see man strace
for more information. You may have to install the package, if strace isn't currently installed.
This should give you an idea of what the process is doing, if anything.

You could also look for exec, system, etc. functions in the php scripts by grep'ing for the
functions. Check the php manual for a full list of functions.

Mauricio Tavares <raubvogel@gmail.com> wrote:
>On Sun, Nov 10, 2013 at 9:36 PM, Rizwan Raza <rizwan.raza@gmail.com> wrote:
>> There is a bunch of php scripts on the server. Not sure how to inspect and
>> find out the hijacked piece. I would appreciate any suggestion(s)
>>
>      You could start by seeing if any of the files have been changed
>recently (OS-specific; are you running Linux?) or something has been
>uploaded (if it is still there). Shell exploits would be in the latter
>group. Can people update files to your server? I myself have written
>one of those, and it would tell me stuff like user I am running as,
>OS/apache/php version, kernel (if linux), and so on. And that was
>before I went about exploring.
>
>I think OWASP has some kind of test for weaknesses; at least they have
>docs on best practices.
>
>I would also think the apache log files would show something like a
>given ip sending commands out to the server (trying to find a
>weakness).
>
>Look on the bright side: at least apache is not being run as root.
>>
>> On Sun, Nov 10, 2013 at 6:55 PM, Nick Kew <nick@webthing.com> wrote:
>>>
>>>
>>> On 11 Nov 2013, at 00:15, Rizwan Raza wrote:
>>>
>>> > Notice the last two listings. What does that mean? Is my Apache instance
>>> > hacked?
>>>
>>> Maybe.
>>>
>>> The most likely origin of a shell from apache is from a script.
>>> That could be a vulnerable script that's got hijacked, or a script
>>> that intentionally runs a shell.  Processes hanging around
>>> could mean a script that didn't run&exit cleanly (and should
>>> be fixed).
>>>
>>> Take a long hard look at your scripts, and look for any clues
>>> in your error log.
>>>
>>> --
>>> Nick Kew
>>>
>---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
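
The two checks suggested in this thread (grep the PHP scripts for command-execution functions, and look for recently changed files) can be combined in a short triage script. This is an added example, not part of the original message; the function names, the `.php`-only file filter, the 7-day window and the docroot path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: first-pass triage of a PHP docroot. Source this file, then e.g.
#   scan_php_exec /var/www/html        (path is an assumption)
#   recent_suspects /var/www/html 7

# PHP functions that run OS commands or evaluate strings as code.
# Not exhaustive (see the PHP manual); obfuscated code will not match.
# The leading character class skips look-alikes such as curl_exec(),
# $pdo->exec() and Class::exec().
PHP_EXEC_RE='(^|[^A-Za-z0-9_>$:])(exec|system|passthru|shell_exec|popen|proc_open|pcntl_exec|eval)[[:space:]]*\('

# scan_php_exec DIR
# Print "file:line:text" for every call-like match under DIR.
# PHP function names are case-insensitive, hence grep -i.
scan_php_exec() {
    find "$1" -type f -name '*.php' \
        -exec grep -nHiE "$PHP_EXEC_RE" {} + | sort
}

# recent_php DIR DAYS
# List PHP files whose content changed within the last DAYS days.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# recent_suspects DIR DAYS
# Files that are both recently modified and contain a match:
# the shortest list to read first.
recent_suspects() {
    find "$1" -type f -name '*.php' -mtime "-$2" \
        -exec grep -liE "$PHP_EXEC_RE" {} + | sort
}
```

Modification times can be reset by whoever wrote the file, so an empty `recent_suspects` result does not clear the older files; review the full `scan_php_exec` output as well.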