[users@httpd] I've been hacked, I need some help please...


 



Hi, my Apache web server has been hacked and they got root access; this is my major concern.

I have apache-2.0.52 and all my main pages were changed to an HTML message written in WORD!!! (That for sure says it was a script kiddie.)

I think they got root access since my whole log directory is gone and they rewrote all index.* files in all my filesystem directories with their own message. I've found two processes running under the user "apache": they are "r0nin" and "brk". The "who" command shows nothing, so it seems it was changed. I've found some info on the "r0nin" exploit but nothing on "brk"; both files are in /var/tmp. There are also other files in /var/tmp: "dc" (executable), b.tgz and edy.tgz.

As I said before, my major concern is root access. I'm almost sure they got in with an insecure PHP script, but as I see it (I could be wrong), this shouldn't be a major problem: that can run scripts with the unprivileged account "apache", but that's all. Nonetheless they got root access from that unprivileged account.

Any ideas? I don't know what to do. I've read that the r0nin script opens a telnet session on port 1666, but this can't be the problem, since this port is blocked by the firewall and they would get unprivileged telnet access anyway, right? I didn't find any info about the other scripts; I still have them there if you need any other info.
Thank you very much.

Francisco
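A triage helper for the indicators Francisco lists (index.* files overwritten with a page saved from Word, processes owned by "apache" running out of /var/tmp, unknown files dropped there). This is an added example, not part of the original message or any reply on the list. It assumes, which the post does not say, that a page saved from Microsoft Word carries the usual `<meta name=Generator content="Microsoft Word ...">` tag and uses that as the defacement marker; the function names, the document root default and the scratch-directory list are my own choices.

```bash
#!/bin/sh
# Added triage helper, not from the original post. It automates the checks
# the poster did by hand: find index.* files overwritten with a page saved
# from Microsoft Word, find processes owned by the web-server user whose
# executable lives in a scratch directory, and inventory that directory.
# Assumption (not stated in the post): a page saved from Word carries a
#   <meta name=Generator content="Microsoft Word ..."> tag, used as marker.
# Everything is read from the filesystem and /proc directly rather than via
# ps/who/last, because those binaries may have been replaced.

WORD_MARKER='content="Microsoft Word'

# find_defaced ROOT
#   Print one line per index.* file under ROOT containing WORD_MARKER:
#   mtime, sha256 and path, tab-separated. Hashes and timestamps are
#   recorded before anything is cleaned up so they survive as evidence.
find_defaced() {
    find "$1" -type f -name 'index.*' 2>/dev/null | while IFS= read -r f; do
        grep -qi "$WORD_MARKER" "$f" 2>/dev/null || continue
        mtime=$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$mtime" "$sum" "$f"
    done
}

# procs_in_scratch USER
#   Print pid, executable path and command line for every process owned by
#   USER whose executable resolves to /tmp, /var/tmp or /dev/shm. Uses the
#   Uid: line of /proc/PID/status and the /proc/PID/exe link, which still
#   tell the truth when a trojaned ps would not. Returns 1 for unknown USER.
procs_in_scratch() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    for p in /proc/[0-9]*; do
        puid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null)
        [ "$puid" = "$uid" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
                printf '%s\t%s\t%s\n' "${p#/proc/}" "$exe" "$cmd" ;;
        esac
    done
}

# hash_scratch DIR
#   Inventory DIR (e.g. /var/tmp): sha256, size, mtime and path of each
#   regular file, so the dropped tools (r0nin, brk, dc, b.tgz, edy.tgz in
#   the post) can be identified and submitted for analysis later.
hash_scratch() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%s %y' "$f" 2>/dev/null)" "$f"
    done
}

# Stand-alone run (TRIAGE_MAIN=1 sh triage.sh [DOCROOT] [USER]): check the
# document root, the web-server user's processes and /var/tmp on this host.
if [ "${TRIAGE_MAIN:-0}" = 1 ]; then
    echo "== defaced index files under ${1:-/var/www}"
    find_defaced "${1:-/var/www}"
    echo "== ${2:-apache}-owned processes running from scratch directories"
    procs_in_scratch "${2:-apache}"
    echo "== inventory of /var/tmp"
    hash_scratch /var/tmp
fi
```

Run it from a clean copy of the tools (a statically linked busybox or a rescue CD), not the system's own /bin, since "who" already behaves as if it was replaced; the package manager's verification (rpm -V or debsums) will show which other binaries changed. Save the three listings off-box before touching /var/tmp, because the hashes are what lets the dropped files be matched against known rootkit and exploit packages afterwards.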



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


