I have apache-2.0.52 and all my main pages were changed to an HTML message written in WORD!!! (that for sure says it was a script kiddie). I think they got root access since my whole log directory is gone and they rewrote all index.* files in all my filesystem directories with their own message. I've found two processes running under the user "apache": they are "r0nin" and "brk".
I see this all the time. You are right, you were hacked with an insecure PHP script, and probably with an insecure version of phpBB.
The "who" command shows nothing, so it seems it was changed. I've found some info on the "r0nin" exploit but nothing on "brk"; both files are in /var/tmp. There are also other files in /var/tmp: "dc" (executable), b.tgz and edy.tgz. As I said before, my major concern is root access. I'm almost sure they got in with an insecure PHP script, but as I see it (I could be wrong), this shouldn't be a major problem: that can run scripts under the unprivileged account "apache", but that's all. Nonetheless they got root access from that unprivileged account.
If you have an outdated/unpatched kernel, you can fire up some race conditions and get root easily from an unprivileged account.
Any ideas? I don't know what to do. I've read that the r0nin script opens a telnet session on port 1666, but this can't be the problem, since this port is blocked by the firewall and they would get only unprivileged telnet access anyway, right? I didn't find any info about the other scripts. I still have them there if you need any other info. Thank you very much.
Mmh... Start with blocking incoming connections. Remove those scripts, point your temp dirs to one with noexec properties (sometimes those damn kiddiez use /dev/shm, so putting it as noexec sometimes works); you will have to search all over your system for modified files (using Red Hat/Fedora it is simple: run rpm -VVV for each package). Best of all is to start with a clean system, running all the security you can. SELinux is good although kinda hard. mod_security, use a chrooted environment, etc...
Francisco

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
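As an added example that is not from the thread, here is a small POSIX shell triage for two of Francisco's steps on a Red Hat/Fedora box: listing package-owned files that no longer match their RPM (rpm -V) and checking that the temp directories are mounted noexec. The rpm -V and mount-table samples are constructed, and the helper names are my own, not Apache's or rpm's.

```shell
#!/bin/sh
# Added example (not from the thread): two triage helpers for the clean-up
# Francisco suggests on a Red Hat/Fedora host. The rpm -V and /proc/mounts
# text further down is constructed sample data, not output from the OP's box.

# Keep only package-owned files whose content changed (rpm -V flags: S size,
# 5 digest) or that are missing; skip config files (attribute 'c'), which
# legitimately differ, and mtime-only changes, which are mostly noise.
# Real use: rpm -Va 2>/dev/null | triage_rpm_verify
triage_rpm_verify() {
    awk '
        $1 == "missing" { print $NF " (missing)"; next }
        NF >= 2 && length($1) >= 8 && $1 ~ /^[SM5DLUGTP.?]+$/ {
            if (NF == 3 && $2 == "c") next
            if ($1 ~ /[S5]/) print $NF
        }'
}

# Print temp mount points that are not mounted noexec (mount table on stdin,
# /proc/mounts layout: device mountpoint fstype options dump pass).
# Real use: check_noexec_mounts < /proc/mounts
check_noexec_mounts() {
    awk '$2 == "/tmp" || $2 == "/var/tmp" || $2 == "/dev/shm" {
            n = split($4, opt, ","); ok = 0
            for (i = 1; i <= n; i++) if (opt[i] == "noexec") ok = 1
            if (!ok) print $2
        }'
}

# Constructed samples: a replaced /bin/ls and a deleted "who" binary among
# harmless config and mtime changes; /dev/shm mounted without noexec.
SAMPLE_RPM_V='S.5....T.    /bin/ls
.......T.  c /etc/httpd/conf/httpd.conf
S.5....T.  c /etc/passwd
.......T.    /usr/lib/libz.so.1
missing     /usr/bin/who'
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda4 /var/tmp ext3 rw,noexec,nosuid 0 0'

suspicious_files()      { printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify; }
mounts_missing_noexec() { printf '%s\n' "$SAMPLE_MOUNTS" | check_noexec_mounts; }

suspicious_files
mounts_missing_noexec
```

On a compromised host, run the rpm binary and awk from trusted media rather than the possibly replaced copies on the box, since a replaced rpm would happily verify itself.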