Yes, I'm sure root-only files were changed, as my complete log directory is gone. Unfortunately, or fortunately, this is my home machine hosting some sites of friends, so I never worried that much about security, only the normal things. I wasn't doing remote logging either, so I have no idea what happened. I came to the same conclusion as you and other people: I must reinstall everything to be sure. But this post is mainly an attempt to be able to discover what happened and whether this was a security hole in this specific version of Apache or any other thing, so I know what to do on my new installation. I will start with Ivan Barrera's suggestions: chrooted Apache, mod_security, maybe SELinux, but this bothers me so much, since this is only my home machine and I don't want to spend that much time on it... The first thing is remote logging; since I use syslog-ng on all my machines this should be very easy.

Thanks for all the answers. If you know anything more about what could have been the attack, I would like to hear about it.

--- Dennis Speekenbrink <d.g.speekenbrink@xxxxxxxxxxxxxxx> wrote:

> Hi,
>
> Please keep in mind that I'm not a security expert.
>
> Something about this says that they did not get root access to the machine.
> Are you absolutely sure that "root-only" files were changed?
>
> Reasons for my thinking are:
> The rogue processes are running under the Apache user (why not root?)
> You can still log in. (usually root-exploits change the root password first thing, sadly speaking from my own experience)
> The rogue processes are located in /tmp which is world-writeable.
> If access was gained through Apache, and it was indeed running as an unprivileged user, then they would need a second exploit to raise their access level to root. By default a security breach in apache should only compromise anything that Apache can touch.
>
> On the other hand:
> If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault.
> If non-writeable files were modified then an Apache / php exploit alone couldn't have done it.
> If system logs were deleted that is almost certainly an indicator of a root-exploit.
>
> If you conclude that root-access was indeed gained, then the machine must be considered lost.
> Do not try to repair it, as you can never be sure you removed all traces of the attacker.
> If you assume that it was only an apache / php exploit then repair is possible but a reinstall might be safer.
>
> Good luck!
>
> Dennis
>
> p.s. if you have an off-site backup or remote logging try comparing data to see what has changed.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
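The indicators Dennis lists (rogue processes running under the web server user out of world-writable /tmp, and a log directory that has vanished) can be checked quickly on a suspect host. The following shell snippet is an added example, not from either poster; it assumes a `ps -eo user,pid,args` style listing on stdin and a log directory path supplied by the caller, and the sample listing is constructed.

```shell
#!/bin/sh
# Added triage helper for the indicators discussed in the thread.
# Run the output on a suspect host past a trusted copy of ps where
# possible, since a compromised host's binaries cannot be trusted.

# find_scratch_procs: read a "ps -eo user,pid,args" listing on stdin and
# print "user pid path" for every process whose binary lives in a
# world-writable scratch directory (/tmp, /var/tmp, /dev/shm).
find_scratch_procs() {
    awk 'NR > 1 && $3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1, $2, $3 }'
}

# count_scratch_procs: number of such processes in the listing on stdin.
count_scratch_procs() {
    find_scratch_procs | wc -l | tr -d ' '
}

# check_log_dir DIR: succeed only if DIR exists and is non-empty.
# A missing or emptied log tree was the first sign reported in the thread.
check_log_dir() {
    dir="$1"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Constructed sample listing (hypothetical processes; header line first).
SAMPLE='USER PID ARGS
root 1 /sbin/init
apache 2101 /usr/sbin/httpd -k start
apache 2333 /tmp/.x/run -q
nobody 2340 /var/tmp/.s/svc
www 2390 /dev/shm/.p/helper
dennis 3001 /bin/sh'

# Live usage: ps -eo user,pid,args | find_scratch_procs
# On the constructed sample this lists the three scratch-directory processes.
printf '%s\n' "$SAMPLE" | find_scratch_procs
check_log_dir /var/log/apache2 || echo "log directory missing or empty"
```

On a live host the scratch-directory check only sees what the (possibly tampered) ps reports, so treat an empty result as no evidence rather than a clean bill.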