OS, Gentoo Linux, recently upgraded (some days ago) to the latest versions of what Gentoo developers consider stable. The PHP scripts running: various versions of phpBB, PHPmyadmin (secured), I think that there is a PHPnuke there too... I don't know the suspicious ones, but my brother installed some days ago a modification of the popular blog software "world press", and he was having speed problems in that script; everything in my sites worked fine. Now that I think of it, maybe that's suspect number one.

--- Paul <paul@xxxxxxxxxxxxxx> wrote:

> I would be interested in what OS you were running Apache on and what PHP scripts you thought were suspect.
>
> On Tuesday, March 15, 2005, at 09:22 AM, Francisco Hidalgo Solá wrote:
>
> > Yes, I'm sure root-only files were changed, as my complete log directory is gone. Unfortunately, or fortunately, this is my home machine hosting some sites of friends, so I never worried that much about security, only the normal things. I wasn't doing remote logging either, so I have no idea what happened.
> >
> > I came to the same conclusion as you and other people: I must reinstall everything to be sure. But this post is mainly an attempt to be able to discover what happened and if this was a security hole in this specific version of apache or any other thing, so I know what to do on my new installation.
> >
> > I will start with Ivan Barrera's suggestions, chrooted apache, mod_security, maybe selinux, but this bothers me so much, since this is only my home machine and I don't want to spend that much time on it...
> >
> > The first thing is remote logging; since I use syslog-ng in all my machines this should be very easy.
> >
> > Thanks for all the answers. If you know anything more about what could have been the attack I would like to hear about it.
> >
> > --- Dennis Speekenbrink <d.g.speekenbrink@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hi,
> >>
> >> Please keep in mind that I'm not a security expert.
> >>
> >> Something about this says that they did not get root access to the machine. Are you absolutely sure that "root-only" files were changed?
> >>
> >> Reasons for my thinking are:
> >> The rogue processes are running under the Apache user (why not root?)
> >> You can still log in. (Usually root-exploits change the root password first thing, sadly speaking from my own experience.)
> >> The rogue processes are located in /tmp, which is world-writable.
> >> If access was gained through Apache, and it was indeed running as an unprivileged user, then they would need a second exploit to raise their access level to root. By default a security breach in apache should only compromise anything that Apache can touch.
> >>
> >> On the other hand:
> >> If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault.
> >> If non-writable files were modified then an Apache / php exploit alone couldn't have done it.
> >> If system logs were deleted that is almost certainly an indicator of a root-exploit.
> >>
> >> If you conclude that root access was indeed gained, then the machine must be considered lost. Do not try to repair it, as you can never be sure you removed all traces of the attacker. If you assume that it was only an apache / php exploit then repair is possible, but a reinstall might be safer.
> >>
> >> Good luck!
> >>
> >> Dennis
> >>
> >> p.s. if you have an off-site backup or remote logging, try comparing data to see what has changed.
> >>
> >> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP Server Project.
> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
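Dennis's closing suggestion, comparing the live host against an off-site copy to see what changed, and his test of whether files outside Apache's reach were touched, are easy to mechanise. The script below is an added example and is not code from anyone in this thread: it builds a baseline of file digests and permission bits for a directory tree, diffs a later snapshot against it, and sorts the findings by whether the path lies under a prefix that only root normally writes (the prefix list `PRIVILEGED_PREFIXES` is an assumption for the demo, not something the thread specifies). `demo()` constructs a tiny fake root, then alters it the way the thread describes (a log file wiped, a root-owned config edited, something dropped in tmp/) and returns the classified result.

```python
"""File-integrity baseline and diff (added example, not the list's own tooling)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Assumed set of locations an apache-user compromise alone should not be able
# to touch; tune to the host. Changes here point at root, not just at httpd.
PRIVILEGED_PREFIXES = ("etc/", "var/log/", "bin/", "sbin/", "usr/")


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to digest + mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links and specials; only content files are hashed
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": _digest(p), "mode": stat.S_IMODE(p.stat().st_mode)}
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Return sorted lists of paths that were added, removed, or changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def classify(findings: dict, prefixes=PRIVILEGED_PREFIXES) -> dict:
    """Bucket findings by whether the path is one an unprivileged web user could reach."""
    out = {"privileged": [], "unprivileged": []}
    for kind in ("added", "removed", "modified"):
        for rel in findings[kind]:
            bucket = "privileged" if rel.startswith(prefixes) else "unprivileged"
            out[bucket].append((kind, rel))
    return out


def demo() -> dict:
    """Constructed sample: baseline a fake root, alter it as in the thread, classify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data, mode in [
            ("etc/passwd", b"root:x:0:0::/root:/bin/bash\n", 0o644),
            ("var/log/messages", b"Mar 15 09:22 httpd started\n", 0o640),
            ("var/www/index.php", b"<?php echo 'hi'; ?>\n", 0o644),
        ]:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            p.chmod(mode)
        before = build_baseline(root)

        # Simulated post-incident state: config edited, log wiped, file dropped in tmp/.
        (root / "etc/passwd").write_bytes(b"root:x:0:0::/root:/bin/bash\n# changed\n")
        (root / "var/log/messages").unlink()
        dropped = root / "tmp/x"
        dropped.parent.mkdir()
        dropped.write_bytes(b"#!/bin/sh\n")
        dropped.chmod(0o755)
        after = build_baseline(root)

        return classify(diff_baseline(before, after))


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket)
        for kind, rel in items:
            print(f"  {kind:9} {rel}")
```

The baseline is only useful if it was taken before the incident and stored somewhere the host cannot reach (a backup, or a hash list kept off-site), which is exactly why Dennis points at off-site copies rather than at anything on the box. A root-level attacker can alter the comparison tool and the filesystem it reads, so a clean diff is corroboration, not proof; entries in the "privileged" bucket are the ones that decide between "repair" and "reinstall".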