Well, thank you very much for your help and this detailed e-mail. As I have time I will implement some of these things; for the moment my apache is behind my firewall and I'm still thinking about whether I want to reinstall my whole system, which isn't very funny...

One question: does this mean that apache is insecure in some way, or that they've used a security hole in this version of apache, or is it something that couldn't be avoided with the light security settings of my system? If this is about an exploit of apache I would like to help resolve this issue if I can, at least by providing the programmers with the scripts they've used to hack my machine so they can investigate.

On Tue 15 Mar 2005 12:01, Ivan Barrera A. wrote:
> > Thanks for all the answers, if you know anything more
> > about what could have been the attack I would like to
> > hear about it.
>
> I'm almost sure, as you said, it was a php-insecure page related xploit.
> r0nin is a common script to use, and upload. (I fix lots of clients'
> computers with this).
> As logs are gone, it is difficult to determine the exact way they hacked
> into the machine, unless you try to search through the disk (if they
> didn't zero it out).
> Take a look at your sites. I've found that common denominators for this
> situation are: phpNuke (especially when using that eGallery crap),
> phpBB, Cpanel default configuration, sites that upload files using
> global vars (register_global = on), and so on..
>
> Unfortunately, the internet is plagued by those damn kiddiez, who don't do
> anything useful. Just get into your box (using some pointer, or scripts
> out there), and start placing some files, DoS to other networks, or just
> installing lots of irc-bots. Some more advanced guys replace system
> files (which keeps changing other executables to keep the systems
> vulnerable), sniff users/passwords of the machine/lan, sniff packets in
> search of a credit card number, etc.
>
> Common places for installing "hack" utils:
>
> /var/tmp
> /tmp
> /dev/shm
> /dev/" " (or more spaces...)
> /dev/... (or more dots, or with spaces)
> /dev/someunknowndir
> /usr/share/locale (I've seen lots using sk under that path)
> /" " (or more spaces)
>
> (in cpanel machines)
> /usr/local/cpanel/proxy
> /usr/local/cpanel/ (almost any of the dirs. under that)
>
> (obviously, there are lots more.. but almost every machine I fix had
> these directories compromised)
>
> Some simple stuff:
>
> link /var/tmp to /tmp
> mount tmp as noexec, and some other restrictive permissions
> mount /dev/shm as noexec
> (this is to bug the kiddiez, they can use lots of other directories)
> using selinux is kinda complex, but gives lots of other options.
>
> How to see if you are hacked:
>
> if in redhat fedora, the common packages to get changes are psmisc procps
> net-tools and util-linux
> rpm -VVV all of those packages.
>
> (if you don't have ps, lsof, and netstat changed)
> see the processes running (ps axuf)
> see the ports open (netstat -ln) and process who opened them (netstat
> -lntup)
> run lsof. Look at any port/file suspicious.
>
>
> There are lots more to do...
> But if you can, better to reinstall from scratch.
>
> (it happened to me 2 days ago. I installed a new server with default
> installation. went home, and it was hacked already. My fault for letting
> ssh1 open, and a soft root password).
>
>
> > --- Dennis Speekenbrink
> >
> > <d.g.speekenbrink@xxxxxxxxxxxxxxx> wrote:
> >>Hi,
> >>
> >>Please keep in mind that I'm not a security expert.
> >>
> >>Something about this says that they did not get root
> >>access to the machine.
> >>Are you absolutely sure that "root-only" files were
> >>changed?
> >>
> >>Reasons for my thinking are:
> >>The rogue processes are running under the Apache
> >>user (why not root?)
> >>You can still log in. (usually root-exploits change
> >>the root password
> >>first thing, sadly speaking from my own experience)
> >>The rogue processes are located in /tmp which is
> >>world-writeable.
> >>If access was gained through Apache, and it was
> >>indeed running as an
> >>unprivileged user, then they would need a second
> >>exploit to raise
> >>their access level to root. By default a security
> >>breach in apache
> >>should only compromise anything that Apache can
> >>touch.
> >>
> >>On the other hand:
> >>If you're logged in and the 'who' command shows
> >>absolutely nobody, then
> >>it is obviously at fault.
> >>If non-writeable files were modified then an Apache
> >>/ php exploit alone
> >>couldn't have done it.
> >>If system logs were deleted that is almost
> >>certainly an indicator of a
> >>root-exploit.
> >>
> >>If you conclude that root-access was indeed gained,
> >>then the machine
> >>must be considered lost.
> >>Do not try to repair it, as you can never be sure
> >>you removed all traces
> >>of the attacker.
> >>If you assume that it was only an apache / php
> >>exploit then repair is
> >>possible but a reinstall might be safer.
> >>
> >>Good luck!
> >>
> >>Dennis
> >>
> >>p.s. if you have an off-site backup or remote
> >>logging try comparing data
> >>to see what has changed.
> >
> > ---------------------------------------------------------------------
> >
> >>The official User-To-User support forum of the
> >>Apache HTTP Server Project.
> >>See <URL:http://httpd.apache.org/userslist.html> for
> >>more info.
> >>To unsubscribe, e-mail:
> >>users-unsubscribe@xxxxxxxxxxxxxxxx
> >>   "   from the digest:
> >>users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> >>For additional commands, e-mail:
> >>users-help@xxxxxxxxxxxxxxxx
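As an added example that is not part of this thread, here is a small POSIX shell helper that mechanises two of the checks Ivan lists above: files of the psmisc/procps/net-tools/util-linux packages that `rpm -V` reports as modified or missing (a trojaned ps or netstat), and the /tmp and /dev/shm mount points that are not mounted noexec. Both checks parse plain text so they can be run over output saved from a suspect box; the function names, the `--live` switch and the sample `rpm -V` and /proc/mounts lines are my own and constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Two triage checks from Ivan's list,
# written to parse saved text (rpm -V output and /proc/mounts) so they can
# be run against a copy taken from a suspect box, or live with --live.

# rpm -V prints one line per differing file: a flag field such as
# "S.5....T." (S=size, M=mode, 5=digest changed, '.'=unchanged), then an
# optional attribute letter ("c" = config file), then the path. Missing
# files show up as "missing <path>". A changed size, mode or digest on a
# non-config file of procps/net-tools means ps or netstat may be trojaned.
tampered_files() {
    awk '
        $1 == "missing"             { print $NF; next }   # file removed
        $1 ~ /[S5M]/ && $2 != "c"   { print $NF }         # size/digest/mode changed
    '
}

# /proc/mounts lines are: device mountpoint fstype options dump pass.
# Print every watched mount point whose options lack "noexec" (an unmounted
# one is reported too, since it then inherits the parent filesystem).
exec_mounts() {
    awk -v want="/tmp /dev/shm" '
        BEGIN { n = split(want, w, " ") }
        { m = split($4, o, ","); for (i = 1; i <= m; i++) if (o[i] == "noexec") ok[$2] = 1 }
        END { for (i = 1; i <= n; i++) if (!ok[w[i]]) print w[i] }
    '
}

# Constructed sample inputs (not real output from the compromised host).
SAMPLE_RPM_V='S.5....T.    /bin/ps
.......T.    /bin/kill
S.5....T.  c /etc/sysctl.conf
missing      /bin/netstat'
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,noexec,nosuid 0 0
/dev/sda3 /tmp ext3 rw 0 0'

if [ "${1:-}" = "--live" ]; then
    # Run the checks on the machine itself (needs rpm, i.e. Red Hat/Fedora).
    rpm -V psmisc procps net-tools util-linux | tampered_files
    exec_mounts < /proc/mounts
else
    echo "Modified/missing packaged files:"
    printf '%s\n' "$SAMPLE_RPM_V" | tampered_files      # /bin/ps /bin/netstat
    echo "Mount points without noexec:"
    printf '%s\n' "$SAMPLE_MOUNTS" | exec_mounts        # /tmp
fi
```

A hit from `tampered_files` on ps, netstat or lsof means the tool itself cannot be trusted, which is exactly the caveat Ivan puts before his `ps axuf` / `netstat -lntup` step.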