Hi Francisco,

I have been using rootkit hunter for quite a while. GPL, from http://www.rootkit.nl/

A great program: it checks for rootkits, backdoors and other traces that a hacker leaves on your server if he intends to come back.

Cheers
herbs

()  ASCII Ribbon Campaign - against html/rtf/vCard in mail
/\  - against M$ attachments

On Tue, 15 Mar 2005 10:41:57 -0300 (ART) Francisco Hidalgo Solá <fhidalgosola@xxxxxxxxxxxx> wrote:

> Hi, my apache web server has been hacked and they got root access, this is my major concern.
>
> I have apache-2.0.52 and all my main pages were changed to an HTML message written in WORD!!! (that for sure says it was a script kiddie)
> I think they got root access since all my log directory is gone and they rewrote all index.* files from all my filesystem directories with their own message. I've found two processes running under the user "apache", they are "r0nin" and "brk".
> The "who" command shows nothing, so it seems it was changed. I've found some info on the "r0nin" exploit but nothing on "brk"; both files are in /var/tmp. There are also other files in /var/tmp, they are "dc" (executable), b.tgz and edy.tgz.
> As I said before, my major concern is root access. I'm almost sure they got in with an insecure PHP script, but as I see it (I could be wrong), this shouldn't be a major problem, that can run scripts with the unprivileged account "apache" but that's all, nonetheless they got root access from that unprivileged account.
> Any ideas? I don't know what to do. I've read that the r0nin script opens a telnet session on port 1666, but this can't be the problem, since this port is blocked by the firewall and they would get an unprivileged telnet access anyway, right? I didn't find any info about the other scripts, I still have them there if you need any other info.
> Thank you very much.
>
> Francisco

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
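A first triage pass for the symptoms Francisco lists (executables dropped in /var/tmp, processes running under the apache user, the vanished log directory, a "who" that may have been replaced), as an added shell example that is not part of the thread. The paths, the "apache" user name and the use of rpm or debsums to verify package-owned binaries are assumptions; run it from a shell you trust and treat its output as leads to follow up, not as proof.

```shell
#!/bin/sh
# Added triage helpers for the symptoms in the thread (not from the thread).
# Assumed: scratch dir /var/tmp, web user "apache", log dir /var/log/httpd.

# Executables and tarballs dropped in a world-writable scratch directory,
# one path per line (the thread's "dc", b.tgz and edy.tgz would show up here).
suspect_files_in() {
    find "$1" -xdev -type f \( -perm -100 -o -name '*.tgz' -o -name '*.tar.gz' \) \
        2>/dev/null | sort
}

# Processes running as the web server user: a shell or a binary that lives
# under /tmp or /var/tmp is the thing to look at first.
procs_as_user() {
    ps -u "$1" -o pid=,etime=,args= 2>/dev/null
}

# A log directory that is missing or emptied is itself an indicator.
log_dir_ok() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# "who shows nothing" suggests a replaced binary: verify package-owned tools
# against the package database (rpm or debsums), or fall back to rkhunter
# run from trusted media when neither is available.
verify_system_binaries() {
    if command -v rpm >/dev/null 2>&1; then
        for f in /usr/bin/who /bin/ps /bin/ls /bin/netstat; do
            [ -e "$f" ] || continue
            rpm -Vf "$f" || echo "  ^ $f differs from its package"
        done
    elif command -v debsums >/dev/null 2>&1; then
        debsums -c coreutils procps 2>/dev/null || true
    else
        echo "no rpm/debsums; verify binaries with rkhunter from trusted media"
    fi
}

triage() {
    echo "== suspect files in $1 =="; suspect_files_in "$1"
    echo "== processes as $2 =="; procs_as_user "$2"
    echo "== log dir $3 =="; log_dir_ok "$3" && echo present || echo "MISSING or empty"
    echo "== package verification =="; verify_system_binaries
}

if [ "${1:-}" = "--run" ]; then
    triage /var/tmp apache /var/log/httpd
fi
```

Running the script with --run performs all four checks against the assumed paths; the functions can also be sourced and pointed at other directories or users.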