One question, does this mean that apache is insecure in some way or that they've used a security hole in this version of apache or is something that couldn't be avoided with the light security settings of my system?, if this
I dont think so.If you were using latest versions, it's difficult to be an apache exploit (but not impossible). Most of the times, this security flaws, respond to careless programming, and too relaxes directives (both in apache and php)
is about an exploit to apache I would like to help resolve this issue if I can, at least providing the programmers with the scripts they've used to hack my machine so they can investigate.
You dont need to reinstall. It is higly recommended though.If you have the time, you'll have to search all over your system. I'm not sure what packaging system does gentoo uses, but im sure it can check the integrity of the files (md5sum,etc). It's not impossible to fix a "hacked" machine.. but it is long and tedious. As you didnt find the logs, it is difficult to really know if you were hacked via php insecure programming (i insist.. most probably) or some other sort of hack (if you say 80 is the only internet-wide open port.. the other chance is an apache/php/cgi exploit). I'm kinda confident it's not apaches fault, as i'm running both latest release (2.x and 1.x) in one of the most large isp's on my country. And most of the time someone gets "hacked", is the security issue i said before. You should try to recover part of the logs files from the hard disk, if you want to see exactly what happened.
El Mar 15 Mar 2005 12:01, Ivan Barrera A. escribió:Thank's for all the answers, if you know anything more about what could have been the attack I would like to hear about it.I'm almost sure as you said, it was a php-insecure page related xploit. r0nin is a common script to use, and upload. (i fix lots of clients computers with this). Aa logs are gone, it is difficult to determine the exact way they hacked into the machine, unless, you try to seach trough the disk (if the didn't zero it out).- Take a look at your sites. I've found that a common denominator for this situation are : phpNuke (specially when using that eGallery crap), phpBB, Cpanel default configuration, sites that upload files using global vars (register_global = on), and so on.. Unfortunally, internet is plagued by those damn kiddiez, who dont do anything useful. Just get into your box (using some pointer, or scripts out there), and start placing some files, DoS to other networks, or just installing lots of irc-bots. Some more advanced guys, replace system files (which keeps changing other executables to keep the systems vulnerable), sniff users/password of the machine/lan, sniff packets in search of a credit card number, etc. Common places for installing "hack" utils : /var/tmp /tmp /dev/shm /dev/" " (or more spaces...) /dev/... (or more dots, or with spaces) /dev/someunknowndir /usr/share/locale (i've seen lots using sk under that path) /" " (or more spaces) (in cpanel machines) /usr/local/cpanel/proxy /usr/local/cpanel/ (almost any of the dirs. under that ) (obviously, there a lot's more.. but almost every machine i fix, had this directories compromised) Some simple stuff : link /var/tmp to /tmp mount tmp as noexec, and some other restrictive permissions mount /dev/shm as noexec (this is to bug the kiddiez, they can use lots of other directories) using selinux is kinda complex, but gives lots of other options. How to see if you are hacked : if in redhat fedora, the common package to get changes are psmisc procps net-tools and util-linux rpm -VVV all of those packages. (if you dont have ps,lsof, and netstat changed) see the processes running (ps axuf) see the ports open (netstat -ln) and process who opened them (netstat -lntup) run lsof. Look at any port/file suspicios. There are lots more to do... But if you can, better to reinstall from scratch. (it happened to me 2 days ago. i installed a new server with default installation. went home, and it was hacked already. My fault for letting ssh1 open, and a soft root password).--- Dennis Speekenbrink <d.g.speekenbrink@xxxxxxxxxxxxxxx> wrote:Hi, Please keep in mind that I'm not a security expert. Something about this says that they did not get root access to the machine. Are you absolutely sure that "root-only" files we're changed? Reasons for my thinking are: The rogue processes are running under the Apache user (why not root?) You can still log in. (usually root-exploits change the root password first thing, sadly speaking from my own experience) The rogue processes are located in /tmp which is world-writeable. If access was gained through Apache, and it was indeed running as an un-priviledged user, then they would need a second exploit to raise their access level to root. By default a security breach in apache should only compromise anything that Apache can touch. On the other hand: If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault. If non-writeable files we're modified then an Apache / php exploit alone couldn't have done it. If system logs we're deleted that is almost certainly an indicator of a root-exploit. If you conclude that root-access was indeed gained, then the machine must be considered lost. Do not try to repair it, as you can never be sure you removed all traces of the attacker. If you assume that it was only a apache / php exploit then repair is possible but a reinstall might be safer. Good luck! Dennis p.s. if you have an off-site backup or remote logging try comparing data to see what has changed.---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx___________________________________________________________ 250MB gratis, Antivirus y Antispam Correo Yahoo!, el mejor correo web del mundo http://correo.yahoo.com.ar --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|