From: cron@xxxxxxxxxx <cron@xxxxxxxxxx> To: <users@xxxxxxxxxxxxxxxx> Date: Monday, March 21, 2005, 9:45:51 PM Subject: [users@httpd] I've been hacked, I need some help please... Monday, March 21, 2005, 9:45:51 PM, you wrote: > I got the same problem one month ago, I was running awstas(log statistics), > anyway, they got access to /tmp wrote some files and execute the telnet > program at first I thought well this cant be firewall blocks everything > except port 80, I found the code for the exploit and bad news, the exploit > connect to a remote machine and give a telnet shell on the remote machine > after that I'm blocking outgoing port too. To bad for me and my laziness. > Those stupid thing make me work 28 hs non stop. > Also found allot of backdoors i don't know if was working at all but > running in ports already in use like port 80 and 21 and lots of modified > files like ps, who, ftpwho and some freaking ftp server (gssftp) witch with > some very weird install instruction gave root access to remote users. At > this point i was sure it was a script-kidie but found evidence of more than > one attackers. > My point is i could NEVER fell save just fixing things. So reinstalled. > Angelo > ----- Original Message ----- > From: "Ivan Barrera A." <Bruce@xxxxxx> > To: <users@xxxxxxxxxxxxxxxx> > Sent: Wednesday, March 16, 2005 9:51 AM > Subject: Re: [users@httpd] I've been hacked, I need some help please... So you think that was an awstats exploit that let the intruder to install the telnet program? Which awstats version you were using? Thanks in advance John --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|