Re[2]: [users@httpd] I've been hacked, I need some help please...


From: dan <info@xxxxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Date: Monday, March 21, 2005, 10:30:38 PM
Subject: [users@httpd] I've been hacked, I need some help please...



  Monday, March 21, 2005, 10:30:38 PM, you wrote:

  > John wrote:
>> From: cron@xxxxxxxxxx <cron@xxxxxxxxxx>
>> To: <users@xxxxxxxxxxxxxxxx>
>> Date: Monday, March 21, 2005, 9:45:51 PM
>> Subject: [users@httpd] I've been hacked, I need some help please...
>> 
>> 
>> 
>>   Monday, March 21, 2005, 9:45:51 PM, you wrote:
>> 
>>   > I got the same problem one month ago, I was running awstats (log statistics),
>> 
>>>anyway, they got access to /tmp, wrote some files and executed the telnet
>>>program. At first I thought, well, this can't be, the firewall blocks everything
>>>except port 80. I found the code for the exploit and, bad news, the exploit
>>>connects to a remote machine and gives a telnet shell on the remote machine.
>>>After that I'm blocking outgoing ports too. Too bad for me and my laziness.
>>>Those stupid things made me work 28 hours non-stop.
>> 
>> 
>> 
>> 
>>>Also found a lot of backdoors. I don't know if they were working at all but
>>>running on ports already in use like port 80 and 21, and lots of modified
>>>files like ps, who, ftpwho and some freaking ftp server (gssftp) which with
>>>some very weird install instructions gave root access to remote users. At
>>>this point I was sure it was a script kiddie but found evidence of more than
>>>one attacker.
>> 
>> 
>> 
>> 
>>>My point is I could NEVER feel safe just fixing things. So I reinstalled.
>> 
>> 
>> 
>> 
>>>Angelo
>> 
>> 
>>>----- Original Message ----- 
>>>From: "Ivan Barrera A." <Bruce@xxxxxx>
>>>To: <users@xxxxxxxxxxxxxxxx>
>>>Sent: Wednesday, March 16, 2005 9:51 AM
>>>Subject: Re: [users@httpd] I've been hacked, I need some help please...
>> 
>> 
>> 
>> So you think that was an awstats exploit that let the intruder
>> install the telnet program?
>> 
>> Which awstats version were you using?
>> 
>> Thanks in advance
>> 
>> John
>> 

> This is a known exploit that affects awstats-6.2.  It can be fixed by
> either setting AllowToUpdateStatsFromBrowser = 0 or upgrading to 6.3.

> I guess a lot of people have been hit hard by this.  That's too bad,
> because awstats was, and maybe still is, a very useful tool.  It's a
> shame to think of how other people see it now.

> Thanks
> -dant


> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


I haven't fixed that error in my awstats 6.2, but I used the .htaccess
to restrict other users from viewing it.
Is this a good solution or must I upgrade that script?



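An added example, not part of the original messages: a small Python check that reports on the mitigations named in this thread (the AllowToUpdateStatsFromBrowser setting, the 6.3 upgrade, and an .htaccess restriction). The sample config, the sample .htaccess, the file paths and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONF = '''\
# awstats.example.conf (constructed)
LogFile="/var/log/httpd/access_log"
AllowToUpdateStatsFromBrowser=1
'''
SAMPLE_HTACCESS = '''\
# constructed .htaccess for the directory holding the awstats CGI
AuthType Basic
AuthName "stats"
AuthUserFile /etc/httpd/stats.htpasswd
Require valid-user
'''

def read_directive(conf_text, name):
    """Return the last value assigned to `name` in Key=Value text, or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith('#'):
            continue  # whole-line comment
        m = re.match(r'(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m and m.group(1) == name:
            value = m.group(2).strip()
    return value

def htaccess_has_access_control(htaccess_text):
    """True if a Require or Deny-from directive appears outside comments."""
    return bool(re.search(r'^\s*(Require\s+\S+|Deny\s+from\s+\S+)',
                          htaccess_text, re.I | re.M))

def assess(conf_text, htaccess_text, version):
    """List which of the thread's mitigations are missing for this install."""
    findings = []
    if version == "6.2":
        findings.append("awstats 6.2 is the affected version; 6.3 is the upgrade named in the thread")
    setting = read_directive(conf_text, "AllowToUpdateStatsFromBrowser")
    if setting is None:
        findings.append("AllowToUpdateStatsFromBrowser is not set explicitly; set it to 0")
    elif setting != "0":
        findings.append(f"AllowToUpdateStatsFromBrowser={setting}; the thread's fix is 0")
    if not htaccess_has_access_control(htaccess_text):
        findings.append("no Require/Deny directive found in .htaccess")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_CONF, SAMPLE_HTACCESS, "6.2"):
        print(finding)
```

Each mitigation is reported separately, so an install that has only the .htaccess restriction still shows the version and setting findings.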


