Re: [users@httpd] I've been hacked, I need some help please...

[dan <info@xxxxxxxxxxxxxxxx>]

John wrote:
> From: dan <info@xxxxxxxxxxxxxxxx>
> To: users@xxxxxxxxxxxxxxxx
> Date: Monday, March 21, 2005, 10:30:38 PM
> Subject: [users@httpd] I've been hacked, I need some help please...
>
>
>
>   Monday, March 21, 2005, 10:30:38 PM, you wrote:
>
>   > John wrote:
>
> > > From: cron@xxxxxxxxxx <cron@xxxxxxxxxx>
> > > To: <users@xxxxxxxxxxxxxxxx>
> > > Date: Monday, March 21, 2005, 9:45:51 PM
> > > Subject: [users@httpd] I've been hacked, I need some help please...
> > >
> > >
> > >
> > >  Monday, March 21, 2005, 9:45:51 PM, you wrote:
> > >
> > >  > I got the same problem one month ago, I was running awstas(log statistics),
> > >
> > >
> > > > anyway, they got access to /tmp wrote some files and execute the telnet
> > > > program at first I thought well this cant be firewall blocks everything
> > > > except port 80,  I found the code for the exploit and bad news, the exploit
> > > > connect to a remote machine and give a telnet shell on the remote machine
> > > > after that I'm blocking outgoing port too. To bad for me and my laziness.
> > > > Those stupid thing make me work 28 hs non stop.
> > >
> > >
> > >
> > >
> > > > Also found allot of backdoors i don't know if  was working at all but
> > > > running in ports already in use like port 80 and 21 and lots of modified
> > > > files like ps, who, ftpwho and some freaking ftp server (gssftp) witch with
> > > > some very weird install instruction gave root access to remote users. At
> > > > this point i was sure it was a script-kidie  but found evidence of more than
> > > > one attackers.
> > >
> > >
> > >
> > >
> > > > My point is i could NEVER fell save just fixing things. So reinstalled.
> > >
> > >
> > >
> > >
> > > > Angelo
> > >
> > >
> > > > ----- Original Message ----- 
> > > > From: "Ivan Barrera A." <Bruce@xxxxxx>
> > > > To: <users@xxxxxxxxxxxxxxxx>
> > > > Sent: Wednesday, March 16, 2005 9:51 AM
> > > > Subject: Re: [users@httpd] I've been hacked, I need some help please...
> > >
> > >
> > >
> > > So you think that was an awstats exploit that let the intruder to
> > > install the telnet program?
> > >
> > > Which awstats version you were using?
> > >
> > > Thanks in advance
> > >
> > > John
>
>
> > This is a known exploit that affects awstats-6.2.  It can be fixed by
> > either setting AllowToUpdateStatsFromBrowser = 0, or to upgrade to 6.3.
>
>
> > I guess a lot of people have been hit hard by this.  THat's too bad,
> > because awstats was, and maybe still is, a very useful tool.  It's a
> > shame to think of how other people see it now.
>
>
> > Thanks
> > -dant

You're using a Band-aide(R) on a deep wound.  Although you would have to 
bypass the HTTP Auth to exploit this, it's still exploitable however you 
look at it.

awstats can also be run on the command-line, so anyone who has remote 
access to that system will be able to exploit this hole, as well.

Your best bet is just to upgrade.  It's as simple as grabbing the new 
distribution and extracting it over the old one.  Backup your config 
files before attempting this.

Thanks
-dant

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx