From: dan <info@xxxxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Date: Monday, March 21, 2005, 10:41:11 PM
Subject: [users@httpd] I've been hacked, I need some help please...

Monday, March 21, 2005, 10:41:11 PM, you wrote:

> John wrote:
>> From: dan <info@xxxxxxxxxxxxxxxx>
>> To: users@xxxxxxxxxxxxxxxx
>> Date: Monday, March 21, 2005, 10:30:38 PM
>> Subject: [users@httpd] I've been hacked, I need some help please...
>>
>> Monday, March 21, 2005, 10:30:38 PM, you wrote:
>>
>>> John wrote:
>>>> From: cron@xxxxxxxxxx <cron@xxxxxxxxxx>
>>>> To: <users@xxxxxxxxxxxxxxxx>
>>>> Date: Monday, March 21, 2005, 9:45:51 PM
>>>> Subject: [users@httpd] I've been hacked, I need some help please...
>>>>
>>>> Monday, March 21, 2005, 9:45:51 PM, you wrote:
>>>>
>>>>> I got the same problem one month ago, I was running awstats (log statistics).
>>>>> Anyway, they got access to /tmp, wrote some files and executed the telnet
>>>>> program. At first I thought, well, this can't be, the firewall blocks everything
>>>>> except port 80. I found the code for the exploit and, bad news, the exploit
>>>>> connects to a remote machine and gives a telnet shell on the remote machine.
>>>>> After that I'm blocking outgoing ports too. Too bad for me and my laziness.
>>>>> Those stupid things made me work 28 hours non-stop.
>>>>>
>>>>> Also found a lot of backdoors, I don't know if they were working at all, but
>>>>> running on ports already in use like port 80 and 21, and lots of modified
>>>>> files like ps, who, ftpwho and some freaking ftp server (gssftp) which, with
>>>>> some very weird install instructions, gave root access to remote users. At
>>>>> this point I was sure it was a script-kiddie but found evidence of more than
>>>>> one attacker.
>>>>>
>>>>> My point is I could NEVER feel safe just fixing things. So I reinstalled.
>>>>>
>>>>> Angelo
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Ivan Barrera A." <Bruce@xxxxxx>
>>>>> To: <users@xxxxxxxxxxxxxxxx>
>>>>> Sent: Wednesday, March 16, 2005 9:51 AM
>>>>> Subject: Re: [users@httpd] I've been hacked, I need some help please...
>>>>
>>>> So you think that it was an awstats exploit that let the intruder
>>>> install the telnet program?
>>>>
>>>> Which awstats version were you using?
>>>>
>>>> Thanks in advance
>>>>
>>>> John
>>>
>>> This is a known exploit that affects awstats-6.2. It can be fixed by
>>> either setting AllowToUpdateStatsFromBrowser = 0, or upgrading to 6.3.
>>>
>>> I guess a lot of people have been hit hard by this. That's too bad,
>>> because awstats was, and maybe still is, a very useful tool. It's a
>>> shame to think of how other people see it now.
>>>
>>> Thanks
>>> -dant
>>
> You're using a Band-Aid(R) on a deep wound. Although you would have to
> bypass the HTTP Auth to exploit this, it's still exploitable however you
> look at it.
> awstats can also be run on the command line, so anyone who has remote
> access to that system will be able to exploit this hole, as well.
> Your best bet is just to upgrade. It's as simple as grabbing the new
> distribution and extracting it over the old one. Back up your config
> files before attempting this.
> Thanks
> -dant
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Alright, and what about the awstats lib, where awstats keeps its archive. Will the new version be able to read that and render the stats analysis?
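Added example for the thread above (not code from the list, from awstats or from any of the posters): a small check of the mitigation dant names, AllowToUpdateStatsFromBrowser = 0, plus a scan of Apache access-log lines for requests that drive awstats.pl from a browser, the kind of traffic that would have preceded the /tmp files Angelo found. Assumptions: the config file is KEY=VALUE lines with '#' comments, browser-side updates are requested with an 'update=1' query parameter, the "trusted" address range is 10.0.0.0/24, and the config fragment and log lines are constructed samples, not anything from the thread.

```python
"""Check an awstats.conf for the browser-update setting and scan Apache
access-log lines for awstats.pl requests worth a second look.
Added example; config and log lines below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed awstats.conf fragment showing the weak setting.
SAMPLE_CONF = """\
# constructed awstats.conf fragment
LogFile="/var/log/httpd/access_log"
SiteDomain="www.example.com"
AllowToUpdateStatsFromBrowser=1   # weak: anyone reaching awstats.pl can trigger an update
DirData="/var/lib/awstats"
"""

# The same fragment with the setting dant recommends.
HARDENED_CONF = SAMPLE_CONF.replace("AllowToUpdateStatsFromBrowser=1",
                                    "AllowToUpdateStatsFromBrowser=0")


def parse_awstats_conf(text):
    """Parse KEY=VALUE lines (assumed format); '#' starts a comment, quotes are stripped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, value = line.split('=', 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def is_hardened(conf):
    """True only when AllowToUpdateStatsFromBrowser is explicitly 0.
    A missing key falls back to awstats' built-in default; report it so the
    operator sets it explicitly instead of trusting the default."""
    return conf.get('AllowToUpdateStatsFromBrowser') == '0'


# Constructed Apache combined-format lines: one normal view, one browser-triggered
# update from an outside address, one value carrying a shell metacharacter, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2005:09:12:01 +0100] "GET /awstats/awstats.pl?config=www.example.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Mar/2005:09:14:33 +0100] "GET /awstats/awstats.pl?config=www.example.com&update=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Mar/2005:09:15:02 +0100] "GET /awstats/awstats.pl?config=www.example.com%7Cid HTTP/1.1" 200 1024 "-" "lwp-trivial/1.41"
10.0.0.5 - - [21/Mar/2005:09:20:00 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[|;&`$]')  # heuristic: characters a shell would interpret


def scan_awstats_requests(log_text, trusted_prefixes=('10.0.0.',)):
    """Return findings for awstats.pl requests that either trigger a browser
    update from outside the trusted range or carry shell metacharacters in
    any query value (parse_qs percent-decodes them first)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or 'awstats.pl' not in m['url']:
            continue
        query = parse_qs(urlsplit(m['url']).query, keep_blank_values=True)
        reasons = []
        if query.get('update') == ['1'] and not m['ip'].startswith(trusted_prefixes):
            reasons.append('browser-triggered update from untrusted address')
        for key, values in query.items():
            if any(SHELL_META.search(v) for v in values):
                reasons.append(f'shell metacharacter in parameter {key!r}')
        if reasons:
            findings.append({'ip': m['ip'], 'time': m['ts'], 'url': m['url'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    conf = parse_awstats_conf(SAMPLE_CONF)
    print('AllowToUpdateStatsFromBrowser =', conf.get('AllowToUpdateStatsFromBrowser'),
          '(hardened)' if is_hardened(conf) else '(NOT hardened: set it to 0 or upgrade)')
    for f in scan_awstats_requests(SAMPLE_LOG):
        print(f["time"], f["ip"], f["url"], '->', '; '.join(f["reasons"]))
```

Point the scan at the real access_log and awstats.conf of the affected host; a hit does not prove compromise, but as dant says the setting is only a band-aid, so treat any finding as a reason to upgrade and, if the host shows the other signs Angelo lists, to rebuild rather than patch.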
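A second added example, again not from the thread: Angelo found ps, who and ftpwho replaced, which a hash baseline taken before the incident would have shown immediately. The watched paths are assumed locations, SHA-256 is this example's choice, and demo() rebuilds the scenario on throwaway files in a temporary directory so the logic runs without touching the real system.

```python
"""Build a hash/mode baseline of selected binaries and diff a later snapshot
against it, reporting modified, missing and new files. Added example."""
import hashlib
import os
import tempfile

# Assumed locations of the binaries Angelo found modified.
WATCHED = ['/bin/ps', '/usr/bin/who', '/usr/sbin/ftpwho']


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map path -> {sha256, size, mode} for each path that exists.
    Mode is recorded too: a setuid bit appearing on ps is as telling as new content."""
    base = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            base[p] = {'sha256': sha256_file(p), 'size': st.st_size,
                       'mode': oct(st.st_mode & 0o7777)}
    return base


def compare_baseline(baseline, paths):
    """Re-hash paths now and classify each as modified, missing or new."""
    current = build_baseline(paths)
    report = {'modified': [], 'missing': [], 'new': []}
    for p, old in baseline.items():
        if p not in current:
            report['missing'].append(p)
        elif current[p]['sha256'] != old['sha256'] or current[p]['mode'] != old['mode']:
            report['modified'].append(p)
    report['new'] = [p for p in current if p not in baseline]
    return report


def demo():
    """Recreate the scenario on throwaway files: baseline two 'binaries', verify a
    clean comparison, then trojan one, delete the other and drop in a new one.
    Returns (clean_report, tampered_report, paths)."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ('ps', 'who', 'ftpwho')]
    for p in paths[:2]:
        with open(p, 'wb') as f:
            f.write(b'original ' + os.path.basename(p).encode())
    base = build_baseline(paths)
    clean = compare_baseline(base, paths)
    with open(paths[0], 'wb') as f:      # replaced in place, like the modified ps
        f.write(b'trojaned ps')
    os.remove(paths[1])                  # gone
    with open(paths[2], 'wb') as f:      # appeared after the baseline
        f.write(b'backdoor')
    return clean, compare_baseline(base, paths), paths


if __name__ == '__main__':
    clean, tampered, _ = demo()
    print('clean run   :', clean)
    print('tampered run:', tampered)
```

In real use, build the baseline with the WATCHED list right after install, keep it off the host, and run the comparison from rescue media rather than the running system: a live host whose ps and who are already replaced cannot be trusted to read its own files honestly. A single "modified" entry on a system binary is the point at which, as Angelo concluded, you reinstall rather than clean.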