If you google admin_styles.php you'll find it's a known phpBB hack. Update, replace, or disable the phpBB boards and change all passwords.

----- Original Message -----
From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Sunday, May 08, 2005 8:00 PM
Subject: Re: [users@httpd] Hacked the website replace the index.hm page

Hi Tim,

The intruder replaced only two index.htm files. There is no evidence that the server has been hacked other than that two index.htm files have been replaced. The phpBB website is owned by a different user and group than the site which has been hacked.

The following is from the access.log. (The hacker replaced the index.htm with one line of text.)

201.128.21.202 - - [08/May/2005:08:05:43 +1000] "GET /virtualforum//admin/admin_styles.php?mode=addnew&in stall_to=../../../../../../../../../../../../../../../../../../../tmp&nigga= system(\"cd%20/web/departments/student;echo%20XTech%20Inc%20ownz%20-%20stude nts%20-%20y0u%20suck%20>index.shtml\");&sid=655f5166e6110dc5959fe46a96192331 HTTP/1.1" 200 7976

Thanks
Mathew

>>> tim@xxxxxxxxx 9/05/05 9:24:23 >>>
Ok. What evidence do you have that it was a hack? (as opposed to, say, FTP passwords getting out somehow). And, by any chance, do the sites that were hacked share any passwords with accounts on any of the phpBB installations? And, with what were the index files replaced?

----- Original Message -----
From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Sunday, May 08, 2005 7:15 PM
Subject: Re: [users@httpd] Hacked the website replace the index.hm page

Hi Tim,

Thanks for the reply. Yes, a couple of virtual hosts are running phpBB. The websites which have been hacked are not using PHP, mysql or ssl.

Thanks
Mathew

>>> tim@xxxxxxxxx 9/05/05 8:56:04 >>>
We'll probably need more details. You running phpBB anywhere?

----- Original Message -----
From: "Mathew Thomas" <mathew.thomas@xxxxxxxxxxx>
To: <users@xxxxxxxxxxxxxxxx>
Sent: Sunday, May 08, 2005 6:49 PM
Subject: [users@httpd] Hacked the website replace the index.hm page

Hi All,

We are running apache_1.3.32 with mod_ssl, mySQL and PHP. OS is Solaris 9.

Apache is running with
User httpd
Group http

Most of the DocumentRoot is owned by httpd. (There are several virtual hosts running on this server.)

its-wu-web:departments# ps -ef | grep http
httpd 18168 24970  0 00:00:02 ?  0:04 /usr/local/apache/bin/httpd -DSSL
httpd 16498 24970  0 08:39:24 ?  0:00 /usr/local/apache/bin/httpd -DSSL
httpd 16492 24970  0 08:39:24 ?  0:00 /usr/local/apache/bin/httpd -DSSL
httpd 15664 24970  0 08:28:56 ?  0:00 /usr/local/apache/bin/httpd -DSSL
httpd 16488 24970  0 08:39:23 ?  0:00 /usr/local/apache/bin/httpd -DSSL
httpd 18182 24970  0 00:00:07 ?  0:04 /usr/local/apache/bin/httpd -DSSL

Somehow a couple of the websites were hacked and the index.htm pages replaced. How can I prevent it from happening again?

Thanks
Mathew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
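
The access.log entry quoted in the thread has three traits a log scan can key on: a request for admin_styles.php, a long run of ../ in a query parameter, and a PHP function call in a query parameter, all answered with status 200. The following is an added example, not part of the original thread, that flags such requests in Apache common-log-format lines; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
TRAVERSAL = re.compile(r'(?:\.\./){2,}')          # two or more ../ in a row
PHP_CALL = re.compile(r'\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\(', re.I)

def inspect(line):
    """Return (host, time, status, reasons) for a suspicious line, else None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    host, when, request, status = m.groups()
    # Drop the method and the trailing protocol token, keep the request target.
    target = request.partition(" ")[2].rsplit(" ", 1)[0]
    path, _, query = target.partition("?")
    reasons = []
    # Collapse duplicate slashes so /forum//admin/... still matches.
    if re.sub(r"/+", "/", path).lower().endswith("/admin/admin_styles.php"):
        reasons.append("admin_styles.php requested")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        value = unquote(value)                    # decode %20 and friends
        if TRAVERSAL.search(value):
            reasons.append(f"path traversal in '{name}'")
        if PHP_CALL.search(value):
            reasons.append(f"PHP function call in '{name}'")
    return (host, when, status, reasons) if reasons else None

def scan(lines):
    """Inspect every line and return only the hits."""
    return [hit for hit in map(inspect, lines) if hit]

# Constructed sample lines (documentation addresses, harmless payload).
SAMPLE = [
    r'192.0.2.10 - - [08/May/2005:08:05:43 +1000] "GET /forum//admin/admin_styles.php'
    r'?mode=addnew&install_to=../../../../tmp&x=system(\"echo%20test\");&sid=0 HTTP/1.1" 200 7976',
    '192.0.2.11 - - [08/May/2005:08:06:01 +1000] "GET /index.htm HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for host, when, status, reasons in scan(SAMPLE):
        print(host, when, status, "; ".join(reasons))
```

A hit with status 200 means the script was served rather than rejected, so it should be followed up by checking modification times of files writable by the Apache user.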