Re: [users@httpd] Apache + AWSTATS = Vulnerability????

On 7/14/05, Anderson Miranda <anderson@xxxxxxxxxxxxxxxxxxxx> wrote:
> Kk, here is what I've got so far:
> 
> My system seems to be infected by some kind of trojan/worm/virus called
> Unix/Hacktop, which does (for what I'm seeing) some kind of scanport via
> ssh (22).
> I found some related info saying that the intruder could be using a
> security flaw from AWSTATS + Apache to get a valid root bash session
> over port 80.
> 
> Now the intruder created a few files, infected some others and is using
> this scanport. I stopped the scanport by blocking the output of ssh in
> my iptables and could be able to erase some virus related files.
> 
> Now I want to know just 2 things:
> 
> First, how can I be sure that it all happened because of the awstats
> security flaw?

No way to be 100% certain, but examining your access log for funny calls
to your awstats cgi would be a good way to start.

> Second, how could I completely remove this Unix/Hacktop from my system
> (Linux RedHat9 k2.4) ?

Technically, this is impossible without a clean reinstall.  The
hacker/cracker could have replaced anything and everything.  He could
have replaced the "rm" binary so that it never deletes files that he
placed there.  He could have replaced "ls" so it doesn't show those
files.  He could have replaced iptables so that it allows in his IP no
matter what you configure.

But since most hackers aren't that smart, you might have some luck if
you can figure out what root kit was used and undo the damage.  But as
you mentioned, this isn't the best list to find help with that.

Joshua.
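As an added illustration of the "look at your access log for funny calls to the awstats cgi" advice above (this is example code, not from the thread or from AWStats itself): the script below parses Apache combined-format log lines and flags requests to `awstats.pl` whose query string carries shell metacharacters or parent-directory traversal after URL decoding. The log lines, IP addresses and the `config=` parameter name are constructed for the example; the check inspects every query pair, so it does not depend on which parameter an attacker abused.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines (not from the original thread).
# The 198.51.100.7 entries carry shell metacharacters or traversal in the awstats.pl query.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2005:10:02:11 -0300] "GET /awstats/awstats.pl?config=example.com HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jul/2005:10:03:45 -0300] "GET /cgi-bin/awstats.pl?config=%7cecho%3bid%7c HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [14/Jul/2005:10:03:52 -0300] "GET /cgi-bin/awstats.pl?config=%257Cid%257C HTTP/1.0" 200 640 "-" "-"
198.51.100.7 - - [14/Jul/2005:10:04:10 -0300] "GET /cgi-bin/awstats.pl?config=../../etc/passwd HTTP/1.0" 404 294 "-" "-"
192.0.2.9 - - [14/Jul/2005:10:05:00 -0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters a benign AWStats request never needs in a query value: shell pipes and
# separators, command substitution, redirection, and parent-directory traversal.
SHELL_META_RE = re.compile(r'[|;`$&<>]|\.\./')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_awstats_request(target):
    """True if TARGET is a request to awstats.pl whose query carries shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('awstats.pl'):
        return False
    for pair in parts.query.split('&'):
        # Decode twice so a double-encoded '|' (%257C) is caught as well as %7C.
        decoded = unquote(unquote(pair))
        if SHELL_META_RE.search(decoded):
            return True
    return False


def find_suspicious(log_text):
    """Scan a whole access log and return the suspicious awstats.pl requests."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_awstats_request(rec['target']):
            hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                         'status': rec['status'], 'target': rec['target']})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['ts']} {hit['status']} {hit['target']}")
```

Run it against a copy of the access log taken off the box (the reply above notes the intruder may have replaced anything, and that includes the logs and the tools used to read them). Requests that were answered with a 200 are the ones to look at first; a 404 still shows probing but indicates the request did not reach the script at that path.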

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx