John Hammer <jhammer@xxxxxxxx> writes:

> I am relatively new to this so if this is not the correct forum I would appreciate being pointed to the right place.
>
> Over the weekend I discovered an unwanted program running on my server. In the error_log I found this entry:
>
>> --13:29:54-- http://www.ozdereklam.com/.xpl/dc.txt
>> => `/tmp/dc.txt'
>> Resolving www.ozdereklam.com... 82.222.180.120
>> Connecting to www.ozdereklam.com[82.222.180.120]:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 943 [text/plain]
>>
>> 0K 100% 4.62 KB/s
>>
>> 13:29:55 (4.62 KB/s) - `/tmp/dc.txt' saved [943/943]
>>
>
> Is this a problem that can be solved with Apache? How can I keep files from being uploaded in this way (and I am not sure what that "way" is).

My best guess is that somebody has exploited a bug in one of your CGI scripts in a way that allowed them to execute arbitrary code, and they elected to have this arbitrary code download this dc.txt file, using wget it looks like.

The solution is to find and fix your buggy CGI program(s), or to disable executable content from Apache. If you look in your access_log around the time of that error_log entry, you can probably narrow down which programs might be allowing this.

mod_security is supposed to be able to protect against some of these attacks:

http://www.modsecurity.org/

but I haven't used it, and really the buggy programs should be fixed anyways. Still, it might help.

Good luck,

----ScottG.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
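The access_log check suggested in the reply, as an added example that is not part of the original thread: it lists requests for executable content within a few seconds of the error_log entry and puts those that mention strings from that entry first. The sample log lines, client addresses, script names and the date are constructed (the error_log shows only a time of day), and the script-matching pattern is an assumption about how the server is laid out.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Common/Combined Log Format: host ident user [time] "request" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Assumption: what counts as executable content on this server.
SCRIPT_RE = re.compile(r'/cgi-bin/|\.(?:cgi|pl|php)(?:[/?]|$)', re.I)
# Strings taken from the error_log entry quoted in the post.
INDICATORS = ("wget", "dc.txt", "ozdereklam.com")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def suspects(lines, event_time, window_s=30):
    """Return (time, client, request, hits) for script requests near event_time."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access_log line
        client, ts, request = m.group(1), m.group(2), m.group(3)
        when = datetime.strptime(ts, TS_FMT)
        if abs(when - event_time) > timedelta(seconds=window_s):
            continue  # outside the time window around the error_log entry
        parts = request.split(" ")
        target = unquote_plus(parts[1]) if len(parts) > 1 else ""
        if not SCRIPT_RE.search(target):
            continue  # static content cannot have run wget
        hits = [i for i in INDICATORS if i in target.lower()]
        out.append((when, client, request, hits))
    # Requests carrying an indicator first, then the closest in time.
    out.sort(key=lambda r: (not r[3], abs(r[0] - event_time)))
    return out

# Constructed sample data; the date is assumed.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2006:13:29:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2006:13:29:50 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 880',
    '198.51.100.7 - - [01/Jan/2006:13:29:53 +0000] "GET /cgi-bin/example.cgi'
    '?src=http%3A%2F%2Fwww.ozdereklam.com%2F.xpl%2Fdc.txt HTTP/1.0" 200 312',
    '192.0.2.10 - - [01/Jan/2006:14:05:00 +0000] "GET /cgi-bin/form.pl HTTP/1.1" 200 880',
]
EVENT = datetime.strptime("01/Jan/2006:13:29:54 +0000", TS_FMT)

if __name__ == "__main__":
    for when, client, request, hits in suspects(SAMPLE, EVENT):
        print(when.isoformat(), client, request, "indicators:", hits or "none")
```

POST bodies are not written to access_log, so a POST to a script inside the window stays a candidate even when it carries no indicator.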