Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

The fact you got hacked means that whatever happened before is still
happening.  That is, are you sure you don't have any odd cgi scripts
running that could be easily compromised?

Yes, there are zero day exploits, but make sure all your other related
apps. are up to date.  I.e., you could have old ssl libraries and then ssh
or even apache ssh could be exploited...

My .02...

System Administrator wrote:

>Because of many recent attacks on my machines in the last few months,
>I built a new machine using a processor with a No-Execute bit.  I put
>all my sites on there with Apache 2.0.54 and patched everything to
>date.  I only allow port 80, 443, ftp and ssh to reach the machine. 
>There is only one user on the machine, me.  The FTP authentication is
>handled by an NcFTPd internal database.  The other day, my machine was
>flooding the network and nothing worked.  I checked top and there was
>a perl script called leet.pl running.  I did a find and there were
>several perl scripts owned by user apache in my /tmp.  They all seemed
>to be connect-back scripts.
>
>I'm no expert on security, but it seems odd to me that a remote user
>could use apache to write to my /tmp directory and then execute the
>script.  Any idea how this happened?  How do I prevent it in the
>future?  How do I sterilize my machine?
>
>Thanks for the help.
>
>Farmer J
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
>For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

-- 

°(((=((===°°°(((===========================================

begin:vcard
fn:Ricardo Stella
n:Stella;Ricardo
org:Rider University
adr;dom:;;2083 Lawrenceville Rd;Lawrenceville;NJ;08648
version:2.1
end:vcard
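
A triage check for the situation described in this thread (scripts owned by the web server account sitting in /tmp), added here as an example and not part of either poster's message. The account name `apache` comes from the original post; the function names and the choice of directories to scan are assumptions.

```shell
#!/bin/sh
# Added triage sketch, not from the thread. Assumptions: the web server
# account is "apache" (as in the post) and the directories passed in are
# the world-writable scratch locations on this host (/tmp, /var/tmp, ...).

# classify_file PATH -> prints "script", "elf" or "other" from the magic bytes.
classify_file() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | tr -d '\000')
    case $magic in
        '#!'*) echo script ;;
        "$(printf '\177ELF')") echo elf ;;
        *) echo other ;;
    esac
}

# owned_executables DIR USER
# One line per regular file under DIR owned by USER that is a script or an
# ELF binary: "<kind><TAB><path><TAB><first line, scripts only>".
# File names containing newlines are not handled.
owned_executables() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null |
    while IFS= read -r f; do
        kind=$(classify_file "$f")
        case $kind in
            script) printf '%s\t%s\t%s\n' "$kind" "$f" "$(head -n 1 "$f")" ;;
            elf)    printf '%s\t%s\t\n' "$kind" "$f" ;;
        esac
    done
}

# Runs only when given arguments, e.g.: sh triage.sh apache /tmp /var/tmp
if [ "$#" -ge 2 ]; then
    user=$1; shift
    for d in "$@"; do owned_executables "$d" "$user"; done
fi
```

Anything this reports was written by a process running as the web server account, so its modification time is a starting point for searching the access and error logs for the request that dropped it.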

