Re: Someone hacked my apache2 server

Morgan
I did not have Tripwire installed. Will do that :) The problem is that I can't find the files that were modified. As I indicated in the initial email, the hacker's page started to show up at some point, then STOPPED, then, in 20 minutes started again, and then stopped again. After that I shut down apache. So, I am even clueless where to search for the logs.

The only thing that is relevant to the attack is this:

mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:17 -0500] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:18 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wind
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:19 -0500] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:21 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:22 -0500] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:22 -0500] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:23 -0500] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:24 -0500] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi

So, I suspect that the vulnerability might have been in the phpmyadmin. Could it be there? Or was the hacker trying to find the most common ways to get in?

Oleg.
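
The excerpt above is a burst of probes for common phpMyAdmin paths from one client, every one answered 404. The following script is an added example (not from this thread or from the Apache project) that parses that vhost-prefixed combined log format, tolerates lines that were cut short like the mailed copies, groups probe requests per client IP, and flags a burst; the line worth chasing in a case like this is any probe from the same client that did not get a 404. The sample lines are constructed, modelled on the excerpt, and one constructed line has the scanner receiving a 200 purely to exercise that branch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the thread's excerpt (vhost-prefixed
# combined log format). Two lines are truncated on purpose, as the mailed
# copies were; the last line is constructed to show a probe that got a 200.
SAMPLE_LOG = """\
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:17 -0500] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 198.51.100.7 - - [02/Apr/2010:13:44:18 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:18 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wind
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:19 -0500] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:24 -0500] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 200 9812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# "vhost ip ident user [ts] "method path proto" status bytes "referer" "ua""
# The referer/UA tail is optional and the closing UA quote may be missing so
# that truncated lines still parse.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"?)?'
)

# Request paths typical of phpMyAdmin-hunting scanners (from the excerpt).
PROBE_RE = re.compile(r'config\.inc\.php|phpmyadmin|/pma/|phpinfo\(\)', re.I)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scan_bursts(lines, window_s=60, min_hits=5):
    """Flag clients that sent >= min_hits probe requests within window_s seconds.

    Returns {ip: {"start", "end", "probes", "not_404"}}; not_404 lists the
    probe paths that were answered with anything other than 404, which are
    the ones to inspect first after a scan like the one in the thread.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):
            j = i
            while j < len(recs) and (recs[j]["ts"] - recs[i]["ts"]).total_seconds() <= window_s:
                j += 1
            if j - i >= min_hits:
                burst = recs[i:j]
                findings[ip] = {
                    "start": burst[0]["ts"],
                    "end": burst[-1]["ts"],
                    "probes": len(burst),
                    "not_404": [r["path"] for r in burst if r["status"] != 404],
                }
                break  # report the first qualifying window per client
    return findings


if __name__ == "__main__":
    for ip, f in find_scan_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['probes']} probes {f['start']} .. {f['end']}; non-404 hits: {f['not_404']}")
```

Run it against a real file with `find_scan_bursts(open("/var/log/apache2/access.log"))`; the thresholds are deliberately loose because scanners of this kind send one request per second or faster, and the point of the output is to separate a scan that found nothing (all 404) from one that found a target.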

On Sun, Apr 4, 2010 at 3:28 AM, Morgan Gangwere <0.fractalus@xxxxxxxxx> wrote:
On 4/3/2010 4:24 PM, Oleg Goryunov wrote:

The problem is that I do not see any files changed on the server (and
thus cannot check the owner of them). Where should I look for the
possible evidence of someone else being there?

Do you have Tripwire installed?
If so, just look at its logs :)

Otherwise, I'd look carefully at the dates that things were modified. You *do* have backups, right?

--
Morgan Gangwere

>> Why?
> Because it breaks the logical flow of conversation, plus makes messages unreadable.
>>> Top-Posting is evil.
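
Morgan's two suggestions, a Tripwire-style baseline and a look at modification dates, can be combined in a small script. This is an added example, not Tripwire and not anything from this thread: it hashes every regular file under a document root, stores the baseline, and on comparison reports added, removed and changed files, separately listing changed files whose mtime did not move, since those are exactly what a date-based search would miss. The demo directory and its files are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size, permission bits and mtime of every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime),
        }
    return baseline


def save_baseline(baseline, path):
    # Keep the baseline copy off the web host (read-only media, another box),
    # otherwise whoever changed the files can also change the baseline.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Diff two baselines; 'mtime_unchanged' are content changes a date search misses."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(
        k for k in set(old) & set(new)
        if old[k]["sha256"] != new[k]["sha256"] or old[k]["mode"] != new[k]["mode"]
    )
    mtime_unchanged = [k for k in changed if old[k]["mtime"] == new[k]["mtime"]]
    return {"added": added, "removed": removed, "changed": changed,
            "mtime_unchanged": mtime_unchanged}


def demo():
    """Constructed docroot: take a baseline, alter it, and compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<h1>hello</h1>")
        (root / "inc").mkdir()
        cfg = root / "inc" / "config.inc.php"
        cfg.write_text("<?php $debug = 0;")
        base = build_baseline(root)

        # Simulated changes: edit a file but restore its old mtime, drop a new
        # file, and delete one.  The mtime reset is what makes the edit invisible
        # to "find -newer"-style checks.
        st = cfg.stat()
        cfg.write_text("<?php $debug = 1;")
        os.utime(cfg, (st.st_atime, st.st_mtime))
        (root / "dropped.php").write_text("<?php /* constructed new file */")
        (root / "index.html").unlink()

        return compare(base, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice take the baseline right after a clean install or from a known-good backup (`save_baseline(build_baseline("/var/www"), "/mnt/readonly/www.json")`), and compare against it from a rescue boot rather than from the possibly compromised system itself.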


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
 "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


