Re: Someone hacked my apache2 server


 



I'm afraid I do not have a WAF...
Oleg.

On Sun, Apr 4, 2010 at 6:55 AM, Gil Vidals <gvidals@xxxxxxxxx> wrote:
Oleg,

What kind of web application firewall (WAF) are you running on your web servers? If the answer is "none", then you will have many problems with malware and hackers.  You must have proper security. Google "mod_security" or hire a web security guy to take care of your servers for you.

Gil Vidals
www.vmracks.com


On Sat, Apr 3, 2010 at 2:20 PM, Oleg Goryunov <oleg.goryunov@xxxxxxxxx> wrote:

Hello all,
It looks like someone hacked my apache2 server and I am trying to understand how this could have happened.
This is what happened:
All of a sudden the server - in response to a web-browser request for a page - started to give a full screen of unknown characters (looked like a long text with encoding mismatch).
The output was immediate and the same for all the web-sites located on the server.
Looking at the page source of the output I see the following:
=========

<iframe src="">  http://a z s x d e 5 5 . 9 9 6 6 . org:8800/ak47/29.html width=1 height=1></iframe> Л ������ э[сn8 ■▌√ \-{ ╘Ц '&q I щ]╙ф╥l{√ла$fCС*I┘ёс цЮхЮьf(╩Ц 9N-о╗pА─ 9№f8Ь  З╩ЁУєул▀.^СЙM °їхЫ╫╟$шДсЗ┴q Ю\ЭР Ю^Э╜!¤nП\i*
 

\I*┬Ё╒█А  k¤0Ь═f▌┘алЇ8╝║ o лПГ¤╫ОнМь&6      ОЖО▀M*д9lAщяээ ГГгн"╤╛аr| 0 G й=  г╔╤ !├И F&ЪН РТ═║TP═НаСщ╞*
M
ЮeJn  ║Б)│ФрРЬєщa +iЩ┤ ;X@№a`┘Н
q
р Й'T f s;ъ<псHЪ▓├@лHYS enЮТС BZ \∙Lщд:фУRйаO╔▀▄g ╦ни╩ўю╫ЛЛє╦л JЪ█Й╥ I%7░К o
 
H
ШЙ5p}+г
I
' b'М$sах1A}RAШ s ХI9АдT1KёлЩ ╦╥ Nc&ЩЧт Я~w xЭgLТw*1# ∙lБ\B:e y  ├т ; Ч╫▐,B ! 2 ." )   ═─a`@Y6-┴ЎАа
ж└1╝щ m BIЮ└Щ╟':еEk@МОБg Nb■с' жJYеДщ~2р4aA№h┤Ш║EjАm .&cчВЩ      cАqЧ bSyь┬SPХ─=├д        R пD ЖЕ o
 
#
Х╠Б═╔ыў$ @|H)ЧA)7LЯ1Щг9@/╙╨ d8R:%4F}А,L6Ь МnвТ├ S $.мO(0┌Аph╞╤  \Є╤l№ 4#·У'C.3      аMU"╞Є#КБ89Х╚╦>ПхFGъ& Tj┐с  ·~ FZ∙d0KJ.ю      bE╔йь╜┼g      ь8.╟нтг┴г╥ ┤щ9MxТ0YЄYЎ▐т4е" К93Ю╫ез%gмdЗ ii(8 Н3%┴ГCTE кЖxto H щ█Ж!- Ф^  A#А╕ tI9kЗ▒UNm~╩З;? Аv \ 8K═їbФ7а5C4│╣^z3x█ПO_Nc∙ПЬЮ^┌шdЎaW^|xЯп┼ВяI2`╜╜┴nowў┘(┌┘▐щя$^ э ╔ВK бЖ!┌╣є8Ёз║WYХбS  ┼Ё█я pеqз ЄtьГPлЫє0ъО∙ha :"V сг╞i Z@ Yў■ЕY,Р`- FE4Юa. ё Жv0и  Ї ^ЎdTуц┬A>t╨╡┘  ЩМ╩г╙є│W }ё+ fUXЗўs  -wвR FН╕5d ░Ч╛▒
 
 
~
ёY вТ аY tlkачоЭ`√- mсЁ╠ .   ╣н┌Г■{ х?ъ  uю4d═┤JЄ╕.т╒щ+rqy~Єыё╒▌║▄m  ╣Ь* 35eza▒крпх{ь#eч:х>_┴Гъx  1°/л1xQщ╕ ╝вУжEФ,".`н╞г\║нмa E'YЇоЫ╚▐
.Z
х А:эl.Л▐{│┘юн`уRЭ ─Ь °Kt╠йш$hH │╖║  -д╚Ъ,i╔ТvЭ ¤"H пч¤Ў№° LW0Нsc u R%ъ4Yf5╬╟ЮТ,(+yє:ЎГ ь%│░щ]wR%1ё┬Е.r ы╖  YR∙<} ю О╕д╥-q _╩╬{2Yхц╕╔ ┴┤щрБA+Q╖▄▓Ч°{З╗чП
 
w
ШA┼╣╓ю4RўsFз╠╣{ k╔йч░8╛▄ ■╢ЫБ├#ЕнБя№~ o╗╣ЫФа &28
^
@O}у:f -AпеЪ      ЦМ Ю┘k пЎ▄{щ·/UїЫq$aйк╔xЄъь| 5  1 И Яєцц|  woя 4унc?dLM#гxl┐┐J╖┐аJЫa
v*чї8x~vётэow+v\ П dJ!  ·_,Ъ╫Шъа KрФ Г ь*ъY╤╢ r┼м1С4Н8<kaЁ█CЄїЧП═╫гGцы╤▌∙·"O Ч╤ │ї R_√YР.& |  ПжtXО┤╤¤ЖНАD▄┘Й ю╕r ¤
 
KV$
Ч      ╙ШлWН'8z▒Р█ ЖkYEx├хupDBRгИ4гIмє42p$╢У ЭГ ї¤f > Ж ?>  ы'ci в╫iЙйМaщ ~ЖV ТMЁ0╩╟╥┘ **єA У░ #mgDS.ц√ vо 2бзX"Ь╥ГаN +бЇ>∙бч~ И;ўL  Oь>Сp╚етА8<мГьУ■ Мяnё|<╨д_У█w?╧ь:Y ∙l-Л иSF╡Ш fa,VWэДZWА¤ЬГ.эЬ°]Х ▄щсМ├
 
би╝9сй+B  A& -ЧnдUXuu вF В )Odф
с b6Щ ХkByКПV!╔Ф'!DUСLA ─Х/%Аїч(d╠║Лx6щ;ЭЧкHй sOznЖ├HУЁш ╪┤L SАД(      мм&Z3NvJp шhw]

 
С▌┴ iяяАm 47шbеzqhКФЕ┤╜N&-
 *X;T
уМСDэ{.X╟жКY╓р nbgl╦═E$S У═Зр q      K#К3Fб:·1  З ёqо]П█rА n:▀А╨ Ы╔Е;Лz0╕╩5С╤Д╤R      Ыr

┐Яyy4 >╚ЁН){ЕЩ(х4╘╨   х У |ЇY8°yzЇ─@$D s№▒йb▒ж1Гпс│╦АPq_∙Ун8q j ╒╢B  ╡ь< ╪э*ЫГБe ЕkT|└э -ЎZ ╝╫╠▄= 4Q├╛@Ё╘ └Ю"ЛН┼LxЦA╪е╞н цмВY ёJф╢ЪЇ╓ ▒╥с╛°мщЄц╥╗>nG~CH(d"╒ГcЛР夹a  ▓▐  69   АoX;wц ыlэ╡s   YИLШ@   √C Zь рЄБPcЧa)gУeхд4NH  /!cСДеР┤ й╔гФCъ .9+єЫ┐╪      ф5X р 6<ч▒┼Ъ$╨т╥▒ИСЄ╥ №uaМtЄХ^ЁW?Kў╖2 ймУр╓4Р E

==================
The address indicated at the beginning of the page code leads to some Chinese server.


So, somehow it happened that the output of the Apache server was substituted by this page, which redirected visitors to some Chinese server. (It is the second time I am posting to the mailing list; the first time the mailing list virus scanner identified the content as having the Troj/Fujif-Gen virus, so this time I removed active links from the message body, which is why it is not exactly what I received.)



But the strangest thing was that the problem disappeared by itself! It lasted for 10 minutes, then disappeared! And then it started again and disappeared again. Finally, I shut down Apache until I understand what is going on...

Any idea how could that happen?  How to reproduce this? How to prevent?
Where to look for logs? I have checked both the ssh logs and the Apache logs; there is nothing that seems unusual there...

Any help is appreciated.
Oleg.
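The indicator in the post above is a 1x1 iframe pointing at an off-site host, prepended to every page the server returns. The script below is an added example, not code from the thread or from any of its participants: it extracts iframes with the standard-library HTML parser, flags the ones that are sized or styled to be invisible and whose host is not the site's own, and applies that check both to files under a document root and to a served response compared against the file on disk. The hostnames, paths and sample pages are constructed placeholders.

```python
"""Find hidden off-site iframes in HTML, on disk and in served responses.
Added example for the thread above; hosts, paths and pages are made up."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is 1x1 (or 0x0) or hidden through its style attribute."""
    def tiny(value):
        m = re.match(r"\s*(\d+)", value)
        return m is not None and int(m.group(1)) <= 1
    if tiny(attrs.get("width", "")) and tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_hidden_iframes(html, site_host):
    """Return the src of each hidden iframe whose host is not site_host.
    Relative srcs (no host) belong to the site itself and are ignored."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower() and _is_hidden(attrs):
            hits.append(src)
    return hits


def scan_webroot(root, site_host, exts=(".html", ".htm", ".php", ".js")):
    """Walk a document root; return {path: [suspicious src, ...]} for files
    that contain hidden off-site iframes. Binary junk is tolerated."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as f:
                    hits = find_hidden_iframes(f.read(), site_host)
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def injected_at_serve_time(served_html, disk_html, site_host):
    """Hidden off-site iframes present in the served response but absent from
    the file on disk: the alteration happens between the file and the client
    (a server module, a proxy, or the network path), not in the document root."""
    on_disk = set(find_hidden_iframes(disk_html, site_host))
    return [s for s in find_hidden_iframes(served_html, site_host) if s not in on_disk]


# Constructed samples (placeholder host and path, not the one from the post):
# a clean page with a legitimate local 1x1 frame and a visible off-site embed,
# and the same page as served with an injected hidden off-site iframe in front.
BAD_SRC = "http://malware.example:8800/x/29.html"
CLEAN_PAGE = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src='/widget.html' width=1 height=1></iframe>"
    "<iframe src='http://video.example/embed/1' width=560 height=315></iframe>"
    "</body></html>"
)
SERVED_PAGE = '<iframe src="%s" width=1 height=1></iframe>' % BAD_SRC + CLEAN_PAGE


def demo_scan():
    """Write the constructed pages into a temporary web root and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
            f.write(SERVED_PAGE)
        with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as f:
            f.write(CLEAN_PAGE)
        found = scan_webroot(root, "www.example.org")
        return {os.path.basename(p): hits for p, hits in found.items()}


if __name__ == "__main__":
    print(demo_scan())
    print(injected_at_serve_time(SERVED_PAGE, CLEAN_PAGE, "www.example.org"))
```

Run `scan_webroot` against the real document root with the site's own hostname, and feed `injected_at_serve_time` a response captured while the symptom is present together with the matching file from disk. A clean on-disk scan combined with a dirty served response says the files are not what was changed, which narrows where to look next.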



