I 've been hacked, I need some help please... 2005-03-15 - By Francisco Hidalgo Sol?
Hi, my apache web server has been hacked and they got
root access, this is my major concern.
I have apache-2.0.52 and all my main pages were
changed to a HTML message written in WORD!!! (that for
sure says it was a script kiddie)
I think they got root access since all my log
directory is gone and they rewrote all index.* files
from all my filesystem directories with their own
message, I've found two process running under the user
"apache", they are "r0nin" and "brk".
The "who" command shows nothing, so it seems it was
changed. I've found some info on "r0nin" exploit but
nothing on "brk", both files are in /var/tmp. There
are also other files in /var/tmp, they are "dc"
(executable), b.tgz and edy.tgz.
As I said before, my major concern is root access. I'm
almost sure they got in with an insecure PHP script,
but as I see it (I could be wrong), this shouldn't be
a major problem, that can run scripts with the
unprivileged account "apache" but thats all,
nonetheless they got root access from that
unprivileged account.
Any ideas?, I don't know what to do. I've read that
the r0nin script opens a telnet session in port 1666,
but this cant be the problem, since this port is
blocked by the firewall and they would get an
unprivileged telnet access anyway, right?, I didn't
find any info about the other scrips, I still have
them there if you need any other info.
Thank you very much.
Francisco
___________________________________________________________
250MB gratis, Antivirus y Antispam
Correo Yahoo!, el mejor correo web del mundo
http://correo.yahoo.com.ar
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@(protected)
" from the digest: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)
|
|
