I've been hacked, I need some help please... 2005-03-15 - By Ivan Barrera A.
> I have apache-2.0.52 and all my main pages were
> changed to an HTML message written in WORD!!! (that for
> sure says it was a script kiddie)
> I think they got root access since all my log
> directory is gone and they rewrote all index.* files
> from all my filesystem directories with their own
> message. I've found two processes running under the user
> "apache", they are "r0nin" and "brk".
I see this all the time. You are right: you were hacked through an insecure PHP script, and probably an insecure version of phpBB.
> The "who" command shows nothing, so it seems it was
> changed. I've found some info on the "r0nin" exploit but
> nothing on "brk", both files are in /var/tmp. There
> are also other files in /var/tmp, they are "dc"
> (executable), b.tgz and edy.tgz.
> As I said before, my major concern is root access. I'm
> almost sure they got in with an insecure PHP script,
> but as I see it (I could be wrong), this shouldn't be
> a major problem, that can run scripts with the
> unprivileged account "apache" but that's all;
> nonetheless they got root access from that
> unprivileged account.
If you have an outdated/unpatched kernel, you can fire up some race conditions and get root easily from an unprivileged account.
> Any ideas? I don't know what to do. I've read that
> the r0nin script opens a telnet session on port 1666,
> but this can't be the problem, since this port is
> blocked by the firewall and they would get an
> unprivileged telnet access anyway, right? I didn't
> find any info about the other scripts, I still have
> them there if you need any other info.
> Thank you very much.
Mmh... Start with blocking incoming connections. Remove those scripts, point your temp dirs to one with noexec properties (sometimes those damn kiddies use /dev/shm, so setting it noexec sometimes works). You will have to search all over your system for modified files (using Red Hat/Fedora it is simple: run rpm -VVV for each package). The best is to start with a clean system, running all the security you can. SELinux is good although kinda hard. mod_security, use a chrooted environment, etc...
> Francisco
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@(protected)
" from the digest: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)
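As an added example (not code from the original thread, the poster, or the Apache project), here is a small POSIX shell script for two of the steps in the reply above: checking that /tmp, /var/tmp and /dev/shm are mounted noexec (and producing the hardened fstab lines for them), and picking the really modified files out of `rpm -Va` output so that replaced binaries like "who" stand out from legitimately edited config files. The mount-table, fstab and rpm excerpts inside it are constructed samples; on a real box you would feed it /proc/mounts, /etc/fstab and a live `rpm -Va` instead. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread or the Apache project.
# Helpers for the cleanup steps in the reply: are the temp dirs noexec,
# what would hardened fstab lines look like, and which files did rpm's
# verify pass flag as really modified. All sample data is constructed so
# the script runs offline; real use is noted beside each function.

TEMP_DIRS="/tmp /var/tmp /dev/shm"

# Constructed /proc/mounts excerpt: /tmp is fine, /var/tmp and /dev/shm are not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var/tmp ext3 rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0'

# mounts_check: read mount-table lines on stdin, print one line per temp dir
# that is not protected by noexec. Real use: mounts_check < /proc/mounts
mounts_check() {
    awk -v dirs="$TEMP_DIRS" '
    BEGIN { n = split(dirs, want, " ") }
    {
        for (i = 1; i <= n; i++) if ($2 == want[i]) {
            seen[$2] = 1
            m = split($4, opts, ",")
            ok = 0
            for (j = 1; j <= m; j++) if (opts[j] == "noexec") ok = 1
            if (!ok) print $2 " mounted without noexec (" $4 ")"
        }
    }
    END {
        # a temp dir with no mount entry of its own lives on / and inherits
        # its options, which are practically never noexec
        for (i = 1; i <= n; i++)
            if (!seen[want[i]]) print want[i] " has no separate mount"
    }'
}

# Constructed /etc/fstab excerpt with the weak (default) options.
SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
tmpfs /dev/shm tmpfs defaults 0 0
/dev/sda2 /var/tmp ext3 defaults,nosuid 1 2'

# fstab_harden: copy fstab lines from stdin to stdout, adding nodev, nosuid
# and noexec to the temp-dir entries that lack them; other lines pass through.
# Real use: fstab_harden < /etc/fstab > /tmp/fstab.new, then review and install.
fstab_harden() {
    awk -v dirs="$TEMP_DIRS" '
    BEGIN { n = split(dirs, want, " ") }
    {
        hit = 0
        for (i = 1; i <= n; i++) if ($2 == want[i]) hit = 1
        if (hit) {
            split("", have)                  # reset the option set per line
            m = split($4, opts, ",")
            for (j = 1; j <= m; j++) have[opts[j]] = 1
            if (!("nodev"  in have)) $4 = $4 ",nodev"
            if (!("nosuid" in have)) $4 = $4 ",nosuid"
            if (!("noexec" in have)) $4 = $4 ",noexec"
        }
        print
    }'
}

# Constructed `rpm -Va` excerpt. The attribute string reads S=size differs,
# 5=digest differs, T=mtime differs; a 'c' column marks a config file, which
# an admin edits legitimately and is therefore not interesting here.
SAMPLE_RPM_VA='S.5....T.    /usr/bin/who
.......T.    /usr/bin/ls
S.5....T.  c /etc/httpd/conf/httpd.conf
missing     /var/log/httpd/access_log
..5......    /bin/ps'

# rpm_triage: read `rpm -Va` output on stdin; print MISSING files and the
# non-config files whose size or digest changed. Real use: rpm -Va | rpm_triage
rpm_triage() {
    awk '
    NF == 3 { attr = $1; type = $2; path = $3 }
    NF == 2 { attr = $1; type = "";  path = $2 }
    NF < 2  { next }
    {
        if (attr == "missing") { print "MISSING " path; next }
        if (type == "c") next                # edited config file, expected
        # a changed digest (5) or size (S) on a binary is the classic sign of
        # a replaced tool, which is what a silent "who" points at
        if (attr ~ /5/ || substr(attr, 1, 1) == "S")
            print "MODIFIED " path " (" attr ")"
    }'
}

# Run all three over the constructed samples when executed directly.
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_check
printf '%s\n' "$SAMPLE_FSTAB"  | fstab_harden
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_triage
```

Two caveats a practitioner would add. noexec on the temp dirs is a speed bump against the drop-and-run pattern seen here, not a security boundary: a process already running as "apache" has other ways to execute code, and noexec on /tmp can break package scriptlets that unpack there, so test it. And `rpm -V` trusts the rpm database and the rpm binary on the compromised box; once root is in doubt, run the verification from a rescue CD or known-good media, which is another reason the reply's last point (rebuild clean) is the right answer.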