I 've been hacked, I need some help please... 2005-03-15 - By Muhammad Rizwan
Are you using any hosting control panel?
On Tue, 2005-03-15 at 18:41, Francisco Hidalgo Sol?? wrote:
> Hi, my apache web server has been hacked and they got
> root access, this is my major concern.
>
> I have apache-2.0.52 and all my main pages were
> changed to a HTML message written in WORD!!! (that for
> sure says it was a script kiddie)
> I think they got root access since all my log
> directory is gone and they rewrote all index.* files
> from all my filesystem directories with their own
> message, I've found two process running under the user
> "apache", they are "r0nin" and "brk".
> The "who" command shows nothing, so it seems it was
> changed. I've found some info on "r0nin" exploit but
> nothing on "brk", both files are in /var/tmp. There
> are also other files in /var/tmp, they are "dc"
> (executable), b.tgz and edy.tgz.
> As I said before, my major concern is root access. I'm
> almost sure they got in with an insecure PHP script,
> but as I see it (I could be wrong), this shouldn't be
> a major problem, that can run scripts with the
> unprivileged account "apache" but thats all,
> nonetheless they got root access from that
> unprivileged account.
> Any ideas?, I don't know what to do. I've read that
> the r0nin script opens a telnet session in port 1666,
> but this cant be the problem, since this port is
> blocked by the firewall and they would get an
> unprivileged telnet access anyway, right?, I didn't
> find any info about the other scrips, I still have
> them there if you need any other info.
> Thank you very much.
>
> Francisco
>
>
>
>
>
>
> ___________________________________________________________
> 250MB gratis, Antivirus y Antispam
> Correo Yahoo!, el mejor correo web del mundo
> http://correo.yahoo.com.ar
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> " from the digest: users-digest-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@(protected)
" from the digest: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)
|
|
