I 've been hacked, I need some help please... 2005-03-15 - By Dennis Speekenbrink
Hi,
Please keep in mind that I'm not a security expert.
Something about this says that they did not get root access to the machine.
Are you absolutely sure that "root-only" files we're changed?
Reasons for my thinking are:
The rogue processes are running under the Apache user (why not root?)
You can still log in. (usually root-exploits change the root password
first thing, sadly speaking from my own experience)
The rogue processes are located in /tmp which is world-writeable.
If access was gained through Apache, and it was indeed running as an
un-priviledged user, then they would need a second exploit to raise
their access level to root. By default a security breach in apache
should only compromise anything that Apache can touch.
On the other hand:
If you're logged in and the 'who' command shows absolutely nobody, then
it is obviously at fault.
If non-writeable files we're modified then an Apache / php exploit alone
couldn't have done it.
If system logs we're deleted that is almost certainly an indicator of a
root-exploit.
If you conclude that root-access was indeed gained, then the machine
must be considered lost.
Do not try to repair it, as you can never be sure you removed all traces
of the attacker.
If you assume that it was only a apache / php exploit then repair is
possible but a reinstall might be safer.
Good luck!
Dennis
p.s. if you have an off-site backup or remote logging try comparing data
to see what has changed.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@(protected)
" from the digest: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)
|
|
