I've been hacked, I need some help please... 2005-03-15 - By Paul
I would be interested in what OS you were running Apache on and what PHP scripts you thought were suspect. On Tuesday, March 15, 2005, at 09:22 AM, Francisco Hidalgo Sol? wrote:
> Yes, I'm sure root-only files were changed, as my complete log directory is gone. Unfortunately, or fortunately, this is my home machine hosting some sites of friends, so I never worried that much about security, only the normal things. I wasn't doing remote logging either, so I have no idea what happened. I came to the same conclusion as you and other people: I must reinstall everything to be sure. But this post is mainly an attempt to be able to discover what happened and whether this was a security hole in this specific version of Apache or any other thing, so I know what to do on my new installation.
>
> I will start with Ivan Barrera's suggestions, chrooted Apache, mod_security, maybe SELinux, but this bothers me so much, since this is only my home machine and I don't want to spend that much time on it...
>
> The first thing is remote logging; since I use syslog-ng on all my machines this should be very easy.
>
> Thanks for all the answers. If you know anything more about what could have been the attack I would like to hear about it.
>
> --- Dennis Speekenbrink <d.g.speekenbrink@(protected)> wrote:
>> Hi,
>>
>> Please keep in mind that I'm not a security expert.
>>
>> Something about this says that they did not get root access to the machine. Are you absolutely sure that "root-only" files were changed?
>>
>> Reasons for my thinking are:
>> The rogue processes are running under the Apache user (why not root?)
>> You can still log in. (Usually root exploits change the root password first thing, sadly speaking from my own experience.)
>> The rogue processes are located in /tmp, which is world-writable.
>> If access was gained through Apache, and it was indeed running as an unprivileged user, then they would need a second exploit to raise their access level to root. By default a security breach in Apache should only compromise anything that Apache can touch.
>>
>> On the other hand:
>> If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault.
>> If non-writable files were modified, then an Apache / PHP exploit alone couldn't have done it.
>> If system logs were deleted, that is almost certainly an indicator of a root exploit.
>>
>> If you conclude that root access was indeed gained, then the machine must be considered lost. Do not try to repair it, as you can never be sure you removed all traces of the attacker. If you assume that it was only an Apache / PHP exploit, then repair is possible but a reinstall might be safer.
>>
>> Good luck!
>>
>> Dennis
>>
>> p.s. If you have an off-site backup or remote logging, try comparing data to see what has changed.
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@(protected) " from the digest: users-digest-unsubscribe@(protected) For additional commands, e-mail: users-help@(protected)
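The indicators Dennis lists (rogue processes under the Apache user living in /tmp, root-owned files changed, a wiped /var/log) can be checked mechanically. The script below is an added example written for this thread; it is not the poster's code and not part of the Apache HTTP Server project. It assumes a POSIX sh with awk and find, a saved `ps -eo user,pid,args` listing, and a filesystem root prefix so the checks can be run against a mounted copy of the disk from a clean boot medium, since on a rooted box ps, find and ls themselves may be trojaned. The log file list is the Red Hat style layout of the time and is an assumption; adjust it for your distribution.

```sh
#!/bin/sh
# triage.sh: checks for the compromise indicators discussed in the thread.
# Added example for this thread, not the poster's or the Apache project's code.

# World-writable directories an attacker can drop binaries into.
WRITABLE_RE='^/(tmp|var/tmp|dev/shm)/'

# Log files that should exist and be non-empty (assumed layout, edit to taste).
LOG_FILES='var/log/messages var/log/secure var/log/wtmp
var/log/httpd/access_log var/log/httpd/error_log'

# Processes whose executable path sits in a world-writable directory.
# $1: file holding `ps -eo user,pid,args` output without the header line.
# Prints "user pid path". argv[0] can be forged, so on a live system prefer
# live_exe_check below, which reads the real path from /proc.
procs_from_writable_dirs() {
    awk -v re="$WRITABLE_RE" '$3 ~ re { print $1, $2, $3 }' "$1"
}

# Live-system variant: /proc/PID/exe reports the binary actually mapped and
# appends "(deleted)" when the file was unlinked after exec, a common trick.
live_exe_check() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*" (deleted)")
                printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
}

# System files modified after a reference timestamp.
# $1: root prefix ("" for the live system, or the mount point of an image)
# $2: a reference file whose mtime marks "last known good" (make one with touch -t)
# mtime is trivially reset with touch; if the clock was not tampered with,
# swap -newer for -cnewer (inode change time), which is harder to fake.
# Add -user root to narrow the listing to files only root could have written.
changed_system_files() {
    root=$1; ref=$2
    for d in etc bin sbin usr/bin usr/sbin lib; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -newer "$ref"
    done | sort
}

# Logs that are missing or empty; a wiped /var/log tree is the
# "almost certainly root" indicator from the thread.
# $1: root prefix. Prints one relative path per missing or empty log.
missing_logs() {
    root=$1
    for f in $LOG_FILES; do
        [ -s "$root/$f" ] || printf '%s\n' "$f"
    done
}

# Files with the owner-execute bit in world-writable directories.
# $1: root prefix.
tmp_executables() {
    root=$1
    for d in tmp var/tmp dev/shm; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -perm -100
    done | sort
}

# Usage: sh triage.sh <ps-listing> <root-prefix> <reference-file>
if [ $# -eq 3 ]; then
    echo '== processes running from world-writable dirs'; procs_from_writable_dirs "$1"
    echo '== executables in world-writable dirs';          tmp_executables "$2"
    echo '== system files newer than reference';           changed_system_files "$2" "$3"
    echo '== missing or empty logs';                       missing_logs "$2"
fi
```

Run it as `sh triage.sh ps.txt /mnt/victim /mnt/victim/var/lib/rpm/Packages` (or any file whose mtime predates the incident). A hit in the first two checks alone is consistent with Dennis's "Apache user only" theory; hits in the last two mean root-level write access and the machine should be treated as lost, exactly as the thread concludes. None of this replaces remote logging, which is the only way to keep a record the attacker cannot delete afterwards.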