I've been hacked, I need some help please... 2005-03-15 - By Francisco Hidalgo Sol?
OS, Gentoo Linux, recently upgraded (some days ago) to the latest versions of what Gentoo developers consider stable. The PHP scripts running: various versions of phpBB, PHPmyadmin (secured), I think that there is a PHPnuke there too... I don't know the suspicious one, but my brother installed some days ago a modification of the popular blog software "world press", and he was with speed problems in that script; everything in my sites worked fine. Now that I think of it, maybe that's the suspect number one.
--- Paul <paul@(protected)> wrote:

> I would be interested in what OS you were running Apache on and what PHP scripts you thought were suspect.
>
> On Tuesday, March 15, 2005, at 09:22 AM, Francisco Hidalgo Sol? wrote:
>
> > Yes, I'm sure root only files were changed, as my complete log directory that is gone. Unfortunately, or fortunately, this is my home machine hosting some sites of friends, so I never worried that much for security, only the normal things. I wasn't doing remote logging either so I have no idea what happened.
> > I came to the same conclusion as you and other people, I must reinstall everything to be sure. But this post is mainly an attempt to be able to discover what happened and if this was a security hole in this specific version of apache or any other thing. So I know what to do on my new installation.
> > I will start with Ivan Barrera's suggestions, chrooted apache, mod_security, maybe selinux, but this bothers me so much, since this is only my home machine and I don't want to spend that much time in it...
> > The first thing is remote logging; since I use syslog-ng in all my machines this should be very easy.
> > Thanks for all the answers, if you know anything more about what could have been the attack I would like to hear about it.
> >
> > --- Dennis Speekenbrink <d.g.speekenbrink@(protected)> wrote:
> >> Hi,
> >>
> >> Please keep in mind that I'm not a security expert.
> >>
> >> Something about this says that they did not get root access to the machine.
> >> Are you absolutely sure that "root-only" files were changed?
> >>
> >> Reasons for my thinking are:
> >> The rogue processes are running under the Apache user (why not root?)
> >> You can still log in. (usually root-exploits change the root password first thing, sadly speaking from my own experience)
> >> The rogue processes are located in /tmp which is world-writeable.
> >> If access was gained through Apache, and it was indeed running as an un-privileged user, then they would need a second exploit to raise their access level to root. By default a security breach in apache should only compromise anything that Apache can touch.
> >>
> >> On the other hand:
> >> If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault.
> >> If non-writeable files were modified then an Apache / php exploit alone couldn't have done it.
> >> If system logs were deleted that is almost certainly an indicator of a root-exploit.
> >>
> >> If you conclude that root-access was indeed gained, then the machine must be considered lost.
> >> Do not try to repair it, as you can never be sure you removed all traces of the attacker.
> >> If you assume that it was only an apache / php exploit then repair is possible but a reinstall might be safer.
> >>
> >> Good luck!
> >>
> >> Dennis
> >>
> >> p.s. if you have an off-site backup or remote logging try comparing data to see what has changed.
> >>
> >> ---------------------------------------------------------------------
> >> The official User-To-User support forum of the Apache HTTP Server Project.
> >> See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> To unsubscribe, e-mail: users-unsubscribe@(protected)
> >> " from the digest: users-digest-unsubscribe@(protected)
> >> For additional commands, e-mail: users-help@(protected)
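The quoted reply ends with two practical suggestions: compare the machine against an off-site backup or a known-good baseline to see what changed, and treat changes to files the Apache user could not have written as evidence that the intrusion went beyond a plain web-tier compromise. The following is an added example, not code from this thread or from the Apache project, showing both steps on a constructed directory tree. All function names are hypothetical; `WEB_UID` is a constructed uid for the web worker; group permissions are deliberately not modelled, so the triage errs toward "escalation-suspected" for group-writable files.

```python
"""Added example (not from the thread): file-integrity baseline comparison plus
a simple triage of which changes a web-server user could have made itself."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

WEB_UID = 81  # constructed: uid the Apache workers ran as in the sample data


def build_manifest(root):
    """Record (sha256, permission bits, owner uid) for every regular file under root.
    Symlinks are skipped so a planted link cannot make us hash a file elsewhere."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        key = path.relative_to(root).as_posix()
        manifest[key] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return manifest


def describe_change(old, new):
    """Name which of content / mode / owner differ between two manifest entries."""
    labels = ("content", "mode", "owner")
    return ",".join(lbl for lbl, a, b in zip(labels, old, new) if a != b)


def diff_manifests(baseline, current):
    """Report files added, removed, or changed since the baseline was taken."""
    base_paths, cur_paths = set(baseline), set(current)
    modified = [(p, describe_change(baseline[p], current[p]))
                for p in sorted(base_paths & cur_paths) if baseline[p] != current[p]]
    return {"added": sorted(cur_paths - base_paths),
            "removed": sorted(base_paths - cur_paths),
            "modified": modified}


def web_user_could_write(entry, web_uid):
    """True if the web worker could have written this file directly: it owned the
    file, or the file was world-writable. Group membership is not modelled (assumption)."""
    _, mode, uid = entry
    return uid == web_uid or bool(mode & stat.S_IWOTH)


def classify(diff, baseline, web_uid=WEB_UID):
    """Triage in the spirit of the quoted reply: if a file the web user could not
    write was modified or removed, a web-tier compromise alone does not explain it."""
    touched = [p for p, _ in diff["modified"]] + diff["removed"]
    beyond = [p for p in touched if not web_user_could_write(baseline[p], web_uid)]
    return ("escalation-suspected", beyond) if beyond else ("web-user-only", [])


def demo():
    """Constructed scenario: snapshot a small tree, then alter a config file,
    drop a file into the world-writable tmp directory, delete a log, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc", "tmp", "var"):
            (root / sub).mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        (root / "var" / "log.txt").write_text("old log\n")
        baseline = build_manifest(root)

        (root / "etc" / "httpd.conf").write_text("Listen 8080\n")  # content changed
        (root / "tmp" / "x").write_text("#!/bin/sh\n")               # new file in tmp
        os.chmod(root / "tmp" / "x", 0o755)
        (root / "var" / "log.txt").unlink()                          # log removed
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In a real investigation the baseline manifest has to come from somewhere the attacker could not reach, such as the off-site backup or a snapshot taken before the incident, and it should be compared from a clean system rather than on the suspect host; as the quoted reply notes, once root access is suspected the host itself is no longer trustworthy enough to run the comparison.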