On Tue, 06 Sep 2005 08:47:04 -0700, news wrote:

> I happened to notice today that one of my Web sites was hacked.
> They somehow replaced my index.php with index.html with only the text
> "DigitalMind" in it.
> Actually, they just inserted index.html, and since my server processes
> index.html before index.php, the site displays that.
>
> So, how did they do this? More importantly, how do I prevent it from
> happening again?
> I guess I can contact my Web host and ask them to set it to only use
> index.php as the root page, but can they possibly replace MY index.php
> with THEIR index.php in the future?
>
> Thanks for any information!
> Oh, if it helps, I'm using RedHat ES 2.1 with Apache 1.3.33 (I believe.)

It isn't clear to me from your post if you are running apache on your own
server or on a hosting service. The first thing you should always do when
running something open to the world is keep it up to date. I think 1.3.x
apache is pretty old.

As far as how it was done, there are a lot of possibilities. A bug in
apache, a misconfiguration of apache, a bug in a cgi script or server
include, a security problem somewhere else in the system that allowed
someone to modify files...
Then there are attacks from the "inside"...