My apache is being hacked. :-(
A discussion in the Apache Web Server forums, part of the Web Server and Related Forums category.
Somehow my server is being hacked through Apache but I don't know how they are
getting in. The hackers upload files to my /tmp or /var/tmp directories, then
they are able to execute the files that they upload.

I have disabled the following in Apache: proxies and cgi but they are still
getting in. Any ideas?

I have discovered the following in Apache's error log.

###Following is a snip from my /var/log/httpd/error_log: ################
--02:09:07-- http://rootsystem.100free.com/sk.zip
=> `sk.zip'
Resolving rootsystem.100free.com... done.
Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.100free.com/404.html [following]
--02:09:07-- http://www.100free.com/404.html
=> `404.html'
Resolving www.100free.com... done.
Connecting to www.100free.com[64.156.241.61]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 991 [text/html]

0K 100% 967.77 KB/s

02:09:08 (967.77 KB/s) - `404.html' saved [991/991]

chmod: failed to get attributes of `sk.zip': No such file or directory
--02:09:55-- http://rootsystem.100free.com/dcpl.zip
=> `dcpl.zip'
Resolving rootsystem.100free.com... done.
Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 759 [application/zip]

0K 100% 741.21 KB/s

02:09:56 (741.21 KB/s) - `dcpl.zip' saved [759/759]

### End of snip ################
Dan Eskildsen <danes@image.dk> wrote:
> ###Following is a snip from my /var/log/httpd/error_log: ################
> --02:09:07-- http://rootsystem.100free.com/sk.zip

More than an error_log it looks like the log of an FTP or WGET session.

Anyway, if your machine has been rootkitted or cracked, your only option is
to reinstall it from scratch. A post-mortem examination could shed some
light about how they got in, but first you have to shut them off.

> 02:09:56 (741.21 KB/s) - `dcpl.zip' saved [759/759]

Do you have something that allows people to 'upload' files to your system,
and that 'something' doesn't check _where_ he is uploading to?

Davide
-- 
| Talkers are no good doers. |
> More than an error_log it looks like the log of an FTP or WGET session.

Agreed. But that snip is actually from my apache error log. I don't have an
FTP server running. If they are using wget how can I stop that?

> Anyway, if your machine has been rootkitted or cracked, your only
> option is to reinstall it from scratch. A post-mortem examination could
> shed some light about how they got in, but first you have to shut them
> off.

After getting the files uploaded they are able to execute them running as
user wwwrun - so I don't think that they have gotten root access. I kill
their processes and then delete them from /tmp or /var/tmp. A few days later
they get in again. How could I carry out an examination to find out how they
are getting in and so that I can plug the hole?

> Do you have something that allows people to 'upload' files to your
> system, and that 'something' doesn't check _where_ he is uploading to?

No.

Regards,
Dan
Dan Eskildsen <danes@image.dk> wrote:
> I don't have an FTP server running. If they are using wget how can I stop
> that?

Blocking the referrer, but that can be faked; if they use a block of
specific ip addresses, block those addresses in the firewall.

> After getting the files uploaded they are able to execute them running as
> user wwwrun

How? If they upload the files in /tmp, apache shouldn't be able to run them
in there, unless you have a really badly configured apache.

> How could I carry out an examination to find out how they are getting
> in and so that I can plug the hole?

Examining very carefully the log files, what they do and what they call.

> No.

Yes, otherwise they wouldn't be able to upload stuff.

Davide
-- 
| There are three possibilities: Pioneer's solar panel has turned away
| from the sun; there's a large meteor blocking transmission; or someone
| loaded Star Trek 3.2 into our video processor. |
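Davide's advice to examine the log files carefully is the right starting point, and the snippet Dan posted already contains the key clue: Apache writes the stderr of child processes (CGI and similar) into error_log, and wget prints its progress to stderr, so a wget transcript inside error_log means a process running under the web server's user ran a downloader. The script below is an added example, not code from the thread or from any of its participants: it separates Apache's own "[date] [level] ..." lines from such stray child-process output and summarizes every fetch (time, URL, host, resolved IP, HTTP status, file saved) so a defender can list the remote hosts to block and the files to look for under /tmp and /var/tmp. The sample input is constructed from the lines quoted in the thread plus one ordinary Apache notice line; the function and field names are my own.

```python
"""Triage an Apache error_log excerpt for wget-style transfer output.

Added example, not from the thread. The sample below is constructed from
the log lines Dan posted plus one made-up ordinary Apache notice line so
the filter has a legitimate line to ignore.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
[Sun Mar 14 02:08:59 2004] [notice] Apache configured -- resuming normal operations
--02:09:07-- http://rootsystem.100free.com/sk.zip
=> `sk.zip'
Resolving rootsystem.100free.com... done.
Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.100free.com/404.html [following]
--02:09:07-- http://www.100free.com/404.html
=> `404.html'
Resolving www.100free.com... done.
Connecting to www.100free.com[64.156.241.61]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 991 [text/html]
0K 100% 967.77 KB/s
02:09:08 (967.77 KB/s) - `404.html' saved [991/991]
chmod: failed to get attributes of `sk.zip': No such file or directory
--02:09:55-- http://rootsystem.100free.com/dcpl.zip
=> `dcpl.zip'
Resolving rootsystem.100free.com... done.
Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 759 [application/zip]
0K 100% 741.21 KB/s
02:09:56 (741.21 KB/s) - `dcpl.zip' saved [759/759]
"""

# A genuine Apache error_log line starts with "[timestamp] [level]".
APACHE_LINE = re.compile(r"^\[[^\]]+\] \[\w+\]")
# wget transcript markers, as seen in the posted snippet.
FETCH_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
CONNECT = re.compile(r"^Connecting to ([^\[\s]+)\[([\d.]+)\]:(\d+)")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
SAVED = re.compile(r"- `([^']+)' saved \[(\d+)/(\d+)\]")
CHMOD = re.compile(r"^chmod: .*`([^']+)'")


@dataclass
class Fetch:
    time: str
    url: str
    host: Optional[str] = None
    ip: Optional[str] = None
    status: Optional[int] = None
    saved_as: Optional[str] = None
    size: Optional[int] = None


def summarize(log_text: str) -> Dict[str, object]:
    """Split the excerpt into Apache lines and foreign (child-process) lines,
    and reconstruct each download attempt from the foreign lines."""
    fetches: List[Fetch] = []
    chmod_targets: List[str] = []
    apache_lines = foreign_lines = 0
    current: Optional[Fetch] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if APACHE_LINE.match(line):
            apache_lines += 1
            continue
        foreign_lines += 1  # not Apache's own format: stderr of something else
        if m := FETCH_START.match(line):
            current = Fetch(time=m.group(1), url=m.group(2))
            fetches.append(current)
        elif (m := CONNECT.match(line)) and current:
            current.host, current.ip = m.group(1), m.group(2)
        elif (m := STATUS.search(line)) and current:
            current.status = int(m.group(1))
        elif (m := SAVED.search(line)) and current:
            current.saved_as, current.size = m.group(1), int(m.group(2))
        elif m := CHMOD.match(line):
            chmod_targets.append(m.group(1))  # downloader tried to make a file executable
    return {
        "apache_lines": apache_lines,
        "foreign_lines": foreign_lines,
        "fetches": fetches,
        "remote_ips": sorted({f.ip for f in fetches if f.ip}),
        "chmod_targets": chmod_targets,
        "suspicious": bool(fetches),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"apache lines: {report['apache_lines']}, foreign lines: {report['foreign_lines']}")
    for f in report["fetches"]:
        print(f"{f.time} {f.url} -> {f.ip} status={f.status} saved={f.saved_as} size={f.size}")
    print("remote IPs to consider blocking:", report["remote_ips"])
    print("chmod attempted on:", report["chmod_targets"])
```

Run it against a real error_log by replacing SAMPLE_LOG with the file's contents; any fetch it reports is a child process of the web server reaching out for a file, and the saved names are what to look for in /tmp and /var/tmp. The surrounding Apache lines (those that do match the "[date] [level]" format) with the same timestamps are where the request that spawned the process will usually show up.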
Dan Eskildsen wrote:
> Somehow my server is being hacked through Apache but I don't know how they are
> getting in. The hackers upload files to my /tmp or /var/tmp directories,
> then they are able to execute the files that they upload.
>
> I have disabled the following in Apache: proxies and cgi but they are still
> getting in. Any ideas?
>
> I have discovered the following in Apache's error log.
>
> ###Following is a snip from my /var/log/httpd/error_log: ################
> --02:09:07-- http://rootsystem.100free.com/sk.zip
> => `sk.zip'
> Resolving rootsystem.100free.com... done.
> Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: http://www.100free.com/404.html [following]
> --02:09:07-- http://www.100free.com/404.html
> => `404.html'
> Resolving www.100free.com... done.
> Connecting to www.100free.com[64.156.241.61]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 991 [text/html]
>
> 0K 100% 967.77 KB/s
>
> 02:09:08 (967.77 KB/s) - `404.html' saved [991/991]
>
> chmod: failed to get attributes of `sk.zip': No such file or directory
> --02:09:55-- http://rootsystem.100free.com/dcpl.zip
> => `dcpl.zip'
> Resolving rootsystem.100free.com... done.
> Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 759 [application/zip]
>
> 0K 100% 741.21 KB/s
>
> 02:09:56 (741.21 KB/s) - `dcpl.zip' saved [759/759]
>
> ### End of snip ################

You might want to install chkrootkit and scan for known rootkits on the
system.

Dan
> You might want to install chkrootkit and scan for known rootkits on the
> system.

Thanks for the tip. I installed chkrootkit (www.chkrootkit.org) and scanned
but it did not find anything. I am still perplexed as to how they got in.

Regards,
Dan
Thanks for your comments Davide.

> > After getting the files uploaded they are able to execute them running as
> > user wwwrun
>
> How? If they upload the files in /tmp, apache shouldn't be able to run
> them in there, unless you have a really badly configured apache.

What if they are in /var/tmp? How do I check my apache configuration?

> Examining very carefully the log files, what they do and what they call.

Could you suggest log files that I need to examine? I have been looking at
/var/log/httpd/error_log

Sorry, I am rather a newbie!!

Dan