Posted to users@httpd.apache.org by Joe <jo...@idiglobal.com> on 2002/02/28 18:57:06 UTC

Apache exploit

Our Apache server was hacked into last night and our index.html file replaced
with an index.html file with a link to russiahack.com.
We are running ver 1.3.17 with
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_ssl.c
  mod_php4.c

This is the error log 
[Thu Feb 28 07:30:38 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/|ls
[Thu Feb 28 07:30:39 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/ls
[Thu Feb 28 07:30:39 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/ls|
[Thu Feb 28 07:30:54 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.plls
[Thu Feb 28 07:30:56 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/images/b_client-end.gif
[Thu Feb 28 07:31:01 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl|ls
[Thu Feb 28 07:31:05 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/images/b_client-end.gif
[Thu Feb 28 07:31:05 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl;ls
[Thu Feb 28 07:37:14 2002] [error] [client 212.7.9.35] unknown directive "###########################################################################" in parsed doc /home/www/docroot/idiglobal/index.html

Anyone else seen this before??

Thanks,

Joe



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Apache exploit

Posted by Bill -OSX- Jones <sn...@mac.com>.
Pls note -


On Thursday, February 28, 2002, at 01:05  PM, Bill -OSX- Jones wrote:

> Hmmm ... since you've removed the actual 'hack' I can start 
> jumping to conclusions... You have SSI enabled and possibly are 
> badly handling CGI code?
>

That reads as Server Side Includes, not Secure Socket Layer.

	JIC;
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...




Re: Apache exploit

Posted by Bill -OSX- Jones <sn...@mac.com>.
Not really Apache's fault in this case - Appears they tried known 
shell attacks.

On Thursday, February 28, 2002, at 12:57  PM, Joe wrote:

> /home/www/docroot/idiglobal/|ls
> /home/www/docroot/idiglobal/ls
> /home/www/docroot/idiglobal/ls|
> /home/www/docroot/idiglobal/index.plls
> /home/www/docroot/idiglobal/index.pl|ls
> /home/www/docroot/idiglobal/index.pl;ls
> [Thu Feb 28 07:37:14 2002] [error] [client 212.7.9.35] unknown directive "###########################################################################" in parsed doc /home/www/docroot/idiglobal/index.html
>


Hmmm ... since you've removed the actual 'hack' I can start jumping 
to conclusions... You have SSI enabled and possibly are badly 
handling CGI code?

Are you trusting user supplied vars?
_Sx____________________
  ('>    -Sx- IUDICIUM
  //\   Have Computer -
  v_/_    Will Hack...
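
An added example, not part of the original thread: a Python triage script for Apache 1.3 error_log entries like the ones Joe posted. It groups "File does not exist" requests whose paths contain shell metacharacters by client and lists mod_include errors, which name the documents the server parses for SSI. The function and constant names are assumptions; the sample entries are a subset of the log quoted in the thread, unwrapped to one per line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 1.3 error_log entry: [timestamp] [level] [client ip] message
ENTRY = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[client ([^\]]+)\] (.*)$")
NOT_FOUND = "File does not exist: "
PARSED_DOC = re.compile(r"in parsed doc (\S+)$")   # mod_include (SSI) errors
SHELL_META = re.compile(r"[|;&`$<>]")              # shell separators and substitution

# Entries from the error log quoted in the thread, unwrapped to one per line.
SAMPLE_LOG = """\
[Thu Feb 28 07:30:38 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/|ls
[Thu Feb 28 07:30:39 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/ls|
[Thu Feb 28 07:30:56 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/images/b_client-end.gif
[Thu Feb 28 07:31:01 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl|ls
[Thu Feb 28 07:31:05 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl;ls
[Thu Feb 28 07:37:14 2002] [error] [client 212.7.9.35] unknown directive "###########################################################################" in parsed doc /home/www/docroot/idiglobal/index.html
"""

def triage(log_text):
    """Return (probes, ssi_errors).

    probes: client IP -> [(timestamp, path)] for not-found paths containing
    shell metacharacters. ssi_errors: [(timestamp, client, document)] for
    mod_include errors, which name documents the server parses for SSI.
    """
    probes, ssi_errors = defaultdict(list), []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # wrapped continuation or entry without a client field
        stamp, _level, client, msg = m.groups()
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        if msg.startswith(NOT_FOUND):
            path = msg[len(NOT_FOUND):]
            if SHELL_META.search(path):
                probes[client].append((ts, path))
        elif (doc := PARSED_DOC.search(msg)):
            ssi_errors.append((ts, client, doc.group(1)))
    return dict(probes), ssi_errors

if __name__ == "__main__":
    probes, ssi_errors = triage(SAMPLE_LOG)
    for client, hits in probes.items():
        print(f"{client}: {len(hits)} requests with shell metacharacters")
    for ts, client, doc in ssi_errors:
        print(f"{ts:%H:%M:%S} SSI parse error in {doc} (client {client})")
```

Requests such as `index.plls` leave no metacharacter in the error log, so entries from the same client within the same few minutes still need to be reviewed together.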

