Posted to users@httpd.apache.org by Joe <jo...@idiglobal.com> on 2002/02/28 18:57:06 UTC
Apache exploit
Our Apache server was hacked into last night and our index.html file replaced
with an index.html file with a link to russiahack.com.
We are running ver 1.3.17 with
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c
mod_ssl.c
mod_php4.c
This is the error log
[Thu Feb 28 07:30:38 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/|ls
[Thu Feb 28 07:30:39 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/ls
[Thu Feb 28 07:30:39 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/ls|
[Thu Feb 28 07:30:54 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.plls
[Thu Feb 28 07:30:56 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/images/b_client-end.gif
[Thu Feb 28 07:31:01 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl|ls
[Thu Feb 28 07:31:05 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/images/b_client-end.gif
[Thu Feb 28 07:31:05 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl;ls
[Thu Feb 28 07:37:14 2002] [error] [client 212.7.9.35] unknown directive "###########################################################################" in parsed doc /home/www/docroot/idiglobal/index.html
Anyone else seen this before??
Thanks,
Joe
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Apache exploit
Posted by Bill -OSX- Jones <sn...@mac.com>.
Pls note -
On Thursday, February 28, 2002, at 01:05 PM, Bill -OSX- Jones wrote:
> Hmmm ... since you've removed the actual 'hack' I can start
> jumping to conclusions... You have SSI enabled and possibly are
> badly handling CGI code?
>
That reads as Server Side Includes, not Secure Socket Layer.
JIC;
_Sx____________________
('> -Sx- IUDICIUM
//\ Have Computer -
v_/_ Will Hack...
Re: Apache exploit
Posted by Bill -OSX- Jones <sn...@mac.com>.
Not really Apache's fault in this case - Appears they tried known
shell attacks.
On Thursday, February 28, 2002, at 12:57 PM, Joe wrote:
> /home/www/docroot/idiglobal/|ls
> /home/www/docroot/idiglobal/ls
> /home/www/docroot/idiglobal/ls|
> /home/www/docroot/idiglobal/index.plls
> /home/www/docroot/idiglobal/index.pl|ls
> /home/www/docroot/idiglobal/index.pl;ls
> [Thu Feb 28 07:37:14 2002] [error] [client 212.7.9.35] unknown directive
> "###########################################################################"
> in parsed doc /home/www/docroot/idiglobal/index.html
>
Hmmm ... since you've removed the actual 'hack' I can start jumping
to conclusions... You have SSI enabled and possibly are badly
handling CGI code?
Are you trusting user supplied vars?
_Sx____________________
('> -Sx- IUDICIUM
//\ Have Computer -
v_/_ Will Hack...
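Added example (not part of the thread, and not Apache project code): a small Python triage script for the error-log format shown in the first post. It groups "File does not exist" paths that contain shell metacharacters by client and notes later mod_include "parsed doc" errors from the same client; the metacharacter set and the `min_probes` threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six entries from the post's error log (directive string shortened).
SAMPLE_LOG = """\
[Thu Feb 28 07:30:38 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/|ls
[Thu Feb 28 07:30:39 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/ls|
[Thu Feb 28 07:30:56 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/images/b_client-end.gif
[Thu Feb 28 07:31:01 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl|ls
[Thu Feb 28 07:31:05 2002] [error] [client 212.7.9.35] File does not exist: /home/www/docroot/idiglobal/index.pl;ls
[Thu Feb 28 07:37:14 2002] [error] [client 212.7.9.35] unknown directive "###" in parsed doc /home/www/docroot/idiglobal/index.html
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
MISSING = re.compile(r"^File does not exist: (?P<path>.+)$")
PARSED_DOC = re.compile(r"in parsed doc (?P<doc>\S+)$")
SHELL_META = re.compile(r"[|;&`$<>]")  # assumption: characters treated as shell syntax

def analyze(log_text, min_probes=3):
    """Per client: missing-file paths with shell metacharacters, plus later SSI parse errors."""
    probes = defaultdict(list)      # client -> [(time, path)]
    ssi_errors = defaultdict(list)  # client -> [(time, parsed document)]
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        when = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Y")
        missing = MISSING.match(entry["msg"])
        parsed = PARSED_DOC.search(entry["msg"])
        if missing and SHELL_META.search(missing["path"]):
            probes[entry["client"]].append((when, missing["path"]))
        elif parsed:
            ssi_errors[entry["client"]].append((when, parsed["doc"]))
    report = {}
    for client, hits in probes.items():
        if len(hits) < min_probes:  # ignore clients with only a stray odd request
            continue
        first = min(t for t, _ in hits)
        report[client] = {
            "probe_paths": [p for _, p in hits],
            "first_probe": first,
            "ssi_errors_after": [d for t, d in ssi_errors[client] if t >= first],
        }
    return report

if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(client, len(info["probe_paths"]), "probes;", info["ssi_errors_after"])
```

The error log only records requests that failed; the access log for the same client and time window shows which requests were actually served.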