Posted to users@httpd.apache.org by Rob Tanner <rt...@linfield.edu> on 2005/03/04 03:27:20 UTC

[users@httpd] Possible apache security hole??

Hi,

We have an unknown assailant twice break into our main webserver as the
apache user (the user the web server runs as) and each time he planted
files in /var/tmp and caused the whole system to hang (RH Linux).  I
don't know that he/she is coming in by taking advantage of an apache
bug or not, but here is the list of what's running in the server and
what I'm wondering is whether my problem sounds like a known issue with
any one of these packages/versions.  The hacker might, of course, be
getting in via some entirely unrelated mechanism.
 
Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47 
OpenSSL/0.9.7a DAV/2 PHP/4.3.6 mod_jk/1.2.4

Thanks.

-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Possible apache security hole??

Posted by Joshua Slive <js...@gmail.com>.
On Thu, 03 Mar 2005 18:27:20 -0800, Rob Tanner <rt...@linfield.edu> wrote:
> Hi,
> 
> We have an unknown assailant twice break into our main webserver as the
> apache user (the user the web server runs as) and each time he planted
> files in /var/tmp and caused the whole system to hang (RH Linux).  I
> don't know that he/she is coming in by taking advantage of an apache
> bug or not, but here is the list of what's running in the server and
> what I'm wondering is whether my problem sounds like a known issue with
> any one of these packages/versions.  The hacker might, of course, be
> getting in via some entirely unrelated mechanism.
> 
> Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47
> OpenSSL/0.9.7a DAV/2 PHP/4.3.6 mod_jk/1.2.4

Well, you are several versions behind on some of those components and
on Apache, so upgrading would definitely be a good idea.

But the most likely source of the problem is some insecure cgi script
or other script on your system.  Check all your scripts for security
problems.

Joshua.



Re: [users@httpd] Possible apache security hole??

Posted by Rob Tanner <rt...@linfield.edu>.
Bruce,

I checked, and you pretty much hit the nail right on the head.  I didn't want
to reply (at least not list-wide) until our webmaster got all the php cleaned
up and globals off.  Thanks.

-- Rob


--On Friday, March 04, 2005 01:39:51 PM -0300 "Ivan Barrera A."
<Br...@Ivn.cl> wrote:

>>> Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7a DAV/2 
>>> PHP/4.3.6 mod_jk/1.2.4
>>> 
>>> Thanks.
>>> 
>>>  
>>> 
>> I had a similar problem and was advised by someone (who knows a bit more 
>> than I do) that I should upgrade PHP. I now run PHP 5.0.3. Apparently 
>> there is a security issue with earlier PHP versions.
>> 
>> Gene
> 
> There are some flaws with older php versions, BUT upgrading doesn't
> guarantee that you'll be safe.
> I'm almost sure, you have some unsafe site on your webserver, which allows
> uploading files in an unsecure manner, and after that, passing some
> commands, is easy.
> This flaw is commonly used with sites that were programmed badly with
> register_globals = on, or doesn't check the input on includes with vars, or
> some other file functions.
> 
> Look at your error log. If you see something about wget, or files
> uploading, you were "hacked" using this way.
> 
> 



-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR




Re: [users@httpd] Possible apache security hole??

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
>> Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7a DAV/2 
>> PHP/4.3.6 mod_jk/1.2.4
>>
>> Thanks.
>>
>>  
>>
> I had a similar problem and was advised by someone (who knows a bit more 
> than I do) that I should upgrade PHP. I now run PHP 5.0.3. Apparently 
> there is a security issue with earlier PHP versions.
> 
> Gene

There are some flaws with older php versions, BUT upgrading doesn't
guarantee that you'll be safe.
I'm almost sure, you have some unsafe site on your webserver, which 
allows uploading files in an unsecure manner, and after that, passing 
some commands, is easy.
This flaw is commonly used with sites that were programmed badly with 
register_globals = on, or doesn't check the input on includes with vars, 
or some other file functions.

Look at your error log. If you see something about wget, or files
uploading, you were "hacked" using this way.
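
An added example, not part of the original post or of any Apache tooling: a small Python scan for the traces described above, namely requests whose query parameter carries a remote URL (the sign of an include fed from unchecked input) and error-log lines mentioning wget or /var/tmp. The log lines, hosts and script names are constructed samples, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of an Apache access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A query value that is itself a URL: typical of an include() fed from input
REMOTE_VALUE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Error-log traces named in the thread: wget output, files under /var/tmp
ERROR_TRACE_RE = re.compile(r"\bwget\b|/var/tmp/", re.IGNORECASE)

def remote_params(access_line):
    """Return (script, parameter, value) for each URL-valued query parameter."""
    match = REQUEST_RE.search(access_line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
    return [(target.path, name, value)
            for name, value in parse_qsl(target.query, keep_blank_values=True)
            if REMOTE_VALUE_RE.match(value)]

def scan(access_lines, error_lines):
    """Collect both kinds of trace so the affected scripts can be reviewed."""
    includes = [hit for line in access_lines for hit in remote_params(line)]
    traces = [line.strip() for line in error_lines if ERROR_TRACE_RE.search(line)]
    return {"remote_include": includes, "error_trace": traces}

# Constructed sample lines (hosts, paths and scripts are made up)
ACCESS_SAMPLE = [
    '192.0.2.10 - - [04/Mar/2005:03:09:58 -0800] "GET /index.php?page=news&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Mar/2005:03:10:01 -0800] "GET /index.php?page=http://files.example.net/x.txt HTTP/1.0" 200 312',
    '198.51.100.7 - - [04/Mar/2005:03:10:05 -0800] "GET /gallery/view.php?tpl=ftp%3A%2F%2Ffiles.example.net%2Fy HTTP/1.0" 200 298',
]
ERROR_SAMPLE = [
    "[Fri Mar 04 03:09:58 2005] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
    "sh: line 1: wget: command not found",
    "           => `/var/tmp/x.tgz'",
]

if __name__ == "__main__":
    report = scan(ACCESS_SAMPLE, ERROR_SAMPLE)
    for script, name, value in report["remote_include"]:
        print(f"review {script}: parameter {name!r} received {value}")
    for line in report["error_trace"]:
        print(f"error log: {line}")
```

Each hit names a script and parameter to audit; a match is a lead for code review, not proof of compromise.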




Re: [users@httpd] Possible apache security hole??

Posted by Gene <li...@Bomgardner.net>.
Rob Tanner wrote:

>Hi,
>
>We have an unknown assailant twice break into our main webserver as the
>apache user (the user the web server runs as) and each time he planted
>files in /var/tmp and caused the whole system to hang (RH Linux).  I
>don't know that he/she is coming in by taking advantage of an apache
>bug or not, but here is the list of what's running in the server and
>what I'm wondering is whether my problem sounds like a known issue with
>any one of these packages/versions.  The hacker might, of course, be
>getting in via some entirely unrelated mechanism.
> 
>Server: Apache/2.0.47 (Unix) mod_ssl/2.0.47 
>OpenSSL/0.9.7a DAV/2 PHP/4.3.6 mod_jk/1.2.4
>
>Thanks.
>
>  
>
I had a similar problem and was advised by someone (who knows a bit more 
than I do) that I should upgrade PHP. I now run PHP 5.0.3. Apparently 
there is a security issue with earlier PHP versions.

Gene

