Posted to users@httpd.apache.org by Francisco Hidalgo Solá <fh...@yahoo.com.ar> on 2005/03/15 14:41:57 UTC

[users@httpd] I've been hacked, I need some help please...

Hi, my Apache web server has been hacked and they got
root access; this is my major concern.

I have apache-2.0.52 and all my main pages were
changed to an HTML message written in WORD!!! (that for
sure says it was a script kiddie)
I think they got root access since all my log
directory is gone and they rewrote all index.* files
from all my filesystem directories with their own
message. I've found two processes running under the user
"apache"; they are "r0nin" and "brk".
The "who" command shows nothing, so it seems it was
changed. I've found some info on the "r0nin" exploit but
nothing on "brk"; both files are in /var/tmp. There
are also other files in /var/tmp; they are "dc"
(executable), b.tgz and edy.tgz.
As I said before, my major concern is root access. I'm
almost sure they got in with an insecure PHP script,
but as I see it (I could be wrong), this shouldn't be
a major problem: they can run scripts with the
unprivileged account "apache" but that's all;
nonetheless they got root access from that
unprivileged account.
Any ideas? I don't know what to do. I've read that
the r0nin script opens a telnet session on port 1666,
but this can't be the problem, since this port is
blocked by the firewall and they would get
unprivileged telnet access anyway, right? I didn't
find any info about the other scripts; I still have
them there if you need any other info.
Thank you very much.

Francisco


	

	
		

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] I've been hacked, I need some help please...

Posted by Muhammad Rizwan <ri...@nixpanel.com>.
Are you using any hosting control panel?



On Tue, 2005-03-15 at 18:41, Francisco Hidalgo Solá wrote:




Re: [users@httpd] I've been hacked, I need some help please...

Posted by Dennis Speekenbrink <d....@silverstreak.nl>.
Hi,

Please keep in mind that I'm not a security expert.

Something about this says that they did not get root access to the machine.
Are you absolutely sure that "root-only" files were changed?

Reasons for my thinking are:
The rogue processes are running under the Apache user (why not root?)
You can still log in. (Usually root exploits change the root password
first thing, sadly speaking from my own experience.)
The rogue processes are located in /tmp, which is world-writeable.
If access was gained through Apache, and it was indeed running as an
unprivileged user, then they would need a second exploit to raise
their access level to root. By default a security breach in Apache
should only compromise anything that Apache can touch.

On the other hand:
If you're logged in and the 'who' command shows absolutely nobody, then
it is obviously at fault.
If non-writeable files were modified, then an Apache / PHP exploit alone
couldn't have done it.
If system logs were deleted, that is almost certainly an indicator of a
root exploit.

If you conclude that root access was indeed gained, then the machine
must be considered lost.
Do not try to repair it, as you can never be sure you removed all traces
of the attacker.
If you assume that it was only an Apache / PHP exploit, then repair is
possible but a reinstall might be safer.

Good luck!

Dennis

p.s. if you have an off-site backup or remote logging try comparing data 
to see what has changed.







Re[2]: [users@httpd] I've been hacked, I need some help please...

Posted by John <is...@cc.uoi.gr>.
From: herbs <he...@gmx.net>
To: users@httpd.apache.org
Date: Wednesday, March 16, 2005, 12:42:58 PM
Subject: [users@httpd] I've been hacked, I need some help please...



Wednesday, March 16, 2005, 12:42:58 PM, you wrote:

> Hi Francisco,
> I use for quite a while the rootkit hunter. GPL from 
> http://www.rootkit.nl/
> A great program - it checks for rootkits, backdoors and other
> traces what a hacker leaves on your server if he intends to come
> back..

> Cheers
> herbs

>   ()  ASCII Ribbon Campaign - against html/rtf/vCard in mail
>   /\                        - against M$ attachments


Well, does rkhunter search for the Apache version inside a chroot?
I mean that you have copied all the Apache-related files and libraries
into the chroot jail, so does rkhunter check for that possibility?





Re: [users@httpd] I've been hacked, I need some help please...

Posted by herbs <he...@gmx.net>.
Hi Francisco,
I have been using Rootkit Hunter for quite a while. GPL, from
http://www.rootkit.nl/
A great program - it checks for rootkits, backdoors and other traces that a hacker leaves on your server if he intends to come back.

Cheers
herbs

  ()  ASCII Ribbon Campaign - against html/rtf/vCard in mail
  /\                        - against M$ attachments


On Tue, 15 Mar 2005 10:41:57 -0300 (ART)
Francisco Hidalgo Solá <fh...@yahoo.com.ar> wrote:




Re: [users@httpd] I've been hacked, I need some help please...

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
> I have apache-2.0.52 and all my main pages were
> changed to a HTML message written in WORD!!! (that for
> sure says it was a script kiddie)
> I think they got root access since all my log
> directory is gone and they rewrote all index.* files
> from all my filesystem directories with their own
> message, I've found two process running under the user
> "apache", they are "r0nin" and "brk".

I see this all the time.
You are right, you were hacked with an insecure PHP script, and probably
with an insecure version of phpBB.

> The "who" command shows nothing, so it seems it was
> changed. I've found some info on "r0nin" exploit but
> nothing on "brk", both files are in /var/tmp. There
> are also other files in /var/tmp, they are "dc"
> (executable), b.tgz and edy.tgz.
> As I said before, my major concern is root access. I'm
> almost sure they got in with an insecure PHP script,
> but as I see it (I could be wrong), this shouldn't be
> a major problem, that can run scripts with the
> unprivileged account "apache" but thats all,
> nonetheless they got root access from that
> unprivileged account.

If you have an outdated/unpatched kernel, you can fire up some race
conditions and get root easily with an unprivileged account.

> Any ideas?, I don't know what to do. I've read that
> the r0nin script opens a telnet session in port 1666,
> but this cant be the problem, since this port is
> blocked by the firewall and they would get an
> unprivileged telnet access anyway, right?, I didn't
> find any info about the other scrips, I still have
> them there if you need any other info.
> Thank you very much.

Mmh...
Start by blocking incoming connections. Remove those scripts, point
your temp dirs to one with noexec properties (sometimes those damn
kiddies use /dev/shm, so setting it noexec sometimes works). You will
have to search all over your system for modified files (on
Red Hat/Fedora this is simple: run rpm -VVV for each package).
The best is to start with a clean system, running all the security you
can. SELinux is good although kinda hard. mod_security, use a chrooted
environment, etc...
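Dennis's indicators (a "who" that shows nobody pointing at a replaced binary, system logs that are simply gone) and Ivan's steps (noexec on the scratch filesystems, rpm -V over every package) can be scripted as a first triage pass. The POSIX shell helpers below are an added example and are not code from any poster or from the Apache project; the /proc/mounts excerpt and the rpm -V lines are constructed samples, and the choice of /tmp, /var/tmp and /dev/shm as the scratch locations to check is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Two triage helpers for a Linux host
# suspected of a web-level compromise:
#   mounts_without_noexec   - which scratch filesystems lack the noexec option
#   suspicious_rpm_changes  - which packaged files rpm -V reports as altered
# All sample data below is constructed for the example.

# Constructed excerpt in /proc/mounts format: device mountpoint fstype options.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid 0 0
/dev/sda5 /var/tmp ext3 rw,nosuid,noexec,nodev 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Constructed sample of `rpm -Va` output. Column 1 is the test string
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime);
# an optional column 2 is the file attribute (c = config file); the last
# column is the path. "missing" replaces the test string for absent files.
SAMPLE_RPMV='S.5....T.  c /etc/httpd/conf/httpd.conf
.M.......    /var/tmp
S.5....T.    /usr/bin/who
.......T.    /usr/lib/libz.so.1
missing     /var/log/httpd'

# Print each of /tmp, /var/tmp and /dev/shm (assumed scratch locations)
# that is mounted without noexec. Argument: text in /proc/mounts format.
mounts_without_noexec() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /tmp|/var/tmp|/dev/shm)
                case ",$opts," in
                    *,noexec,*) ;;                 # already hardened
                    *) printf '%s\n' "$mnt" ;;
                esac ;;
        esac
    done
}

# Print "modified <path>" for packaged files whose size or digest changed
# and "missing <path>" for files that are gone. Edited config files
# (attribute c) are expected and skipped; a replaced /usr/bin/who is not.
# Argument: text in `rpm -V` format.
suspicious_rpm_changes() {
    printf '%s\n' "$1" | while read -r line; do
        [ -n "$line" ] || continue
        set -- $line                     # word-split the line (intended)
        flags=$1
        for w in "$@"; do path=$w; done  # the path is the last field
        if [ "$#" -eq 3 ]; then attr=$2; else attr=''; fi
        if [ "$flags" = missing ]; then
            printf 'missing %s\n' "$path"
            continue
        fi
        case "$flags" in
            *S*|*5*) [ "$attr" = c ] || printf 'modified %s\n' "$path" ;;
        esac
    done
}

# Stand-alone run over the constructed samples. On a live host, replace the
# samples with "$(cat /proc/mounts)" and "$(rpm -Va 2>/dev/null)".
echo "scratch filesystems without noexec:"
mounts_without_noexec "$SAMPLE_MOUNTS"
echo "packaged files to inspect:"
suspicious_rpm_changes "$SAMPLE_RPMV"
```

Run on the real host, the rpm check is only as trustworthy as the local rpm binary and its database; an attacker who really did reach root could have altered both, which is why Dennis's advice to treat a root-level compromise as a lost machine still stands. The mount check is the cheap part of Ivan's hardening: a /var/tmp or /dev/shm that shows up in its output is where dropped tools like the ones in the original post get executed from.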




