Gentoo Archives: gentoo-security

From: "Matthias F. Brandstetter" <haimat@××××.at>
To: gentoo-security@l.g.o
Subject: [gentoo-security] hacked via Apache/PHP/CGI/...?
Date: Tue, 03 Feb 2004 01:32:32
Message-Id: 200402030206.31084.haimat@lame.at
Hi all security gurus,

recently I had a sec. issue with an Apache install. This box is hosting 
several virtual domains, one was hacked last night :(

I found this in my apache-error:

===<snip>========================================================
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.com.br... done.
Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.massdesign.hpg.ig.com.br/index/index2.htt [following]
--00:11:28--  http://www.massdesign.hpg.ig.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.ig.com.br... done.
Connecting to www.massdesign.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [text/plain]

    0K                                                       100%  850.59 
KB/s

00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]
===</snip>========================================================

Then some more wgets and this line:

===<snip>========================================================
[Mon Feb  2 00:42:39 2004] [error] [client 201.4.61.139] request failed: 
erroneous characters after protocol string: HEAD / HTTP\\1.0
===</snip>========================================================

I had to manually restart the webserver this morning, but now I get some of 
those:

===<snip>========================================================
[Mon Feb  2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:56:36 2004] [notice] child pid 2321 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:58:10 2004] [notice] child pid 2391 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:58:46 2004] [notice] child pid 107 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:59:07 2004] [notice] child pid 2358 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:59:08 2004] [notice] child pid 106 exit signal Segmentation 
fault (11)
[Mon Feb  2 14:00:04 2004] [notice] child pid 104 exit signal Segmentation 
fault (11)
[Mon Feb  2 14:00:43 2004] [notice] child pid 154 exit signal Segmentation 
fault (11)
[Mon Feb  2 14:01:06 2004] [notice] child pid 105 exit signal Segmentation 
fault (11)
===</snip>========================================================

... and more and more ...

Until I can update the webserver, I need to know 3 things:
1.) how could this guy (or guys) get access to this machine,
2.) how can one get shell access after exploiting Apache, and
3.) how to prevent similar attacks in the future?

ANY hints, tips, links and suggestions are welcome!
Greetings and TIA, Matthias

-- 
Man:	You must be stupider than you look.

Homer:	Stupider like a fix!

		   Lemon of Troy
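An added triage example for the log evidence quoted in this mail (it is not code from the poster or from Gentoo): the three indicators shown above can be pulled out of an Apache 1.3-style error_log mechanically. Lines that do not start with Apache's `[timestamp] [level]` prefix but look like `sh:`, `cat:`, `rm:` or wget output are the stderr of commands spawned by a CGI/PHP process, which is the cleanest sign that something got command execution through the web server; a cluster of child segfaults in a short window usually means a client is feeding the server crafted input; and the `request failed` error carries the client IP worth checking against access_log. The sample lines are copied from the post, plus one extra segfault notice at 14:30:00 constructed to show a lone crash that is not reported as a burst. Regexes, the 5-minute window and the threshold of 3 are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines from the error_log excerpts in the post above,
# plus one extra segfault notice (14:30:00) to show a non-burst case.
SAMPLE_LOG = r"""sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt
           => `index2.htt'
00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]
[Mon Feb  2 00:42:39 2004] [error] [client 201.4.61.139] request failed: erroneous characters after protocol string: HEAD / HTTP\\1.0
[Mon Feb  2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation fault (11)
[Mon Feb  2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation fault (11)
[Mon Feb  2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation fault (11)
[Mon Feb  2 13:56:36 2004] [notice] child pid 2321 exit signal Segmentation fault (11)
[Mon Feb  2 14:30:00 2004] [notice] child pid 2400 exit signal Segmentation fault (11)
"""

# Apache 1.3-style error_log entry: [timestamp] [level] [client ip] message
APACHE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<client>[\d.]+)\] )?(?P<msg>.*)$"
)
# Output that is not Apache's own: shell/coreutils error prefixes and wget
# progress lines, i.e. stderr of commands spawned by a CGI/PHP process.
FOREIGN_RE = re.compile(
    r"^(?:(?:sh|bash|cat|rm|cd|mv|chmod|wget|curl|perl): "
    r"|--\d\d:\d\d:\d\d--\s|\s+=> `|\d\d:\d\d:\d\d \(.*\) - `.*saved \[)"
)
SEGFAULT_RE = re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault")


def parse_entries(text):
    """Split log text into Apache entries (dicts) and foreign lines (strings)."""
    entries, foreign = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = APACHE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            entries.append(e)
        else:
            foreign.append(line)
    return entries, foreign


def shell_residue(text):
    """Foreign lines that look like a shell or a tool run from a web process."""
    _, foreign = parse_entries(text)
    return [line for line in foreign if FOREIGN_RE.match(line)]


def segfault_bursts(entries, window=timedelta(minutes=5), threshold=3):
    """Group segfault notices whose neighbours lie within `window`; return the
    groups of at least `threshold` crashes (a crash storm, not a one-off)."""
    hits = []
    for e in entries:
        m = SEGFAULT_RE.search(e["msg"])
        if m:
            hits.append((e["ts"], int(m.group("pid"))))
    hits.sort()
    bursts, group = [], []
    for ts, pid in hits:
        if group and ts - group[-1][0] > window:
            if len(group) >= threshold:
                bursts.append(group)
            group = []
        group.append((ts, pid))
    if len(group) >= threshold:
        bursts.append(group)
    return [{"start": g[0][0], "end": g[-1][0], "count": len(g),
             "pids": [pid for _, pid in g]} for g in bursts]


def malformed_requests(entries):
    """Client IPs behind 'request failed' errors, for cross-checking access_log."""
    return [(e["client"], e["msg"]) for e in entries
            if e["level"] == "error" and "request failed" in e["msg"]]


if __name__ == "__main__":
    entries, _ = parse_entries(SAMPLE_LOG)
    print("shell/tool residue (command execution via web process?):")
    for line in shell_residue(SAMPLE_LOG):
        print("  ", line)
    for b in segfault_bursts(entries):
        print(f"segfault burst: {b['count']} children between "
              f"{b['start']:%H:%M:%S} and {b['end']:%H:%M:%S}, pids {b['pids']}")
    for client, msg in malformed_requests(entries):
        print(f"malformed request from {client}: {msg}")
```

Run it against a real error_log with `parse_entries(open(path).read())`; anything that ends up in the foreign list deserves a look even when it does not match `FOREIGN_RE`, because Apache itself never writes unprefixed lines there.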


--
gentoo-security@g.o mailing list
