List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "Matthias F. Brandstetter" <haimat@...>
Subject: hacked via Apache/PHP/CGI/...?
Date: Tue, 3 Feb 2004 02:06:31 +0100
Hi all security gurus,

recently I had a sec. issue with an Apache install. This box is hosting 
several virtual domains; one was hacked last night :(

I found this in my apache-error:

===<snip>========================================================
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.com.br... done.
Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.massdesign.hpg.ig.com.br/index/index2.htt [following]
--00:11:28--  http://www.massdesign.hpg.ig.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.ig.com.br... done.
Connecting to www.massdesign.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [text/plain]

    0K                                                       100%  850.59 
KB/s

00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]
===</snip>========================================================

Then some more wgets and this line:

===<snip>========================================================
[Mon Feb  2 00:42:39 2004] [error] [client 201.4.61.139] request failed: 
erroneous characters after protocol string: HEAD / HTTP\\1.0
===</snip>========================================================

I had to manually restart the webserver this morning, but now I get some of 
those:

===<snip>========================================================
[Mon Feb  2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:56:36 2004] [notice] child pid 2321 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:58:10 2004] [notice] child pid 2391 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:58:46 2004] [notice] child pid 107 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:59:07 2004] [notice] child pid 2358 exit signal Segmentation 
fault (11)
[Mon Feb  2 13:59:08 2004] [notice] child pid 106 exit signal Segmentation 
fault (11)
[Mon Feb  2 14:00:04 2004] [notice] child pid 104 exit signal Segmentation 
fault (11)
[Mon Feb  2 14:00:43 2004] [notice] child pid 154 exit signal Segmentation 
fault (11)
[Mon Feb  2 14:01:06 2004] [notice] child pid 105 exit signal Segmentation 
fault (11)
===</snip>========================================================

... and more and more ...

Until I can update the webserver, I need to know 3 things:
1.) how could this guy (or guys) get access to this machine,
2.) how can one get shell access after exploiting Apache, and
3.) how to prevent similar attacks in the future?

ANY hints, tips, links and suggestions are welcome!
Greetings and TIA, Matthias

-- 
Man:	You must be stupider than you look.

Homer:	Stupider like a fix!

		   Lemon of Troy


--
gentoo-security@g.o mailing list
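A note on reading the excerpts above, with an added example that is not part of the original post or of any project it mentions. Apache's error_log receives the stderr of every process the server spawns, so lines that are not in Apache's own `[date] [level] ...` format (the `sh: line 1: ...`, `cat:`, `rm:` and wget transfer lines) are a strong sign that commands were executed under the httpd user. The script below classifies such lines, extracts the URLs fetched and the client addresses of malformed requests, and measures how tightly the child segfaults are clustered in time. The sample log text is constructed here and modelled on the excerpts; function names and thresholds are my own choices.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the excerpts in the post (not the poster's real file).
SAMPLE_LOG = r"""
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt
           => `index2.htt'
00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]
[Mon Feb  2 00:42:39 2004] [error] [client 201.4.61.139] request failed: erroneous characters after protocol string: HEAD / HTTP\1.0
[Mon Feb  2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation fault (11)
[Mon Feb  2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation fault (11)
[Mon Feb  2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation fault (11)
"""

# Apache 1.3-style error_log entry: "[timestamp] [level] [client a.b.c.d] message"
APACHE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[\d.]+)\] )?(?P<msg>.*)$"
)
SEGV = re.compile(r"child pid (\d+) exit signal Segmentation fault")
BAD_REQ = re.compile(r"erroneous characters after protocol string")
# stderr of a shell or coreutils invoked by a server child
SHELL_ERR = re.compile(r"^(sh|bash|cd|cat|rm|wget|chmod|perl): ")
# wget's "--HH:MM:SS--  URL" transfer header
WGET_START = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(\S+)")


def triage(log_text):
    """Bucket error_log lines into the indicator classes seen in the post."""
    findings = {"shell_errors": [], "downloads": [], "malformed_requests": [], "segfaults": []}
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = APACHE.match(line)
        if m:
            msg = m.group("msg")
            s = SEGV.search(msg)
            if s:
                ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
                findings["segfaults"].append((ts, int(s.group(1))))
            elif BAD_REQ.search(msg):
                findings["malformed_requests"].append(m.group("client"))
            continue
        # Anything else is stderr from a process the server spawned.
        if SHELL_ERR.match(line):
            findings["shell_errors"].append(line)
        else:
            w = WGET_START.match(line)
            if w:
                findings["downloads"].append(w.group(1))
    return findings


def segfault_window_seconds(findings):
    """Seconds between the first and last child segfault (0 if fewer than two)."""
    stamps = [ts for ts, _ in findings["segfaults"]]
    if len(stamps) < 2:
        return 0
    return int((max(stamps) - min(stamps)).total_seconds())


def indicators(findings, segv_threshold=3):
    """Human-readable list of what the log evidences; threshold is an assumption."""
    out = []
    if findings["shell_errors"]:
        out.append("command execution under the httpd user (shell stderr in error_log)")
    if findings["downloads"]:
        out.append("remote files fetched by the httpd user: " + ", ".join(findings["downloads"]))
    if findings["malformed_requests"]:
        out.append("malformed request lines from: " + ", ".join(findings["malformed_requests"]))
    if len(findings["segfaults"]) >= segv_threshold:
        out.append("%d child segfaults within %d s (crashing children warrant a binary/module check)"
                   % (len(findings["segfaults"]), segfault_window_seconds(findings)))
    return out


if __name__ == "__main__":
    for item in indicators(triage(SAMPLE_LOG)):
        print("-", item)
```

Run against a real error_log the same way (`triage(open("/var/log/apache/error_log").read())`); the hostnames and client addresses it extracts are the first things to compare against the access_log for the same time window, and any non-Apache-format line is worth checking against the process list and cron entries of the httpd user.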