Gentoo Archives: gentoo-security

From: "Matthias F. Brandstetter" <haimat@××××.at>
To: gentoo-security@l.g.o
Subject: [gentoo-security] hacked via Apache/PHP/CGI/...?
Date: Tue, 03 Feb 2004 01:32:32
Message-Id: 200402030206.31084.haimat@lame.at
Hi all security gurus,

recently I had a sec. issue with an Apache install. This box is hosting
several virtual domains, one was hacked last night :(

I found this in my apache-error:

===<snip>========================================================
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27-- http://www.massdesign.hpg.com.br/index/index2.htt
=> `index2.htt'
Resolving www.massdesign.hpg.com.br... done.
Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.massdesign.hpg.ig.com.br/index/index2.htt [following]
--00:11:28-- http://www.massdesign.hpg.ig.com.br/index/index2.htt
=> `index2.htt'
Resolving www.massdesign.hpg.ig.com.br... done.
Connecting to www.massdesign.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [text/plain]

0K 100% 850.59
KB/s

00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]
===</snip>========================================================

Then some more wgets and this line:

===<snip>========================================================
[Mon Feb 2 00:42:39 2004] [error] [client 201.4.61.139] request failed:
erroneous characters after protocol string: HEAD / HTTP\\1.0
===</snip>========================================================

I had to manually restart the webserver this morning, but now I get some of
those:

===<snip>========================================================
[Mon Feb 2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation
fault (11)
[Mon Feb 2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation
fault (11)
[Mon Feb 2 13:56:09 2004] [notice] child pid 152 exit signal Segmentation
fault (11)
[Mon Feb 2 13:56:36 2004] [notice] child pid 2321 exit signal Segmentation
fault (11)
[Mon Feb 2 13:58:10 2004] [notice] child pid 2391 exit signal Segmentation
fault (11)
[Mon Feb 2 13:58:46 2004] [notice] child pid 107 exit signal Segmentation
fault (11)
[Mon Feb 2 13:59:07 2004] [notice] child pid 2358 exit signal Segmentation
fault (11)
[Mon Feb 2 13:59:08 2004] [notice] child pid 106 exit signal Segmentation
fault (11)
[Mon Feb 2 14:00:04 2004] [notice] child pid 104 exit signal Segmentation
fault (11)
[Mon Feb 2 14:00:43 2004] [notice] child pid 154 exit signal Segmentation
fault (11)
[Mon Feb 2 14:01:06 2004] [notice] child pid 105 exit signal Segmentation
fault (11)
===</snip>========================================================

... and more and more ...

Until I can update the webserver, I need to know 3 things:
1.) how could this guy (or guys) get access to this machine,
2.) how can one get shell access after exploiting Apache, and
3.) how to prevent similar attacks in the future?

ANY hints, tips, links and suggestions are welcome!
Greetings and TIA, Matthias

--
Man: You must be stupider than you look.

Homer: Stupider like a fix!

Lemon of Troy


--
gentoo-security@g.o mailing list
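The log excerpts in the post show three separate signals worth pulling out of an Apache error_log during triage: unformatted lines that are the stderr of processes spawned by the web server (the `sh:`, `cat:`, `rm:` messages and the wget progress output; Apache 1.3 and 2.x send a child's stderr to error_log, so command output landing there means something ran commands as the httpd user), `[error]` entries for malformed request lines, and repeated `child pid N exit signal Segmentation fault (11)` notices. The Python script below is an added example written for this page, not code from the post, the list or any Gentoo tool; it classifies each error_log line into one of those buckets and summarises what it found. The sample lines are constructed from the excerpts above (with the wrapped segfault notices rejoined and one generic `caught SIGTERM` notice added as a benign control); the category names and the `triage()` report layout are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample modelled on the error_log excerpts in the post above.
# The "caught SIGTERM" line is a generic benign Apache notice added as a control.
SAMPLE_ERROR_LOG = [
    "sh: line 1: cd: conf: No such file or directory",
    "sh: line 1: work.txt: Permission denied",
    "cat: /tmp/cmdtemp: No such file or directory",
    "rm: cannot remove `/tmp/cmdtemp': No such file or directory",
    "--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt",
    "           => `index2.htt'",
    "Resolving www.massdesign.hpg.com.br... done.",
    "Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.",
    "HTTP request sent, awaiting response... 200 OK",
    "Length: 871 [text/plain]",
    "00:11:29 (850.59 KB/s) - `index2.htt' saved [871/871]",
    r"[Mon Feb  2 00:42:39 2004] [error] [client 201.4.61.139] request failed: "
    r"erroneous characters after protocol string: HEAD / HTTP\\1.0",
    "[Mon Feb  2 13:54:48 2004] [notice] child pid 151 exit signal Segmentation fault (11)",
    "[Mon Feb  2 13:55:13 2004] [notice] child pid 155 exit signal Segmentation fault (11)",
    "[Mon Feb  2 14:00:04 2004] [notice] child pid 104 exit signal Segmentation fault (11)",
    "[Mon Feb  2 08:00:00 2004] [notice] caught SIGTERM, shutting down",
]

# A properly formatted Apache 1.3 / 2.0 error_log entry: "[date] [level] [client ip] msg".
APACHE_LINE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<client>[\d.]+)\] )?(?P<msg>.*)$"
)
SEGFAULT = re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault \(11\)")
MALFORMED = re.compile(r"request failed: erroneous characters after protocol string")
# stderr of common tools run from a shell spawned by the server: "tool: message"
SHELL_STDERR = re.compile(r"^(?:sh|bash|cat|rm|mv|cp|chmod|perl|python): ")
# wget progress output (it writes to stderr, which ends up in error_log)
WGET_START = re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)")
WGET_OTHER = re.compile(
    r"^(?:\s*=> `|Resolving |Connecting to |HTTP request sent|Length: "
    r"|\d\d:\d\d:\d\d \(.*\) - `.*' saved)"
)


def classify(line):
    """Return (category, detail) for one error_log line."""
    m = APACHE_LINE.match(line)
    if m:
        msg = m.group("msg")
        s = SEGFAULT.search(msg)
        if s:
            return "segfault", s.group("pid")
        if MALFORMED.search(msg):
            return "malformed_request", m.group("client")
        return "apache_other", m.group("level")
    if SHELL_STDERR.match(line):
        return "shell_stderr", line.split(":", 1)[0]
    w = WGET_START.match(line)
    if w:
        return "download_url", w.group("url")
    if WGET_OTHER.match(line):
        return "download_output", None
    # anything else that is not Apache-formatted also deserves a look
    return "unformatted_other", None


def triage(lines):
    """Classify every line and collect the details an incident responder wants first."""
    report = {
        "counts": Counter(),
        "segfault_pids": [],
        "malformed_clients": Counter(),
        "download_urls": [],
        "shell_tools": Counter(),
        "findings": [],
    }
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        cat, detail = classify(line)
        report["counts"][cat] += 1
        if cat == "segfault":
            report["segfault_pids"].append(int(detail))
        elif cat == "malformed_request" and detail:
            report["malformed_clients"][detail] += 1
        elif cat == "download_url":
            report["download_urls"].append(detail)
        elif cat == "shell_stderr":
            report["shell_tools"][detail] += 1
    c = report["counts"]
    if c["shell_stderr"]:
        report["findings"].append("shell/tool stderr in error_log: commands ran as the httpd user")
    if report["download_urls"]:
        report["findings"].append("httpd user fetched remote files: " + ", ".join(report["download_urls"]))
    if c["segfault"] >= 3:
        report["findings"].append(f"{c['segfault']} child segfaults: crashing children, check for exploit attempts")
    if report["malformed_clients"]:
        report["findings"].append("malformed request lines from: " + ", ".join(report["malformed_clients"]))
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_ERROR_LOG)
    for k, v in rep["counts"].items():
        print(f"{k:20s} {v}")
    for f in rep["findings"]:
        print("FINDING:", f)
```

Run it against a real error_log with `triage(open("/var/log/apache/error_log"))`; the point is that any line which does not start with Apache's `[date] [level]` prefix is output from something the server spawned, and on a box that should only serve static pages and PHP that alone is an alarm.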

Replies

Subject Author
Re: [gentoo-security] hacked via Apache/PHP/CGI/...? Ned Ludd <solar@g.o>