Gentoo Archives: gentoo-security

From: Ned Ludd <solar@g.o>
To: "Matthias F. Brandstetter" <haimat@××××.at>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] hacked via Apache/PHP/CGI/...?
Date: Tue, 03 Feb 2004 03:29:10
Message-Id: 1075777408.31687.524.camel@simple
In Reply to: [gentoo-security] hacked via Apache/PHP/CGI/...? by "Matthias F. Brandstetter"
On Mon, 2004-02-02 at 20:06, Matthias F. Brandstetter wrote:
> Hi all security gurus,
>
> recently I had a sec. issue with an Apache install. This box is hosting
> several virtual domains, one was hacked last night :(
>
> Until I can update the webserver, I need to know 3 things:
You really should not wait on getting this thing updated. And in reality you should also halt this box now, and a dd backup should be made for later examination. If you need to look around or poke around at all, it should all be done while the disk is mounted read-only.
> 1.) how could this guy(s) get access to this machine,
(this guy could be a worm)
> 2.) how can one get shell access after exploiting Apache, and
It depends on the attack vector that was used. Without knowing versions of anything here it's hard to answer this question. See #3
> 3.) how to prevent similar attacks in the future?
For a second let's assume it was arbitrary code execution via the stack or heap. If that's the case then you're going to want something like PaX && || Grsec, depending on your needs. Note: PaX is included with grsecurity.
>
> ANY hints, tips, links and suggestions are welcome!
> Greetings and TIA, Matthias
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer
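
The dd backup and read-only examination recommended in the reply above, as an added example that is not part of the original message. It assumes the halted machine's disk is attached to a separate analysis host and is not mounted; the function name and all paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original message). All paths are placeholders.

# image_and_verify SRC IMG
# Copy SRC (a block device or file) to IMG with dd, then confirm the copy
# by comparing SHA-256 digests. Prints the digest and returns 0 on a
# verified image, 1 on a digest mismatch, 2 on a usage or I/O error.
image_and_verify() {
    local src=$1 img=$2 src_sum img_sum

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2
        return 2
    fi
    if [ -e "$img" ]; then
        # Never overwrite an existing evidence file.
        echo "refusing to overwrite: $img" >&2
        return 2
    fi

    # Plain dd stops at the first read error, so a completed run is a full copy.
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 2

    src_sum=$(sha256sum < "$src" | cut -d' ' -f1) || return 2
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1) || return 2
    if [ "$src_sum" != "$img_sum" ]; then
        echo "digest mismatch: $src_sum != $img_sum" >&2
        return 1
    fi

    # Keep the digest beside the image and drop write permission on both.
    printf '%s  %s\n' "$img_sum" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
    echo "$img_sum"
}

# Examination then happens on the copy, mounted read-only (needs root):
#   mount -o ro,loop,noexec,nodev,nosuid /evidence/web01.img /mnt/evidence
# For ext3/ext4, add "noload" so the journal is not replayed on mount.
```

The recorded digest lets a later examiner confirm with `sha256sum -c` that the image has not changed since acquisition.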

