I would suggest running these...

http://www.chkrootkit.org/

http://www.rootkit.nl/

I like the Rootkit Hunter (the 2nd link)... I contributed a rootkit to his project that I found on a compromised box.

The point of entry for that rootkit might not have been Apache. It could have been anything. You said RH 9 is on his box. Is he keeping up with security updates on his own or using one of the legacy places that still provide RH 9 RPMs? If you send me the files in tmp to [EMAIL PROTECTED] I can see if I can find out more. I haven't seen that rootkit so far as I know, but sometimes the file names won't give anything away because people rename things.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

----- Original Message -----
From: "LaRoy McCann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 23, 2004 12:45 PM
Subject: [Apache-FP] web server hacked



I have a buddy that is running RH9.0 with Apache 2.0.40 with FP extensions.

His web server got hacked into.  They replaced the index page.
They had their name of "Total Cha0s" on the index page.

Anyone know of a bug in Apache that will allow this?

Here is a listing of the files they placed in the tmp dir.

[EMAIL PROTECTED] tmp]# ll
total 488
-rw-r--r--  1 apache apache    757 Aug 22 00:20 dc.pl
-rwxrwxrwx  1 apache apache  19242 Aug 18 14:38 r0nin
-rw-------  1 apache apache     93 Aug 17 08:29 sess_bd2f85b4f15f7471f989baa66cdc2cbb
-rwxrwxrwx  1 apache apache      0 Aug 21 15:31 xiit
-rwxr-xr-x  1 apache apache 463529 Aug 22 00:21 xpl_brk





_______________________________________________
Apache-FP mailing list
[EMAIL PROTECTED]
http://lists.joshie.com/mailman/listinfo/apache-fp

Donations:
http://www.amazon.com/paypage/PT5LZITM9L227



