Re: [PHP] Hack on Server.
Hi!

Not sure if it's the same one, there's a new IIS exploit that'll change the main page, but only in memory. It's known as Code Red Worm at the cert.org site.

I noticed it after I had lots of weird requests in my httpd logs for about 8 hours last night (+800) which I thought was a buffer overflow attempt.

Check the URL for more info:
http://www.cert.org/advisories/CA-2001-19.html

Hak Beng

At 04:59 20/07/2001, I noticed a mail from Jean-Francois Jauvin:
>Hi, my server with php on it has been "hacked" or something., what
>happened is every PHP page displayed a certain message like "Hacked by blah
>blah blah...".
>None of the HTML pages were affected, only the PHP ones
>but the scripts were not altered, I've shut down IIS, reinstalled PHP, and
>everything is back to normal... kinda strange.
>Did anyone have a similar problem...
>
>Thanks
>
>JF

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Hack on Server.
I know this post is old by the list standards, so I don't know if you've gotten help. Check in your php.ini for these lines:

    ; automatically add files before or after any PHP document
    auto_prepend_file =
    auto_append_file=

Does the auto_prepend_file line have something? If so check that out, 'cause he could just have

    echo "Hacked by mE!!! bWAAHAHAHA"; die();

which would make all your php scripts useless. I know you said you reinstalled php, but did you just use the same ini file?

On a side note, I'd recommend getting a linux webserver or at least running the windows version of apache. IIS's security is flawed as I'm sure you've seen or already known. I realize sometimes that's not possible, my boss told me last week he wants our server to be IIS by the end of August. Sometimes management just makes bad decisions.

-Justin

-----Original Message-----
From: "Jean-Francois Jauvin" <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 3:59 PM
To: [EMAIL PROTECTED]
Subject: [PHP] Hack on Server.

Hi, my server with php on it has been "hacked" or something., what
happened is every PHP page displayed a certain message like "Hacked by blah
blah blah...".
None of the HTML pages were affected, only the PHP ones
but the scripts were not altered, I've shut down IIS, reinstalled PHP, and
everything is back to normal... kinda strange.
Did anyone have a similar problem...

Thanks

JF
Re: [PHP] Hack on Server.
Must have been some ome hacker to find an httpd.conf on an IIS server :)

On Fri, Jul 20, 2001 at 10:12:25AM +1000, Brian White wrote:
> Maybe the hacker got into the httpd.conf and set the auto-prepend setting
> to a file that contained the message.
>
> Brian
>
> At 00:34 20/07/2001 +0300, [EMAIL PROTECTED] wrote:
> >Hi Jean-Francois!
> >On Thu, 19 Jul 2001, Jean-Francois Jauvin wrote:
> >
> > > Hi, my server with php on it has been "hacked" or something., what
> > > happened is every PHP page displayed a certain message like "Hacked by blah
> > > blah blah...".
> > > None of the HTML pages were affected, only the PHP ones
> > > but the scripts were not altered, I've shut down IIS, reinstalled PHP, and
> >Ah, IIS, the magic word.
> >
> >Maybe you have been hacked by the Bady worm, I saw it in action in the
> >test lab :)
> >
> >-- teodor
>
> -
> Brian White
> Step Two Designs Pty Ltd - SGML, XML & HTML Consultancy
> Phone: +612-93197901
> Web: http://www.steptwo.com.au/
> Email: [EMAIL PROTECTED]

--
Jeff Bearer, RHCE
Webmaster
PittsburghLIVE.com
Re: [PHP] Hack on Server.
I think the following link might shed some more light on the situation:

http://news.cnet.com/news/0-1003-200-6604515.html

HTH

Sam Masiello
Software Quality Assurance Engineer
Synacor
(716) 853-1362 x289
[EMAIL PROTECTED]

On Fri, 20 Jul 2001 10:12:25 +1000 Brian White <[EMAIL PROTECTED]> wrote:
>Maybe the hacker got into the httpd.conf and set the auto-prepend setting
>to a file that contained the message.
>
>Brian
>
>At 00:34 20/07/2001 +0300, [EMAIL PROTECTED] wrote:
>>Hi Jean-Francois!
>>On Thu, 19 Jul 2001, Jean-Francois Jauvin wrote:
>>
>> > Hi, my server with php on it has been "hacked" or something., what
>> > happened is every PHP page displayed a certain message like "Hacked by blah
>> > blah blah...".
>> > None of the HTML pages were affected, only the PHP ones
>> > but the scripts were not altered, I've shut down IIS, reinstalled PHP, and
>>Ah, IIS, the magic word.
>>
>>Maybe you have been hacked by the Bady worm, I saw it in action in the
>>test lab :)
>>
>>-- teodor
>
>-
>Brian White
>Step Two Designs Pty Ltd - SGML, XML & HTML Consultancy
>Phone: +612-93197901
>Web: http://www.steptwo.com.au/
>Email: [EMAIL PROTECTED]
Re: [PHP] Hack on Server.
Maybe the hacker got into the httpd.conf and set the auto-prepend setting to a file that contained the message.

Brian

At 00:34 20/07/2001 +0300, [EMAIL PROTECTED] wrote:
>Hi Jean-Francois!
>On Thu, 19 Jul 2001, Jean-Francois Jauvin wrote:
>
> > Hi, my server with php on it has been "hacked" or something., what
> > happened is every PHP page displayed a certain message like "Hacked by blah
> > blah blah...".
> > None of the HTML pages were affected, only the PHP ones
> > but the scripts were not altered, I've shut down IIS, reinstalled PHP, and
>Ah, IIS, the magic word.
>
>Maybe you have been hacked by the Bady worm, I saw it in action in the
>test lab :)
>
>-- teodor

-
Brian White
Step Two Designs Pty Ltd - SGML, XML & HTML Consultancy
Phone: +612-93197901
Web: http://www.steptwo.com.au/
Email: [EMAIL PROTECTED]
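Editor's added example, not part of any message in this thread: a small audit for the setting that Justin's and Brian's messages both point at, flagging any non-empty auto_prepend_file / auto_append_file in php.ini text or in Apache php_value lines. The sample config text and file paths are constructed for illustration.

```python
import re

# php.ini form:   auto_prepend_file = "C:\path\file.php"
INI_RE = re.compile(r"^\s*(auto_(?:prepend|append)_file)\s*=\s*(.*)$", re.I)
# Apache mod_php form (httpd.conf / .htaccess):
#   php_value auto_prepend_file /path/file.php
APACHE_RE = re.compile(
    r"^\s*php_(?:admin_)?value\s+(auto_(?:prepend|append)_file)\s+(.*)$", re.I)

def _clean(value, inline_comment):
    """Strip quotes and, for php.ini, a trailing ';' comment."""
    value = value.strip()
    if value and value[0] in "\"'":
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    if inline_comment:
        value = value.split(inline_comment, 1)[0].strip()
    return value

def find_injected_includes(text, source="php.ini"):
    """Return (source, line number, directive, file) for every directive
    that makes PHP run an extra file around each script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith((";", "#")):
            continue  # whole-line comment
        match, comment = INI_RE.match(line), ";"
        if not match:
            match, comment = APACHE_RE.match(line), None
        if not match:
            continue
        value = _clean(match.group(2), comment)
        if value.lower() in ("", "none"):
            continue  # empty or "none" means the feature is off
        findings.append((source, lineno, match.group(1).lower(), value))
    return findings

# Constructed sample inputs (not taken from the affected server).
SAMPLE_INI = r"""[PHP]
; automatically add files before or after any PHP document
auto_prepend_file = "C:\Inetpub\banner.php"
auto_append_file =
"""
SAMPLE_CONF = """# constructed httpd.conf fragment
php_value auto_prepend_file /var/www/banner.php
php_value auto_append_file none
"""

if __name__ == "__main__":
    for hit in (find_injected_includes(SAMPLE_INI, "php.ini")
                + find_injected_includes(SAMPLE_CONF, "httpd.conf")):
        print("%s:%d %s -> %s" % hit)
```

Any file a finding names should then be inspected, since it runs before or after every PHP script while leaving the scripts themselves unmodified.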
Re: [PHP] Hack on Server.
Hi Jean-Francois!

On Thu, 19 Jul 2001, Jean-Francois Jauvin wrote:
> Hi, my server with php on it has been "hacked" or something., what
> happened is every PHP page displayed a certain message like "Hacked by blah
> blah blah...".
> None of the HTML pages were affected, only the PHP ones
> but the scripts were not altered, I've shut down IIS, reinstalled PHP, and

Ah, IIS, the magic word.

Maybe you have been hacked by the Bady worm, I saw it in action in the test lab :)

-- teodor