
[aclug-L] Re: Problems

To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Problems
From: Steven Saner <ssaner@xxxxxxxxxxxxxxx>
Date: Fri, 21 Oct 2005 13:06:42 -0500
Reply-to: discussion@xxxxxxxxx

On Fri, Oct 21, 2005 at 11:09:18AM -0500, Dale W Hodge wrote:
> Hello guys! I've got some problems and I'm looking for advice in how to
> deal with them. 
> 
> Sometime in the past few days, somebody exploited a weakness in my web
> server, overwrote the index.html files on all my domains. About the same
> time, it appears they utilized the mailer capabilities of
> the webserver to mail out in excess of 10,000 pieces of spam! It was
> when the bounce messages started flooding my mailbox that I realized I
> had a problem.  There's no evidence that anyone gained root access, it
> looks like it was just a webserver exploit. 
> 
> The question is how best to secure the server and prevent this from
> happening again. I'm not sure just what they exploited, whether it was
> in apache itself, or in the post-nuke code running on it. 
> 
> I'm open to suggestions at this point.

Well, you can try to upgrade all of the web related software to the
newest stable versions, but you really want to try to figure out what
exactly was compromised. In my experience, this was most likely a
vulnerability in some dynamic content software, such as a cgi or php
script of some kind.

Have you been through the web server logs? Sometimes if you can find
accesses just before or right at the time the exploit began, you can
get an idea of what script or whatever was used in an undesirable
way. Look at the error logs too, as whatever was done could have
generated an error. Of course, if the server logs got modified in the
process, this may not help, but if they really didn't get root access,
you might be lucky.

You should also try to look through the files that make up your web
site(s) and see if there are any files that should not be there. This
kind of thing is commonly done by getting a script to write some
arbitrary data (like code) to a file, and then getting that or another
script to somehow execute that code.

That's a start anyway...

Steve

-- 
--------------------------------------------------------------------------
Steven Saner <ssaner@xxxxxxxxxxxxxxx>
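Steve's two checks above, sifting the access log around the time of the defacement and hunting for files in the web tree that should not be there, as an added shell example that is not part of the thread or of anyone's message in it. The log lines, client addresses, directory names (images/, uploads/), file names and timestamps are all constructed for the demo; which directories count as "static only" is an assumption you would adjust for your own site.

```shell
#!/bin/sh
# Added example, not from the list thread: helpers for the two checks Steve
# describes. Everything below (log lines, addresses, paths, times) is
# constructed for the demo, not taken from the compromised server.

# Constructed Apache combined-log lines. The first address requests a module
# with '..' in the query string, POSTs to an upload script, then fetches a
# .php file from images/, a sequence that deserves a closer look.
SAMPLE_LOG='203.0.113.5 - - [19/Oct/2005:03:12:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Oct/2005:03:12:04 -0500] "GET /modules/Foo/index.php?page=../../../tmp/x.txt HTTP/1.1" 200 2040 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Oct/2005:03:12:09 -0500] "POST /modules/Foo/upload.php HTTP/1.1" 200 310 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Oct/2005:03:12:15 -0500] "GET /images/new.php HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
198.51.100.7 - - [19/Oct/2005:03:40:22 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Keep only lines whose timestamp starts with the given Apache-style prefix,
# e.g. '19/Oct/2005:03:1' covers 03:10 to 03:19 on 19 Oct. Narrow the prefix
# to the minutes just before the index.html files changed.
log_window() {
    grep -F "[$1"
}

# From a stream of log lines, pick requests worth a closer look: POSTs to
# scripts, script files served from directories that should only hold static
# content (images/ and uploads/ here, an assumption), and '../' in a request.
suspicious_requests() {
    grep -E '"POST [^ ]*\.(php|cgi|pl)|"GET /(images|uploads)/[^ ]*\.(php|cgi|pl)|\.\./'
}

# Requests per client address, most active first. A defacement plus a spam
# run usually shows up as one or two addresses hammering the same scripts.
top_clients() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Regular files under DOCROOT ($1) modified after the timestamp in $2
# (touch -t format, CCYYMMDDhhmm). A throwaway reference file carries the
# time so the check works with any POSIX find.
files_since() {
    ref=$(mktemp)
    touch -t "$2" "$ref"
    find "$1" -type f -newer "$ref"
    rm -f "$ref"
}

# Script files sitting in directories that should only hold static content.
# This is the "file written by one script, executed by another" pattern Steve
# mentions; the directory list is the same assumption as above.
scripts_in_static_dirs() {
    find "$1" -type f \( -path '*/images/*' -o -path '*/uploads/*' \) \
        \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \)
}

# Build a constructed web tree in a temp dir: an old logo and module, a .php
# dropped into images/ at 03:12, and index.html overwritten at 03:15.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/modules/Foo"
    : > "$d/index.html"
    : > "$d/images/logo.gif"
    : > "$d/images/new.php"
    : > "$d/modules/Foo/index.php"
    touch -t 200501010000 "$d/images/logo.gif" "$d/modules/Foo/index.php"
    touch -t 200510190312 "$d/images/new.php"
    touch -t 200510190315 "$d/index.html"
    echo "$d"
}

# Stand-alone demo over the constructed data.
echo "== requests in the 03:10-03:19 window that merit a look =="
printf '%s\n' "$SAMPLE_LOG" | log_window '19/Oct/2005:03:1' | suspicious_requests
echo "== requests per client =="
printf '%s\n' "$SAMPLE_LOG" | top_clients
demo_root=$(make_sample_docroot)
echo "== files changed since 03:00 on 19 Oct =="
files_since "$demo_root" 200510190300
echo "== script files in static directories =="
scripts_in_static_dirs "$demo_root"
rm -rf "$demo_root"
```

On a real box, replace the sample with the actual access log (`log_window '19/Oct/2005:03:1' < /var/log/apache/access_log | suspicious_requests`) and point `files_since` at the document root with a timestamp shortly before the defacement; the error log is worth the same window filter, since a failed first attempt often lands there before the successful one.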


