Complete.Org: Mailing Lists: Archives: discussion: October 2005:
[aclug-L] Re: Problems
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Problems
From: Jeff Vian <jvian10@xxxxxxxxxxx>
Date: Sat, 22 Oct 2005 07:28:11 -0500
Reply-to: discussion@xxxxxxxxx

On Fri, 2005-10-21 at 11:09 -0500, Dale W Hodge wrote:
> Hello guys! I've got some problems and I'm looking for advice in how to
> deal with them. 
> 
> Sometime in the past few days, somebody exploited a weakness in my web
> server, overwrote the index.html files on all my domains. About the same
> time, it appears they utilized the mailer capabilities of
> the webserver to mail out in excess of 10,000 pieces of spam! It was
> when the bounce messages started flooding my mailbox that I realized I
> had a problem.  There's no evidence that anyone gained root access, it
> looks like it was just a webserver exploit. 
> 
You should be able to tell what exactly happened and when by the logs
and by the file timestamps.

There is a known weakness in some of the phpbb code, and postnuke as
well unless you have the latest code updates installed.

> The question is how best to secure the server and prevent this from
> happening again. I'm not sure just what they exploited, whether it was
> in apache itself, or in the post-nuke code running on it. 
> 
I don't know of any explicit weaknesses in the latest apache, but
definitely in php code if not up to date.

Who owned the directories and files that were overwritten?  If they
belonged to apache (or rather the user the web server runs as) then
anyone able to exploit the code weaknesses can write in those
directories.

And spam is a weakness that should be limited by requiring anyone
sending mail through the web interface to be logged in.  If yours does not
then you should consider fixing that.

> I'm open to suggestions at this point.
> 
> --Dale

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
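Jeff's three checks above (file timestamps against the logs, who owns the overwritten files, and whether the mail-sending script is being hammered) worked through as an added example; this is not code from the thread or from any of the projects named in it. Everything in it is constructed: the docroot is built in a temp directory, the "web user" is taken to be whoever runs the script, and the access-log lines are made up in Apache common log format with addresses from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: reconstruct what Jeff suggests checking.
# Everything here is constructed: the docroot lives in a temp dir, the "web
# user" is whoever runs the script, and the access log is made up in Apache
# common log format with documentation-range addresses.
set -eu

WEBUSER=$(id -un 2>/dev/null || id -u)   # assumption: stands in for the httpd account

# Constructed docroot: three vhosts, each with an index.html and a PHP script,
# all dated before a baseline file, then two index pages rewritten afterwards.
make_docroot() {
    dir=$(mktemp -d)
    for site in a.example b.example c.example; do
        mkdir -p "$dir/$site"
        printf 'legit\n' > "$dir/$site/index.html"
        printf '<?php\n' > "$dir/$site/modules.php"
        touch -t 200510150000 "$dir/$site/index.html" "$dir/$site/modules.php"
    done
    touch -t 200510160000 "$dir/.baseline"      # last known-good point in time
    printf 'hacked\n' > "$dir/a.example/index.html"
    printf 'hacked\n' > "$dir/c.example/index.html"
    echo "$dir"
}

# Check 1: which files changed after the baseline.  On a real box, compare the
# earliest mtime here with the access log to find the request that did it.
changed_since() {
    find "$1" -type f -newer "$1/.baseline" ! -name .baseline | sort
}

# Check 2: files the web-server user can write (owned by it and u+w, or
# world-writable).  If the docroot shows up here, any code-execution bug in
# the PHP app is enough to deface it; content should be owned by another
# account and be readable, not writable, by the server.
writable_by_webuser() {
    find "$1" -type f ! -name .baseline \
        \( -user "$WEBUSER" -perm -200 -o -perm -002 \) | sort
}

# Constructed access log (Apache common format).  Field 1 is the client,
# field 4 the "[dd/Mon/yyyy:HH:MM:SS" timestamp, field 7 the URL.
ACCESS_LOG='192.0.2.10 - - [20/Oct/2005:03:11:02 -0500] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [20/Oct/2005:03:12:41 -0500] "POST /modules.php?name=Members_List HTTP/1.1" 200 512
198.51.100.7 - - [20/Oct/2005:03:12:45 -0500] "GET /modules.php?name=Downloads HTTP/1.1" 200 88
198.51.100.7 - - [20/Oct/2005:03:13:10 -0500] "POST /mailer.php HTTP/1.1" 200 12
198.51.100.7 - - [20/Oct/2005:03:13:11 -0500] "POST /mailer.php HTTP/1.1" 200 12
198.51.100.7 - - [20/Oct/2005:03:13:12 -0500] "POST /mailer.php HTTP/1.1" 200 12
203.0.113.5 - - [20/Oct/2005:09:00:00 -0500] "GET /mailer.php HTTP/1.1" 200 7
192.0.2.10 - - [20/Oct/2005:09:05:00 -0500] "GET /index.html HTTP/1.1" 200 7'

# Check 1, other half: requests for PHP scripts whose time of day falls in
# [START,END] (HH:MM:SS), a window bracketing the earliest modified file.
php_requests_between() {
    log=$1 start=$2 end=$3
    printf '%s\n' "$log" | awk -v s="$start" -v e="$end" '
        { t = substr($4, index($4, ":") + 1)           # HH:MM:SS
          if (t >= s && t <= e && $7 ~ /\.php/) print }'
}

# Check 3: requests per client for a URL pattern.  A mail-sending script hit
# over and over from one address, with no login in front of it, is the spam run.
clients_hitting() {
    log=$1 pattern=$2
    printf '%s\n' "$log" |
        awk -v p="$pattern" '$7 ~ p { n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

docroot=$(make_docroot)
echo "== files changed since baseline";    changed_since "$docroot"
echo "== files the web user can write";    writable_by_webuser "$docroot"
echo "== PHP requests 03:10-03:15";        php_requests_between "$ACCESS_LOG" 03:10:00 03:15:00
echo "== clients hitting the mailer";      clients_hitting "$ACCESS_LOG" 'mailer[.]php'
rm -rf "$docroot"
```

On a real server the baseline file is replaced by the last backup or package install date, the web user by the account in httpd's User directive, and the window by the mtime of the earliest defaced index.html; the point of the second check is that if content is owned by the same account the server runs as, a bug in any PHP script on the box is enough to rewrite every vhost's index page, so content should belong to a separate account with the server limited to read access.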