Re: [users@httpd] site compromised and httpd log analysis

2022-07-05 Thread Yehuda Katz
Your log doesn't start early enough. Someone uploaded a web shell (or found
an existing web shell) to your server, possibly using an upload form that
doesn't validate the input, then used that shell to run commands on your
server.
I would consider your entire server to be compromised at this point since
you have no record of what else the attacker could have done once they had
a shell.

Make sure that you do not allow users to upload files and then execute
those files.

- Y

On Tue, Jul 5, 2022 at 9:53 PM KK CHN wrote:

> https://pastebin.com/YspPiWif
>
> One of the websites hosted by a customer on our Cloud infrastructure was
> compromised, and the attackers were able to replace the home page with
> their banner html page.
>
> The log files output I have pasted above.
>
> The site compromised was PHP 7 with MySQL.
>
> From the above log, can someone point out what exactly happened and how
> they are able to deface the home page.
>
> How to prevent these attacks? What is the root cause of this
> vulnerability and how the attackers got access?
>
> Any other logs or command line outputs required to trace back, kindly let
> me know what other details I have to produce.
>
> Kindly shed your expertise in dealing with these kinds of attacks and trace
> the root cause and prevention measures to block this.
>
> Regards,
> Krish
>
>
>
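One way to look for the pattern Yehuda describes in the httpd access log, as an added example that is not part of this thread: it lists every request that executed a script file out of a user-upload directory. The directory name, the extension list and the sample log lines are constructed for the example and assume Apache's combined log format.

```shell
#!/bin/sh
# Added example: find requests that execute script files served out of an
# upload directory in an Apache combined-format access log. UPLOAD_DIR, the
# extension list and the sample log below are constructed for this example.

UPLOAD_DIR="${UPLOAD_DIR:-/uploads/}"

# find_upload_exec LOGFILE
# Prints "client time method path status" for every request whose path sits
# under UPLOAD_DIR and names a server-side script (query string ignored).
find_upload_exec() {
    awk -v dir="$UPLOAD_DIR" '
    {
        # combined format: host ident user [time zone] "METHOD path proto" status ...
        split($0, q, "\"")            # q[2] is the quoted request line
        n = split(q[2], r, " ")
        if (n < 2) next
        method = r[1]; path = r[2]
        sub(/\?.*/, "", path)         # strip the query string before matching
        if (index(path, dir) == 1 && path ~ /\.(php[0-9]?|phtml|phar)$/) {
            ts = $4; sub(/^\[/, "", ts)
            print $1, ts, method, path, $9
        }
    }' "$1"
}

# count_upload_exec LOGFILE: number of such requests (0 means nothing found).
count_upload_exec() {
    find_upload_exec "$1" | wc -l | tr -d ' '
}

# clients_upload_exec LOGFILE: distinct client addresses behind those requests,
# the first thing to pivot on when widening the search to other logs.
clients_upload_exec() {
    find_upload_exec "$1" | awk '{print $1}' | sort -u
}

# Constructed sample log: an upload, a legitimate image fetch, then two hits
# on a .php file inside the upload directory from the same client.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [05/Jul/2022:10:01:02 +0530] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2022:10:01:09 +0530] "GET /uploads/avatar.png HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2022:10:01:15 +0530] "GET /uploads/x.php?p=1 HTTP/1.1" 200 98 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2022:10:02:00 +0530] "GET /index.php HTTP/1.1" 200 3040 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jul/2022:10:03:22 +0530] "POST /uploads/x.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
EOF

find_upload_exec "$SAMPLE_LOG"
```

The hits it prints are only a starting point: the upload that placed the file usually sits a few lines earlier in the same log, from the same client, and that is the request to trace back to the vulnerable upload handler.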


[users@httpd] site compromised and httpd log analysis

2022-07-05 Thread KK CHN
https://pastebin.com/YspPiWif

One of the websites hosted by a customer on our Cloud infrastructure was
compromised, and the attackers were able to replace the home page with
their banner html page.

The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

From the above log, can someone point out what exactly happened and how
they are able to deface the home page.

How to prevent these attacks? What is the root cause of this
vulnerability and how the attackers got access?

Any other logs or command line outputs required to trace back, kindly let me
know what other details I have to produce.

Kindly shed your expertise in dealing with these kinds of attacks and trace
the root cause and prevention measures to block this.

Regards,
Krish


Re: [users@httpd] NameVirtualHost fails

2022-07-05 Thread jnil...@jala.com
I've tried several variations but basically the error message is that the 
certificate and the key for example2.com don't match. I 
thought I had set up the certificate with the proper keys so something must be 
screwed up with the certificate. I'm working on that.

Jack

> On 2 Jul 2022, at 1:21, Frank Gingras wrote:
> 
> What does the error log say, exactly? Note that TLS failures can be almost 
> silent in the logs, so if a single vhost causes the startup error, then check 
> the certificate.
> 
> On Fri, 1 Jul 2022 at 17:24, jnil...@jala.com wrote:
> Here's an example version of my vhosts.conf file:
> 
> # http redirect
> 
>  ServerName central.com
>  ServerAlias www.example1.com *.example1.com
> 
>  Redirect / https://www.example1.com/
>  ErrorLog /var/log/apache2/example1.com-error80_log
>  CustomLog /var/log/apache2/example1.com-access80_log combined
> 
> 
> 
>  ServerName example2.com
>  ServerAlias www.example2.com *.example2.com
> 
>  Redirect / https://www.example2.com/
>  ErrorLog /var/log/apache2/example2.com-error80_log
>  CustomLog /var/log/apache2/example2.com-access80_log combined
> 
> 
> # https version
> 
>  ServerAdmin webmas...@central.com
>  ServerName example1.com
>  ServerAlias www.example1.com *.example1.com
> 
>  DocumentRoot "/home/data/hqwww/htdocs"
>  SSLEngine on
>  SSLProtocol all -SSLv2
>  SSLCertificateFile /etc/apache2/ssl.crt/example.crt
>  SSLCertificateKeyFile /etc/apache2/ssl.key/www.example1.com.key
>  SSLCertificateChainFile /etc/apache2/ssl.crt/example1.ca-bundle
>  RewriteEngine On
>  RewriteOptions Inherit
> 
> 
> 
>   AllowOverride None
>   Options FollowSymlinks
>   Require all granted
> 
> 
> 
>   AccessFileName .htaccess
> 
>  ErrorLog /var/log/apache2/example1.com-error_log
>  CustomLog /var/log/apache2/example1.com-access_log combined
> 
> 
>   Include /etc/apache2/conf.d/*.conf
> 
> 
> 
> 
>   ServerAdmin webmas...@central.com
>   ServerName example2.com
>   ServerAlias www.example2.com *.example2.com
> 
>   DocumentRoot "/home/data/jmnwww/htdocs"
>   SSLEngine on
>   SSLProtocol all -SSLv2
>   SSLCertificateFile /etc/apache2/ssl.crt/example2.crt
>   SSLCertificateKeyFile /etc/apache2/ssl.key/www.example2.com.key
>   SSLCertificateChainFile /etc/apache2/ssl.crt/example2.ca-bundle
>   RewriteEngine On
>   RewriteOptions Inherit
> 
> 
> ##  To make the site work with pretty permalinks use the next 2 uncommented lines.
> ##  Otherwise use 'Options None' and 'AllowOverride None'
>   AllowOverride all
>   Options FollowSymlinks
>   Require all granted
> 
> 
>   AccessFileName .htaccess
> 
>  ErrorLog /var/log/apache2/example2.com-error_log
>  CustomLog /var/log/apache2/example2.com-access_log combined
> 
> Include /etc/apache2/conf.d/*.conf
> 
> If I drop the second host (example2), leaving just example1 it works; with 
> both hosts apache crashes on restart. Here is  the failure message output for 
> that case.
> 
>  systemctl status apache2.service
> ● apache2.service - The Apache Webserver
>  Loaded: loaded (/usr/lib/systemd/system/apache2.service; enabled; vendor 
> preset: disabled)
>  Active: failed (Result: exit-code) since Fri 2022-07-01 14:12:39 PDT; 
> 6min ago
> Process: 29193 ExecStart=/usr/sbin/start_apache2 -DSYSTEMD -DFOREGROUND 
> -k start (code=exited, status=1/>
>Main PID: 29193 (code=exited, status=1/FAILURE)
>  Status: "Reading configuration..."
> 
> Jul 01 14:12:39 donner systemd[1]: Starting The Apache Webserver...
> Jul 01 14:12:39 donner start_apache2[29193]: AH00548: NameVirtualHost has no 
> effect and will be removed in t>
> Jul 01 14:12:39 donner systemd[1]: apache2.service: Main process exited, 
> code=exited, status=1/FAILURE
> Jul 01 14:12:39 donner systemd[1]: apache2.service: Failed with result 
> 'exit-code'.
> Jul 01 14:12:39 donner systemd[1]: Failed to start The Apache Webserver.
> 
> 
>> On 30 Jun 2022, at 16:24, Frank Gingras wrote:
>> 
>> That is one assumption, sure. Best to have the user run apachectl -S to 
>> confirm. For all we know, they could have defined invalid vhosts.
>> 
>> On Thu, 30 Jun 2022 at 16:54, > > wrote:
>> You are missing 

[users@httpd] Apache 2.4 and php

2022-07-05 Thread Paul



I'm going nowhere for what must be a small glitch.  Ubuntu server 
20.04LTS, Apache/2.4.41 (Ubuntu) using mpm_prefork behind Nginx proxy 
server.


We use php 7.4 for many thousands of static pages that use e.g. <?php include 'inc/tophead.html';?> giving us "<html lang="en">, css, js, etc" sent to clients. Always reliable, 
production and backup machines delivering perfectly for many years.


Just built a sandbox (to start looking at Apache Solr) as an exact 
replica of our production servers (but without letsencrypt), exact down 
to every file, version, release, permission, owner, dot and comma as far 
as I can see after hours of searching around.


The sandbox is delivering "raw text", 
not the content of the included file. Log files give no clue -- apache 
just "200" responses for the text and images, but obviously not 
the css, js, layout -- syslog, auth, nginx and php exactly the same as 
on the production servers.


Suggestions, pointers, ideas would be warmly welcomed -- and save what's 
left of my sanity ;=}


Many thanks,
Paul
