Morgan I did not have Tripwire installed. Will do that :) The problem is that I can't find the files that were modified. As I indicated in the initial email, the hackers page started to show up at some point, then STOPPED, then, in 20 minutes started again, nd then stopped again. After that I shut down apache. So, I am even clueless where to search for the logs.
The only thing that is relevant to the attach is this: mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:17 -0500] "GET //phpmyadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6. mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:18 -0500] "GET //pma/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wind mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:19 -0500] "GET //admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET //dbadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:20 -0500] "GET //mysql/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:21 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:22 -0500] "GET //myadmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:22 -0500] "GET //PHPMYADMIN/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6. mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:23 -0500] "GET //phpMyAdmin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6. mysite.com:80 218.8.251.187 - - [02/Apr/2010:13:44:24 -0500] "GET //p/m/a/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 675 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Wi So, I suspect that the vulnerablity might have been in the phpmyadmin. Could it be there? Or is the chaler was trying to find the most common ways to get in? Oleg. On Sun, Apr 4, 2010 at 3:28 AM, Morgan Gangwere <0.fracta...@gmail.com>wrote: > On 4/3/2010 4:24 PM, Oleg Goryunov wrote: > >> >> THe problem is that I do not see any files changed on the server (and >> thus cannot check the owner of them). Where should I look for the >> possible evidence of someone else being there? >> > > Do you have Tripwire installed? > If so, just look at its logs :) > > Otherwise, I'd look carefully at the dates that things were modified. you > *do* have backups, right? > > -- > Morgan Gangwere > > >> Why? > > Because it breaks the logical flow of conversation, plus makes messages > unreadable. > >>> Top-Posting is evil. > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > " from the digest: users-digest-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > >
