Re: Apache attacks

[Dan Margolis <dmargoli+lists () af0 net>]

On Wed, Jan 26, 2005 at 08:56:52PM +0000, Kenny wrote:
> My server crashed yesturday and I had to restart it, to get it going 
> again. Now everything seems ok, however looking at my 
> /var/log/httpd/access_log.1 shows a visitor to the website posting some 
> big chunks of exploit code (containing a massive nop sled).
> How do I know if this attacker actually got in or not?

I'm assuming Apache segfaulted on you. But this doesn't tell you whether
the exploit was successful or not. You can try some standard auditing
procedures, e.g. scan for known rootkits, compare binary hashes to
known-good hashes, etc. You can also try the exploit yourself--with the
malicious code replaced with something less evil--and see if it actually
works. 

That's about all I can think of, though. 

It would also be good if you could give more details on the Apache
crash. Specifically, your version number, debugger output, and the
exploit. If this is an unknown exploit, it would be invaluable if you
could file a bug with the Apache project. You may want to keep this
confidential in that case, although since it's already in the wild, I
suppose that's probably less useful. 

-- 
Dan