Security Basics mailing list archives
Re: Apache attacks
From: Dan Margolis <dmargoli+lists () af0 net>
Date: Fri, 28 Jan 2005 12:39:31 -0500
On Wed, Jan 26, 2005 at 08:56:52PM +0000, Kenny wrote:
My server crashed yesturday and I had to restart it, to get it going again. Now everything seems ok, however looking at my /var/log/httpd/access_log.1 shows a visitor to the website posting some big chunks of exploit code (containing a massive nop sled). How do I know if this attacker actually got in or not?
I'm assuming Apache segfaulted on you. But this doesn't tell you whether the exploit was successful or not. You can try some standard auditing procedures, e.g. scan for known rootkits, compare binary hashes to known-good hashes, etc. You can also try the exploit yourself--with the malicious code replaced with something less evil--and see if it actually works. That's about all I can think of, though. It would also be good if you could give more details on the Apache crash. Specifically, your version number, debugger output, and the exploit. If this is an unknown exploit, it would be invaluable if you could file a bug with the Apache project. You may want to keep this confidential in that case, although since it's already in the wild, I suppose that's probably less useful. -- Dan
Current thread:
- Apache attacks Kenny (Jan 27)
- Re: Apache attacks Bernie Johnson (Jan 27)
- Re: Apache attacks Micheal Cottingham (Jan 28)
- Re: Apache attacks bernie (Jan 28)
- Re: Apache attacks KillKenny (Jan 28)
- Re: Apache attacks Dan Margolis (Jan 28)
- Re: Apache attacks Ty Bodell (Jan 31)
- <Possible follow-ups>
- Re: Apache attacks miguel . dilaj (Jan 31)
- Re: Apache attacks Bernie Johnson (Jan 27)