Bugtraq mailing list archives
Re: Apache hacks (./atac, d0s.txt)
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Fri, 29 Apr 2005 14:49:42 -0700 (PDT)
On Fri, 29 Apr 2005, Andrew Y Ng wrote:
> My server has been seeing some usual activities today, I don't have much time to get down to the bottom of things, but after I investigated briefly I have decided to disable PERL executable permission for www-data (Apache process's user), also locked /var/tmp so www-data cannot write to it.
>
> Looks like it ignores all the `kill` signals, not sure how I can actually kill it...
Seems a bit premature to call this an "Apache hack." First off, it's probably not Apache's fault. Judging from what I've seen thus far, it looks more like a flaw in one of your CGI scripts which allowed someone to create and execute an arbitrary file in one of the system's most obvious world-writable directories.
From what I've seen, the script looks like a vanilla, PERL-based IRC bot. You should be able to kill -9 it via root.
Either way, your system got molested. Take the box offline, back up your data, audit your CGI scripts and access policies for flaws and weaknesses, scrub the system, reinstall the OS from trusted media, apply all the latest patches, bring the box back online, and have a nice day.
-Jay

Jay D. Dyson -- jdyson () treachery net
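
A triage sketch for the situation described in this message, added here as an example and not part of the original post: it reads `ps -eo user=,pid=,args=` output and flags processes owned by the web account that run from a world-writable directory, were started by relative path, or are a Perl interpreter. The function names `flag_webuser_procs` and `sample_ps`, the sample process lines, and the inclusion of `/dev/shm` alongside `/tmp` and `/var/tmp` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Input on stdin: lines in the format produced by `ps -eo user=,pid=,args=`.
# Output: "<pid> <reason>" for each process owned by the web account
# that does not look like the web server itself.

flag_webuser_procs() {
    # $1: account the web server runs as (default: www-data, as in the thread)
    awk -v u="${1:-www-data}" '
    $1 == u {
        reason = ""
        for (i = 3; i <= NF; i++) {
            # Command or argument located in a world-writable directory.
            if ($i ~ /^(\/var\/tmp|\/tmp|\/dev\/shm)\//)
                reason = "path-in-world-writable-dir"
            # Command started by relative path, from an unknown working directory.
            else if (i == 3 && $i ~ /^\.\// && reason == "")
                reason = "relative-exec"
        }
        # An interpreter under the web account: may be a CGI, still worth review.
        if (reason == "" && ($3 == "perl" || $3 ~ /\/perl$/))
            reason = "perl-as-webuser"
        if (reason != "") print $2, reason
    }'
}

# Constructed sample input; the PIDs, paths and file names are made up.
sample_ps() {
cat <<'EOF'
root      812 /usr/sbin/apache2 -k start
www-data  901 /usr/sbin/apache2 -k start
www-data 4242 perl /var/tmp/bot.pl
www-data 4250 ./dropped
www-data 4300 /usr/bin/perl /usr/lib/cgi-bin/form.pl
alice    5000 perl /tmp/report.pl
EOF
}

sample_ps | flag_webuser_procs www-data
```

On a live host the input would come from `ps -eo user=,pid=,args= | flag_webuser_procs www-data`. A process can rewrite its own argument string, so confirm each hit against `/proc/<pid>/exe` and `/proc/<pid>/cwd` before trusting the name shown.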