Apache Security Problem - need help

[Fabio Saber <php-sec () f-s at>]

Hallo Liste,

ich stehe hier vor einem gröberen Problem. Auf mein System (Debian) 
wurde ein Angriff über (ich vermute mal) Apache (Apache/1.3.33) 
durchgeführt.
Ich gehe davon aus, dass irgendwie Session Daten manipuliert worden sind 
und dadurch Dateien downgeloadet wurden.

Ein Auszug aus der Apache error.log zeigt folgendes:

Hello list,

I've some troubles with Apache (1.3.33) on a Debian system. I suppose 
that someone manipulated active sessions (PHP) and got access to my system.
A short extract from my apache error.log

-------------------
error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
sh: line 1: cd: .sess_f345236263adsdadas2737237723: No such file or 
directory
--19:32:36--  http://mrx88.altervista.org/iroffer.tar
         => `iroffer.tar'
Resolving mrx88.altervista.org... done.
Connecting to mrx88.altervista.org[67.15.189.15]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 126,773 [application/x-tar]

  0K .......... .......... .......... .......... .......... 40%   66.14 
KB/s
 50K .......... .......... .......... .......... .......... 80%  146.63 
KB/s
100K .......... .......... ...                             100%  208.79 
KB/s

19:32:38 (102.23 KB/s) - `iroffer.tar' saved [126773/126773]

error: 'kern.ostype' is an unknown key
error: 'kern.osrelease' is an unknown key
sh: line 1: cd: .sess_f345236263adsdadas2737237723: No such file or 
directory
-------------------

I can't understand why these lines are in the error.log?
Also some other files have been loaded: 
http://mrx88.altervista.org/xhide.c   and 
http://ninobuccheri86.altervista.org/zxcv.

The downloaded program has also been compiled and started.

Thanks for help!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/