Sergio Cuéllar Valdés wrote on Mon 21. 08. 2006 at 09:51 -0500:
> On 8/21/06, David Siroky <[EMAIL PROTECTED]> wrote:
> > Hi!
> >
> > I have an urgent situation. On one of my servers disappeared all apache
> > "error.log" and "access.log" files and other files containing "logo" or
> > "login". I found some unknown processes.
> >
> > # ps -el
> > ...
> > 1 S 5000 1008 1 0 75 0 - 572 - ? 00:00:16 iroffer
> > 0 S 5000 7574 1 0 76 0 - 1390 - ? 00:02:28 sifler.pl
>
> Ooops, you should disconnect your box from the network, and then
> check that files.
>
> Do you have some LAMP application running in your server ?
>
> Check the messages files.
>
I have LAMP (PHP). After an investigation I found that there was only an iroffer bot (http://iroffer.org/), process faker and somebody used tools from http://fullzonelista.altervista.org/ to make my server a warez server. chkrootkit and rkhunter don't report any rootkits and those processes were so obvious that I assume I found all the "bad" files.

The attack came through an apache2 so the attackers were able to manipulate only web files (they had only http server privileges). Attackers deleted all access.log and error.log files (which I had among the web files) so I can't trace the security hole. I know that there is a security issue in mod_rewrite but I don't use it. Maybe PHP is unsafe. It is a mystery to me.

Now I "doubled" the apache logging so next time they will not be able to delete all "entry" evidence (I hope they will attack again :-).

David

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
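The logs in this incident were deletable because they lived among the web files owned by the httpd user. An added example of "doubled" logging that keeps the evidence out of that user's reach (this is illustrative configuration, not David's setup; the paths, the `loghost` name and the `local6` facility are assumptions):

```apache
# Added example, not from the thread. Keep Apache logs where the request-handling
# user cannot delete them, and ship a second copy off the box.

# 1. Logs go to a root-owned directory outside any DocumentRoot. Apache opens the
#    files as root before dropping privileges, so the worker user (www-data on
#    Debian) needs no write access to the directory at all:
#      chown root:adm /var/log/apache2 && chmod 0750 /var/log/apache2
ErrorLog  /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

# 2. A second copy of every access line is piped to syslog. Piped log programs
#    are started by the root parent process, so a compromise confined to the
#    www-data user cannot stop or truncate this stream. CustomLog may appear
#    several times; ErrorLog only once per server or virtual host.
CustomLog "|/usr/bin/logger -t apache-access -p local6.info" combined

# 3. syslog forwards that facility to a remote collector (assumed hostname),
#    e.g. in /etc/syslog.conf:
#      local6.*    @loghost
#    Deleting local files, as happened here, then no longer removes the
#    request that first reached the web application.
```

Compare the local file and the remote copy after any rotation; a gap that exists only locally is itself an indicator worth investigating.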