Server Hacked
Warren Barrow
warren at barrow.cc
Fri Aug 19 18:00:34 UTC 2005
I am almost certain that the system was compromised due to b2evolution
(phpBB, too, if it uses xmlrpc). Many PHP applications are vulnerable
due to issues within XML-RPC, specifically http://<host>/xmlrpc.php.
There are readily available exploits that will give the
attacker a command line via this vector. With that said, if you
configured Apache to run as a restricted user (i.e. nobody), then the
attacker would have only modified pages to which the restricted account
had write access.
There are mass autorooter worms traveling around that perform this
automatically: successfully exploit, change all index.* pages, drop an
IRC/DDoS daemon into a hidden (or not so hidden) directory. Hint: check
/tmp for weird binaries and other files.
Run a find command to look for all modified files within the last N hours.
For all files owned by nobody and modified within the last 24 hours (N x 24):
find / -user nobody -mtime -1 -print
Run this perl script to exploit yourself:
http://www.milw0rm.com/id.php?id=1084
Other reading:
http://phpxmlrpc.sourceforge.net/
-Warren
Matt Thorne wrote:
>Personally I think that you would find a lot of mostly related information at
>
>Honeynet.org
>
>under tools they have some programs that allow you to interrogate hacked comps.
>The thing that might be most interesting is to look in the
>"whitepapers" section and see how they respond to their hacked
>computers. I realize that this isn't a how-to or a step by step, but I
>am pretty certain that the information will be useful to you.
>
>Good luck
>
>-=Matt=-
>
>
>
>>Anyway, this is getting even more off-topic.
>>
>>I'm still sort of surprised that this group of what I thought was fairly
>>skilled developers hasn't provided one link or suggestion on how best to
>>1) identify the vulnerability exploited on a hacked server or 2)
>>identify the likely perpetrator of a defacement. Searching around I find
>>lots about how to prevent hacks in the first place but very little
>>that's helpful in dealing with it once it's happened.
>>
>>Brian
>>
>>
>>
>
>
>
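Added example (editor's note, not part of Warren's post or the thread): a small POSIX shell triage helper that generalises the single find command above into the three checks the post describes, with the web-server account, document root and lookback window as parameters. Assumptions: the web server runs as an account such as nobody or www-data (it varies by distribution), and find supports -mmin, which GNU and BSD find both do. Sample paths in the comments are illustrative.

```shell
#!/bin/sh
# Post-compromise triage helpers (added example, not from the original post).
# Assumes GNU or BSD find (-mmin, -user, -perm, -xdev). The web-server account
# name is passed in because it differs between systems (nobody, www-data, apache).

# Regular files under ROOT owned by USER and modified within the last HOURS hours.
# Generalises: find / -user nobody -mtime -1 -print
recent_writes_by_user() {
  rw_root=$1; rw_user=$2; rw_hours=$3
  find "$rw_root" -xdev -type f -user "$rw_user" -mmin "-$((rw_hours * 60))" 2>/dev/null
}

# Executable regular files in a scratch directory such as /tmp, where dropped
# IRC/DDoS daemons tend to land (owner-executable bit set, -perm -100).
executables_in() {
  ex_dir=$1
  find "$ex_dir" -xdev -maxdepth 2 -type f -perm -100 2>/dev/null
}

# index.* pages under the document root touched within the last HOURS hours,
# the footprint of the mass-defacement worms described in the post.
recent_index_pages() {
  ip_root=$1; ip_hours=$2
  find "$ip_root" -xdev -type f -name 'index.*' -mmin "-$((ip_hours * 60))" 2>/dev/null
}

# Example invocation on a real box (paths and account are assumptions):
#   recent_writes_by_user / nobody 24
#   executables_in /tmp
#   recent_index_pages /var/www/htdocs 24
```

Run the three functions as root so find can descend into every directory; compare the output against package manifests or a known-good backup before trusting any file the web-server account was able to write, and treat anything executable in /tmp as suspect until identified.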