LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-28-2010, 09:36 AM   #1
philwynk
Member
 
Registered: Sep 2007
Posts: 84

Rep: Reputation: 15
Apache hack: how do I block it?


Somebody apparently tried to hack my tiny server today. It's a LAMP server: Fedora core 12, Apache, MySQL, PHP on an AMD 64.

My server hung, so I rebooted the system and looked in the httpd log. I found repeated instances of this command near the time of the crash:

Quote:
212.95.54.43 - - [28/Apr/2010:09:17:46 -0400] "POST /wp-content/uploads/2009/10/anpdyv8v.php? HTTP/1.0" 200 2 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"
The file anpdyv8v.php was dated 24/APR/2010, but the directory is a dated directory for graphic images posted to the blog in Oct 2009, so I know it's not mine, and I know it appeared recently.

The file consists of a single PHP "eval(base64_decode(" statement, which is pretty clearly an encrypted application file in PHP.

I changed the ownership of the file so Apache can't read it anymore (it was owned by apache.web, which is the account under which Apache runs), but I'm very concerned that somebody was able to post a rogue file on my server as "apache."

How did they do that, and how can I prevent them from doing it again?

BTW, the IP address traces to a server in Belarus.

Thanks for any and all suggestions in advance.

Phil Weingart
 
Old 04-28-2010, 10:37 AM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
Drop the route to the IP address/network in Belarus if that's not somewhere you'd expect legitimate traffic. Then go back through your logs and figure out how they got in. In all likelihood it was a bad password or a known bug in an older version of WordPress. Make sure all your applications and utilities are up to date, including webapps. I would also suggest that as a minimum effort you run chkrootkit and rkhunter over the system as a safeguard against potentially being rooted.
 
Old 04-28-2010, 11:44 AM   #3
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
Quote:
Originally Posted by philwynk
How did they do that, and how can I prevent them from doing it again?
It looks like you are using WordPress, so it's possible the hack was a result of a vulnerability there. Always patch your webapps!
It's also possible that the uploads directory is world-writable... you'd be amazed how often this is recommended in webapp installation notes.
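The two replies above point at the same places to look: PHP files sitting in a directory that should only hold media, and directories the web-server account (or anyone) can write to. The following script is an added example for this thread, not any poster's code. It audits a WordPress web root for both conditions and writes an .htaccess that stops Apache from serving PHP out of the uploads tree. The web root path, the Apache 2.2 directive syntax (matching the Fedora 12 era of the thread) and the assumption that AllowOverride permits Limit directives are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a WordPress tree for the
# conditions discussed above. The web root is an assumption; pass yours.
#
#   1. PHP files under wp-content/uploads (which should hold only media) whose
#      contents match the eval(base64_decode(...)) pattern the poster found.
#   2. Directories under the web root that are world-writable, which lets any
#      local account, the web server's included, drop a file there.
#   3. An .htaccess for the uploads directory telling Apache 2.2 to refuse to
#      serve *.php from it, so a planted file cannot be executed over HTTP.

# find_suspicious_php DIR: list PHP files under DIR whose contents contain
# "eval(base64_decode" (case-insensitive), one path per line.
find_suspicious_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -il 'eval(base64_decode' {} \; 2>/dev/null
}

# find_world_writable_dirs DIR: list directories under DIR whose mode grants
# write permission to "other" (the o+w bit), e.g. mode 777.
find_world_writable_dirs() {
    find "$1" -type d -perm -o+w 2>/dev/null
}

# write_deny_php_htaccess DIR: write DIR/.htaccess denying HTTP access to any
# *.php below DIR (Apache 2.2 mod_authz_host syntax). Assumes the server's
# AllowOverride setting permits Limit directives in .htaccess files.
write_deny_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Uploads hold media only: never execute or serve PHP from here.
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
EOF
}

# Usage: sh audit_wp.sh /var/www/html
if [ -n "${1:-}" ]; then
    webroot=$1
    echo "== PHP files containing eval(base64_decode under uploads =="
    find_suspicious_php "$webroot/wp-content/uploads" | while read -r f; do
        ls -l "$f"   # owner, mode and mtime: compare with neighbouring media
    done
    echo "== world-writable directories under $webroot =="
    find_world_writable_dirs "$webroot"
    echo "== writing $webroot/wp-content/uploads/.htaccess =="
    write_deny_php_htaccess "$webroot/wp-content/uploads"
fi
```

Any file the first check reports is worth comparing against its neighbours with `ls -l`: in the thread the giveaway was a 2010 PHP file inside a 2009 image directory, owned by the account Apache runs as. Directories the second check reports should be tightened to 755 (or 775 with the web-server group) rather than left world-writable, and the .htaccess closes the execution path even if a file does get planted again.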
 
Old 04-28-2010, 11:54 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,688
Blog Entries: 54

Rep: Reputation: 2956
Quote:
Originally Posted by rweaver
Drop the route to the ip address/network in belarus if that's not somewhere you'd expect legitimate traffic.
Please note that if the intruder uses proxies in different TLDs that doesn't make sense (or keep adding IP addresses).

The other advice wrt running an unpatched version of WordPress and/or having world-writable U/L dirs and checking logs I agree are good starting points. Next to patching immediately and running file integrity verification I suggest running mod_security and fail2ban, as it comes with web-server log filters.
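The log-filter idea behind the fail2ban suggestion above can be tried by hand first: pull out the requests that look like the one in the first post (a POST to a .php file under wp-content/uploads), count them per client, and decide on a threshold. The script below is an added example for this thread, not any poster's code and not a fail2ban-shipped filter. It assumes Apache's combined log format, an access log path you supply, a three-request threshold, and standard fail2ban filter syntax with its `<HOST>` placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: pick requests like the one in the
# first post out of an Apache combined-format access log and count them per
# client address, the same kind of filtering a fail2ban jail performs. The
# log path and the default threshold of 3 are assumptions.

# php_posts_by_ip LOG: print "COUNT IP", highest count first, for POST
# requests whose target is a .php file under /wp-content/uploads/. Field
# positions follow the combined log format: $1 client IP, $6 quoted method,
# $7 request path (a trailing "?" as in the thread's line is still matched).
php_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ "^/wp-content/uploads/.*[.]php" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ips_over_threshold LOG N: client addresses with at least N such requests,
# one per line: candidates for a firewall drop or a fail2ban ban.
ips_over_threshold() {
    php_posts_by_ip "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# fail2ban_filter: emit a fail2ban filter definition matching the same
# requests. fail2ban substitutes <HOST> with its address pattern and bans a
# host once the jail's maxretry is reached within findtime. Written in the
# style of fail2ban's own access-log filters (e.g. apache-badbots).
fail2ban_filter() {
    cat <<'EOF'
[Definition]
failregex = ^<HOST> -.*"POST /wp-content/uploads/\S+\.php
ignoreregex =
EOF
}

# Usage: sh scan_upload_posts.sh /var/log/httpd/access_log [threshold]
if [ -n "${1:-}" ]; then
    echo "== POSTs to PHP under wp-content/uploads, per client =="
    php_posts_by_ip "$1"
    echo "== clients at or above ${2:-3} such requests =="
    ips_over_threshold "$1" "${2:-3}"
    echo "== equivalent fail2ban filter definition =="
    fail2ban_filter
fi
```

The filter deliberately keys on the request shape rather than on one address, which is the point made above about proxies: banning whoever repeats this request pattern holds up when the next attempt arrives from a different network. Legitimate WordPress traffic never POSTs to PHP under uploads, so even a low threshold produces few false positives.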