Our server has been hacked twice in three weeks' time:
At first we had a Red Hat 7.0, fully patched and up to date. We never managed to find how:
1) he got in
2) he got root
He installed 3/4 rootkits and defaced all our HTML with a JavaScript/iframe pointing to http://viprating.com/rate and http://viprating.com/counter.
There, Tripwire saved my life!
Nevertheless, we reinstalled everything with a Debian woody.
3 weeks later (4 days ago), the (same?) hacker broke in using:
1) an Apache 1.3.26 shellcode which attempted to install the linux.JAC virus from http://www.infosmolensk.ru/c [217.107.188.155] (beware! virus!); it apparently failed to run.
The logs showed some shellcodes, followed by a wget.
2) a second Apache 1.3.26 shellcode followed by an unknown root exploit.
The logs showed some shellcodes, but no command output.
Then he installed the SucKIT rootkit, and defaced all our HTML with a JavaScript/iframe pointing to http://viprating.com/rate and http://viprating.com/counter.
I found the attack came from a Russian site, http://www.infosmolensk.ru [217.107.188.155], as I saw several established connections from this IP to our port 80 with Apache stopped...
Yesterday, he tried once again, but hopefully Apache 1.3.29 behaved better:
access_log: 217.107.188.155 - - [27/Nov/2003:08:00:02 +0100] "\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\xfd\
error_log: [Thu Nov 27 08:00:02 2003] [error] [client 217.107.188.155] Invalid method in request \x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\xfd\x
I hope this exploit will be found 'cause we updated Apache and put in a kernel without LKM support, but could not find the exploit!!!
Maybe the same exploit was used against the Red Hat... which means it might not be Debian-specific!
One sure thing: it is the same hacker, 'cause the defacing was the same.
Don't forget to browse the websites mentioned in the top list... interesting for all geeks out there.
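As an added example (not the poster's own code or any tool named in the post), here is a small Python scanner that flags Apache access_log entries like the one quoted above (hex-escaped bytes in the request line, an unknown method, a 501 status) and correlates them per client IP with "Invalid method in request" entries in error_log. The sample log lines are constructed from the excerpts in the post; the IP, field layout and escaping follow what Apache 1.3 actually writes.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the access_log/error_log excerpts in the post.
# Apache 1.3 writes non-printable request bytes as \xNN escapes, so raw shellcode shows up this way.
ACCESS_LOG = r"""
217.107.188.155 - - [27/Nov/2003:08:00:02 +0100] "\x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\xfd" 501 - "-" "-"
10.0.0.5 - - [27/Nov/2003:08:00:10 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
10.0.0.7 - - [27/Nov/2003:08:01:00 +0100] "POST /cgi-bin/form HTTP/1.1" 200 512 "-" "Mozilla/4.0"
217.107.188.155 - - [27/Nov/2003:08:00:03 +0100] "\xfd\xfe\x84f\x93OZ" 501 - "-" "-"
"""
ERROR_LOG = r"""
[Thu Nov 27 08:00:02 2003] [error] [client 217.107.188.155] Invalid method in request \x93OZ\xe0\xe6\xe6\xef\xaeDRRq\x8dg\x82\xe1\xfd
[Thu Nov 27 08:05:00 2003] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}|-) ')
ERROR_RE = re.compile(r'\[client (?P<ip>[^\]]+)\] Invalid method in request')
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')  # literal backslash-x-NN as logged by Apache
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def request_reasons(req: str, status: str) -> list:
    """Return the reasons an access_log request line looks like a raw exploit attempt."""
    reasons = []
    if HEX_ESCAPE.search(req):
        reasons.append("non-printable bytes in request line")
    method = req.split(" ", 1)[0] if req else ""
    if method not in KNOWN_METHODS:
        reasons.append("unknown method %r" % method[:16])
    if status == "501":
        reasons.append("501 Not Implemented")
    return reasons

def scan_access_log(text: str) -> list:
    """Return (ip, reasons) for every access_log entry that trips at least one check."""
    hits = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        reasons = request_reasons(m.group("req"), m.group("status"))
        if reasons:
            hits.append((m.group("ip"), reasons))
    return hits

def invalid_method_sources(text: str) -> Counter:
    """Count 'Invalid method in request' errors per client IP in error_log."""
    return Counter(m.group("ip") for m in ERROR_RE.finditer(text))

def correlate(access_text: str, error_text: str) -> Counter:
    """Per-IP total of suspicious events across both logs (most_common() ranks the sources)."""
    totals = Counter(ip for ip, _ in scan_access_log(access_text))
    return totals + invalid_method_sources(error_text)
```

Running `correlate(ACCESS_LOG, ERROR_LOG).most_common()` on the sample puts 217.107.188.155 at the top with three events, while the ordinary GET/POST clients score nothing.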