Mailing List
Home
Forum Home
Linux - General Red Hat Linux discussion list
Installation - Getting started with Red Hat Linux
Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)
Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)
Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)
Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)
Apache Web Server
Oracle database, Microsoft SQL server ...
Subjects
application/x mplayer2 plugin
RPM error: db4 error(16) from dbenv >remove: Device or resource
   busy
Command stream end of file while reading
X Windows problem (xauth)
Upgrading openoffice 1 1 rpm
FTP: connection refused
FTP: connection refused
mount: /dev/cdrom: is not a valid block device
Dell Precision 650, RedHat 9, no sound
how to trace the cause resulting in the crash of bind server
Virus on the list
UNINSTALL RPM MYSQL
usb pen drives: mounting as a user
broadcom network interface
make mrproper
Couldn 't open PID file /var/run/named/named pid Permission denied
sendmail configuration on redhat
kernel 2 6 and /dev/sound/mixer not found
Promise 378 controller
Problem using up2date
mrtg step by step howto/configuration for a newbie?
Compiling and Installing Kernel 2 6
Can 't locate module ppp0, can 't locate module ppp compress 21
Lotus Notes under Wine
HOW I CAN MAKE BOOTABLE FLOPPY DISKET
/etc/security/limits conf question
Intel E/1000 driver
rpm database corrupt
Command stream end of file while reading
qla2300 modules
 
hacked?

hacked?

2007-04-08       - By Marc

 Back
Reply:     1     2     3     4     5     6     7     8     9     10     >>  

Are you running SELinux?  I know that you can use that to harden the machine
to the point of not allowing someone to even ls and see any files, or not cd
to directories you don't want, etc.  If your version of RH is fairly recent,
you probably have that option already, if not you can likely install it
anyway.

Marc



On 4/7/07, Harold Hallikainen <harold@(protected)> wrote:
>
> It looks like my system has been hacked! It looks like someone in Russia
> uploaded a php script, then wandered around my system, then deleted the
> script. Im running phpwiki, which allows for uploads. Apparently, it
> allows for php scripts to be uploaded. I kinda thought php didn't allow
> access outside the public_html director, but it looks like they've
> wandered through the system. Here are a few lines from the log...
>
> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>
> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>
> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>
> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>
> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
>
> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
>
> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
>
> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>
> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>
> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
>
> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
> HTTP/1.1" 200 2867
>
> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
>
> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold
%2Fpublic_html%2Fmusic
> HTTP/1.1"
>
> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>
> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>
>
> Looking through the logs, it appears that only stuff in the public_html
> directory was accessed. I'm still looking, though.
>
> I'm guessing I should really do a fresh install of the OS and everything.
> I'll look at security fixes for phpwiki, or maybe get rid of it.
>
> Any other ideas on securing the system?
>
> THANKS!
>
> Harold
>
>
> --
> FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
> opportunities available!
>
> __ ____ ____ ____ ____ ____ ____ ____ ____ ____
> Redhat-install-list mailing list
> Redhat-install-list@(protected)
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request@(protected)
> Subject: unsubscribe
>

Are you running SELinux?&nbsp; I know that you can use that to harden the
machine to the point of not allowing someone to even ls and see any files, or
not cd to directories you don&#39;t want, etc.&nbsp; If your version of RH is
fairly recent, you probably have that option already, if not you can likely
install it anyway.&nbsp;
<br><br>Marc<br><br><br><br><div><span class="gmail_quote">On 4/7/07, <b class=
"gmail_sendername">Harold Hallikainen</b> &lt;<a href="mailto:harold@(protected)
.com">harold@(protected)</a>&gt; wrote:</span><blockquote class="gmail_quote
" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex;
padding-left: 1ex;">
It looks like my system has been hacked! It looks like someone in Russia<br
>uploaded a php script, then wandered around my system, then deleted the<br
>script. Im running phpwiki, which allows for uploads. Apparently, it<br>
allows for php scripts to be uploaded. I kinda thought php didn&#39;t allow<br
>access outside the public_html director, but it looks like they&#39;ve<br
>wandered through the system. Here are a few lines from the log...<br>
<br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:19:39
-0700] &quot;POST<br>/BroadcastHistory/index.php/UpLoad HTTP/1.1&quot; 200 6602
<br><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:19:58
-0700] &quot;GET
<br>/BroadcastHistory/uploads/100.php3 HTTP/1.1&quot; 200 160099<br><br><a href
="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:23:24 -0700] &quot
;POST<br>/BroadcastHistory/index.php/UpLoad HTTP/1.1&quot; 200 6604
<br><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:23
:24 -0700] &quot;POST<br>/BroadcastHistory/index.php/UpLoad HTTP/1.1&quot; 200
6604<br><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01
:23:48 -0700] &quot;GET
<br>/BroadcastHistory/uploads/100.php.3?act=img&amp;img=home HTTP/1.1&quot; 200
209<br><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01
:23:49 -0700] &quot;GET<br>/BroadcastHistory/uploads/100.php.3?act=img&amp;img
=back HTTP/1.1&quot; 200 119
<br><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:23
:49 -0700] &quot;GET<br>/BroadcastHistory/uploads/100.php.3?act=img&amp;img
=forward HTTP/1.1&quot; 200 119<br><br><a href="http://89.110.7.202">
89.110.7.202</a> - - [07/Apr/2007:01:23:50 -0700] &quot;GET<br>
/BroadcastHistory/uploads/100.php.3?act=img&amp;img=up HTTP/1.1&quot; 200 199<br
><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:23:46
-0700] &quot;GET
<br>/BroadcastHistory/uploads/100.php.3 HTTP/1.1&quot; 200 18400<br><br><a href
="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:23:50 -0700] &quot
;GET<br>/BroadcastHistory/uploads/100.php.3?act=img&amp;img=refresh HTTP/1.1
&quot; 200 200
<br><br><a href="http://89.110.7.202">89.110.7.202</a> - - [07/Apr/2007:01:24
:40 -0700] &quot;GET<br>/BroadcastHistory/uploads/100.php.3?act=ls&amp;d=%2Fhome
%2Fharold%2F&amp;sort=0a<br>HTTP/1.1&quot; 200 2867<br><br><a href="http://91
.122.3.139">
91.122.3.139</a> - - [07/Apr/2007:01:28:20 -0700] &quot;GET<br>
/BroadcastHistory/uploads/100.php.3?act=chmod&amp;f=temp&amp;d=%2Fhome%2Fharold
%2Fpublic_html%2Fmusic<br>HTTP/1.1&quot;<br><br><a href="http://91.122.3.139">91
.122.3.139
</a> - - [07/Apr/2007:01:36:27 -0700] &quot;GET<br>/BroadcastHistory/uploads
/100.php.3?act=selfremove HTTP/1.1&quot; 200 2975<br><br><a href="http://91.122
.3.139">91.122.3.139</a> - - [07/Apr/2007:01:36:35 -0700] &quot;GET
<br>/BroadcastHistory/uploads/100.php.3?act=selfremove&amp;rndcode=767&amp
;submit=767<br><br><br>Looking through the logs, it appears that only stuff in
the public_html<br>directory was accessed. I&#39;m still looking, though.
<br><br>I&#39;m guessing I should really do a fresh install of the OS and
everything.<br>I&#39;ll look at security fixes for phpwiki, or maybe get rid of
it.<br><br>Any other ideas on securing the system?<br><br>THANKS!<br>
<br>Harold<br><br><br>--<br>FCC Rules Updated Daily at <a href="http://www
.hallikainen.com">http://www.hallikainen.com</a> - Advertising<br>opportunities
available!<br><br>__ ____ ____ ____ ____ ____ ____ ____ ____ ____<br>
Redhat-install-list mailing list<br><a href="mailto:Redhat-install-list@(protected)
.com">Redhat-install-list@(protected)</a><br><a href="https://www.redhat.com
/mailman/listinfo/redhat-install-list">https://www.redhat.com/mailman/listinfo
/redhat-install-list
</a><br>To Unsubscribe Go To ABOVE URL or send a message to:<br><a href="mailto
:redhat-install-list-request@(protected)">redhat-install-list-request@(protected)<
/a><br>Subject: unsubscribe<br></blockquote></div><br>

__ ____ ____ ____ ____ ____ ____ ____ ____ ____
Redhat-install-list mailing list
Redhat-install-list@(protected)
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@(protected)
Subject: unsubscribe