> --- Randall Shaw <fedora@xxxxxxxxxxxxxxx> wrote:
>>> On Sun, 2005-06-26 at 22:09 -0400, Mailing List Receiver wrote:
>>>> Ever since we found and stopped a phishing site that had been planted
>>>> on our server to run as the default site under Apache, we have been under
>>>> constant attack. Presumably, the perpetrators did not appreciate that
>>>> we made their millions of scam emails ineffective.
>>>>
>>>> So, today I just happen to get a feeling that I should check for rootkits.
>>>> Sure enough, someone had a listener at port 3049 and lsof showed the owner
>>>> as being Apache. More investigation shows the following in /tmp
>>>
>>> *snip*
>>>
>>> I'd be more inclined to guess that there actually is a hole in a web app
>>> you are running - you are a hosting service, correct?
>>>
>>> A lot of hacks are done through insecure hosting software - maybe cpanel
>>> or something like that.
>>
>> We had a spammer hack in through apache on a redhat box a month ago. He got
>> in through a client's installed/used phpBB board (of course). The spammer
>> installed shv5 and proceeded to send out millions of emails, of which our
>> courier server promptly rejected doing so, so no harm was REALLY done.
>>
>> Took a while to get rid of the files, as we had to backtrack through the
>> install process of shv5. We canned all our clients' use of phpBB and the
>> machine has been clean since.
>>
>> Just our experiences, maybe of some help to you.
>>
>> -Randall Shaw
>
> What means did you use to conclude that the exploit is in FC3 or Apache?
> You should go through your logs properly and come back with how the
> intruders actually got in.
>
> Judging by the rash nature you have used to conclude that it's Apache or
> FC3 at fault, I would not be surprised if you were running phpbb 2.06,
> vulnerable AWSTATS or gallery software.

Hey, it wasn't ME who was thinking FC3 or apache had the vulnerability.
I was merely noting that a while back, on ANOTHER machine (non-Fedora), we had a hack in via phpBB a client was running in their web dir. Someone else noted they had also had the same event, as a possible answer to the original message from the guy who thought FC3 might have an exploit.

FC3 and apache are pretty solid. They are only as vulnerable as the 'junk' that is run from within them (same goes for PHP, or any other opensource service that has user-contributed scripts or applications).

We have logs, we have all sorts of junk in regards to our own hacked event, but I won't paste it all here, as it serves no purpose, as it is unrelated to FC3 or Apache.

-Randall Shaw