David Kaplowitz on 17 Jan 2005 05:45:45 -0000



[PLUG] Websites Defaced, any advice?


Well I noticed tonight that one of my web sites got defaced. I was
rather chagrined as this is the first time I've been hacked after
running public services for over 2 years. 

Upon closer inspection I noticed that the index.html of every virtual host in my
httpd.conf (about 8-9 sites) had been replaced by a lame index page by some
Albanian political script kiddies. Although I've yet to find the smoking
gun in my log files, I'm 99% positive they exploited weaknesses in my
configuration (or lack thereof) of PHP/MySQL (and a few popular CMSes,
TikiWiki and Wordpress). I'd noticed some problems a couple of weeks ago
with my MySQL when I received a spam attack on my Wordpress blog: when I
tried logging into the DB, I wasn't able to authenticate and assumed
there was a configuration issue. Unfortunately I kept procrastinating
on looking further into it, which may have been my demise. So much for
slacking on fixing problems.

I'm running Apache 1.3.29 on OpenBSD 3.6-STABLE, (note 1.3.29 is
OpenBSD's security patched Apache, they actually don't recommend using
1.3.33 from apache.org for both licensing and security reasons), PHP
4.3.8 and MySQL 4.0.20...all in a chroot'ed environment.

I've run chkrootkit on the box and nothing comes up, and none of the
authlog/secure logs look odd. The modded index.htmls are dated with
yesterday's date. My apache logs weren't revealing much that was readily
apparent, but I did notice a lot of odd stuff related to what appeared
to be scripts trying undeclared variables against the server. I've yet
to look into it deeper. I've disabled all public services on the box and am
presently tarring up all the partitions and going to reinstall; this
time I'm not going to even install PHP or MySQL until I can get to the
bottom of the exploit. I'd feel confident running a base Apache on
OpenBSD again.

Anyway, can any of you recommend any further actions to take on this
first invasion? I'm sure I missed some things. But I'm pretty convinced
that it's very unwise to be lazy when you're running the PHP/MySQL combo
on a public server, esp. with some of these CMSes that are popular.

Thanks in advance for any input. And sorry it's not 
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug