
Re: [suse-security] Apache Hole?



Hi,

>  if you check the files below, they are owned by the apache user.
> 
> My apache is linux:/tmp # rpm -q apache -> apache-1.3.27-82
> 
> Anyone know of existing security leaks for this?

apache can be patched and without security holes, but what about
other apache modules or scripts?! check these also!

the entries in your directory list like "..." and "...." are not
normal, check what is in these directories! (i think your machine
was hacked and you should disconnect it from the network, back up all
logs, grep for open connections and processes for research purposes
and make a clean install of the system!)

check running processes and open network connections, check for
rootkits (also the services that are in LISTEN mode)

> Below-> listing of temp files, anyone seen this before?
> 
> drwxrwxrwt   25 root     root         1640 Jan 31 12:45 .
> drwxr-xr-x   22 root     root          512 Dec  5 14:52 ..
> drwxr-xr-x    8 wwwrun   nogroup       640 Jan 21 10:49 ...
> drwxr-xr-x    2 wwwrun   nogroup        48 Jan 28 15:17 ....
> -rwxr-xr-x    1 wwwrun   nogroup       838 Dec 15 12:49 .rHgmHsb
> -rw-r--r--    1 wwwrun   nogroup    424644 Oct 15 04:46 ary.tgz.tgz
> -rwxr-xr-x    1 wwwrun   nogroup     19580 Jan 28 15:17 bindtty
> -rwxr-xr-x    1 wwwrun   nogroup     15003 Aug  5 20:17 cbd
> -rwxr-xr-x    1 wwwrun   nogroup     17897 Jan 31 08:26 cgi
> -rwxrwxrwx    1 wwwrun   nogroup     15029 Jan 31 08:42 cgi.1
> -rw-r--r--    1 wwwrun   nogroup     11805 Jan 31 08:42 dc
> -rw-------    1 wwwrun   nogroup      8952 Jan 30 10:22
> -rwxrwxrwx    1 wwwrun   nogroup    170613 Dec  5 06:45 telnetd
> -rwxrwxrwx    1 wwwrun   nogroup     16798 Jan 28 07:51 webphp

best regards,
allen
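
The file checks suggested in the reply above, as an added example that is not part of the original message: a read-only shell function that flags dot-only names such as "..." and "...." and executables owned by the web server account in a directory like /tmp. The function name `scan_tmp`, the `wwwrun` default and the output tags are assumptions made for this sketch.

```shell
#!/bin/sh
# Triage a world-writable directory for the two patterns visible in the
# quoted listing. Assumptions (not from the original post): the function
# name, the "wwwrun" default owner and the DOTS/EXEC output tags.
# Read-only: nothing is modified or deleted, so evidence stays intact.
# Usage: scan_tmp /tmp wwwrun

scan_tmp() {
    dir=${1:-/tmp}
    owner=${2:-wwwrun}

    # 1. Entries whose names consist only of dots ("...", "....").
    #    -mindepth 1 excludes the directory itself; find never lists
    #    the real "." and ".." as children.
    find "$dir" -mindepth 1 -maxdepth 1 -name '.*' 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        case $name in
            *[!.]*) ;;                          # has a non-dot character
            *) printf 'DOTS\t%s\n' "$path" ;;   # dots only: report it
        esac
    done

    # 2. Regular files owned by the web server account (name or numeric
    #    uid) with the owner execute bit set.
    find "$dir" -mindepth 1 -maxdepth 1 -type f -user "$owner" \
        -perm -100 2>/dev/null |
    while IFS= read -r path; do
        printf 'EXEC\t%s\n' "$path"
    done
}
```

On a machine that is already suspect, run it from trusted media or against a mounted disk image, since the installed `find` may have been replaced.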

