Hello all,

Ok, I admit that hackers do love our web sites and the box they are hosted in ... no, it isn't so weakly secured as it may show, we just have trouble with hackers having some astonishing know-how :(

Now the case: this is an unmanaged SuSE 9.3 server ... with SUSE firewall enabled ... SSH moved to a different port than the expected one, webmin used also over HTTPS and at a non-standard port ...

Permitted connections are only the usual for a web server ... HTTP, HTTPS, FTP, SMTP, DNS, POP3 and the above 2 "secret" ports ... all other access is blocked.

All patches were applied BEFORE any service had started ... now the haxor.

After a few hours of operation ... we found the box overloaded ... anyway a restart of apache2 was more than enough to put things in place, apart from the fact that there was no php ... only .php files sent as plain text ...

Okay, I have tried to reinstall php4, without any success; php4 is still broken. I have checked the conf files ... they do seem ok. I have tried various tricks but php still can't work ... while it seems loaded ....

Our server works mostly on cgi for its dynamic content, so apart from the lost phpmyadmin ... no problem with the php anyway ... but it needs to be fixed. I had the same kind of attack on the same sites a few months ago (running on RH9.0 that time), and I had solved the problem by compiling my own edition of apache2, mod_perl, php4 from scratch ... it seems that I am going to do the same again, but I'm wondering how such a thing is possible: starting apache2 (worker mode), no conf syntax errors, no missing files (checked via rpm --verify on apache2, apache2-mod_php4, php4) ... it doesn't make any sense ...

Anyway, that's all for now, and let me know if there's any tool to analyze the firewall logs generated by SuSE firewall (in any case something interesting would be in there).

Best Regards,
Nick
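Nick asks above for a tool to analyze the SuSE firewall logs. As an added example (my code, not from either poster or from SuSE), here is a small Python parser for the kernel log lines SuSEfirewall2 writes: a syslog prefix, the SFW2-<chain>-<action>-<rule> tag, then netfilter's key=value fields. The log lines are constructed with RFC 5737 documentation addresses, and the chain and rule tags (INext, DEFLT, TCP) are the common SFW2 ones, assumed here rather than taken from Nick's box. It tallies dropped connections per destination port and lists sources that probed several blocked ports, which is the kind of pattern worth reviewing after an incident like this.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (RFC 5737 addresses) in the layout SuSEfirewall2
# produces through the kernel log. Not taken from a real system. The last line
# is a non-firewall entry, included to show that it is ignored.
SAMPLE_LOG = """\
Sep  5 10:12:01 web kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12345 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  5 10:12:03 web kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12346 DF PROTO=TCP SPT=3422 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Sep  5 10:12:09 web kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  5 10:12:15 web kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  5 10:12:16 web kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=51002 DPT=10000 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  5 10:12:20 web kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=29 TOS=0x00 PREC=0x00 TTL=113 ID=777 PROTO=UDP SPT=1434 DPT=1434 LEN=9
Sep  5 10:12:21 web sshd[1234]: Accepted publickey for nick from 203.0.113.9 port 40000 ssh2
"""

# "SFW2-<chain>-<action>[-<rule>] <netfilter fields>"; action is ACC, DROP or REJ.
SFW2_RE = re.compile(
    r"kernel: SFW2-(?P<chain>\w+)-(?P<action>ACC|DROP|REJ)(?:-(?P<rule>\S+))? (?P<fields>.*)$"
)
# netfilter fields are KEY=value; bare flags such as DF or SYN carry no "=" and are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one syslog line; return a record dict for SFW2 entries, None for anything else."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "rule": m.group("rule"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize(log_text):
    """Count accepted and dropped packets, drops per (proto, port), and ports dropped per source."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    drops = [r for r in records if r["action"] == "DROP"]
    by_port = Counter((r["proto"], r["dpt"]) for r in drops)
    ports_per_src = defaultdict(set)
    for r in drops:
        ports_per_src[r["src"]].add(r["dpt"])
    return {
        "total": len(records),
        "accepted": sum(1 for r in records if r["action"] == "ACC"),
        "dropped": len(drops),
        "by_port": by_port,
        "ports_per_src": {src: sorted(p) for src, p in ports_per_src.items()},
    }


def probing_sources(summary, min_ports=3):
    """Sources whose packets were dropped on at least min_ports distinct destination ports."""
    return sorted(src for src, ports in summary["ports_per_src"].items() if len(ports) >= min_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("firewall records: %d (accepted %d, dropped %d)" % (s["total"], s["accepted"], s["dropped"]))
    for (proto, port), n in s["by_port"].most_common():
        print("  dropped %s/%s: %d" % (proto, port, n))
    print("sources hitting 3+ blocked ports:", probing_sources(s) or "none")
```

On a real box the same functions can be fed the contents of /var/log/messages (or wherever syslog puts kernel output), and the threshold in probing_sources tuned to the volume of background noise the host normally sees.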
Hi! Dos Wizard wrote:
> Hello all,
>
> Ok, I admit that hackers do love our web sites and the box they are hosted in ... no, it isn't so weakly secured as it may show, we just have trouble with hackers having some astonishing know-how :(
>
> Now the case: this is an unmanaged SuSE 9.3 server ... with SUSE firewall enabled ... SSH moved to a different port than the expected one, webmin used also over HTTPS and at a non-standard port ...
>
> Permitted connections are only the usual for a web server ... HTTP, HTTPS, FTP, SMTP, DNS, POP3 and the above 2 "secret" ports ... all other access is blocked.
>
> All patches were applied BEFORE any service had started ... now the haxor.
>
> After a few hours of operation ... we found the box overloaded ... anyway a restart of apache2 was more than enough to put things in place, apart from the fact that there was no php ... only .php files sent as plain text ...
>
> Okay, I have tried to reinstall php4, without any success; php4 is still broken. I have checked the conf files ... they do seem ok. I have tried various tricks but php still can't work ... while it seems loaded ....
>
> Our server works mostly on cgi for its dynamic content, so apart from the lost phpmyadmin ... no problem with the php anyway ... but it needs to be fixed. I had the same kind of attack on the same sites a few months ago (running on RH9.0 that time), and I had solved the problem by compiling my own edition of apache2, mod_perl, php4 from scratch ... it seems that I am going to do the same again, but I'm wondering how such a thing is possible: starting apache2 (worker mode), no conf syntax errors, no missing files (checked via rpm --verify on apache2, apache2-mod_php4, php4) ... it doesn't make any sense ...
>
> Anyway, that's all for now, and let me know if there's any tool to analyze the firewall logs generated by SuSE firewall (in any case something interesting would be in there).
>
> Best Regards,
> Nick
First, do run on a shell as root: rcapache2 configtest

Then look if something is missing. In some cases apache had missing php values in /etc/sysconfig/apache2. Look in the modules list if php is missing there.

Second thing with overload was that there was a weird problem overloading apache2 with download managers starting multiple instances with them (this occurred only with big files). There was a patch for that on SuSE, wasn't it?

Regards
Philippe

--
This message is digitally signed and contains neither seal nor signature! The unsolicited sending of advertising e-mail to private individuals violates §1 UWG and §823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the personal data transmitted, or passing it on to third parties, is expressly prohibited!
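Philippe's advice comes down to two checks: run rcapache2 configtest, then see whether php is listed among the modules in /etc/sysconfig/apache2. As an added example (my code, not Philippe's, Nick's or SuSE's), here is a Python check that parses a sysconfig-style KEY="value" file, reports whether php4 appears in APACHE_MODULES, and returns an amended copy with the missing module appended instead of writing anything to disk. The sample file is constructed; APACHE_MODULES is the SuSE key for the module list, and APACHE_MPM is assumed here to be the key selecting the MPM, reported because Nick runs the worker MPM and the PHP documentation advises against loading mod_php under threaded MPMs.

```python
import re
import shlex

# Constructed sample modelled on the KEY="value" layout of /etc/sysconfig/apache2
# on SuSE. The module list and MPM value are made up for this example; php4 is
# deliberately absent so the check has something to report.
SAMPLE_SYSCONFIG = """\
## Path:        Network/WWW/Apache2
## Description: Configuration for Apache 2
APACHE_CONF_INCLUDE_FILES=""
APACHE_MODULES="access actions alias auth autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir"
APACHE_SERVER_FLAGS="SSL"
APACHE_MPM="worker"
"""

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_sysconfig(text):
    """Parse shell-style KEY=value lines into a dict; comments and blank lines are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            # shlex removes the quoting the same way the shell does when sourcing the file
            values[m.group(1)] = " ".join(shlex.split(m.group(2)))
    return values


def module_report(text, required=("php4",)):
    """Which required modules are missing from APACHE_MODULES, plus the selected MPM."""
    cfg = parse_sysconfig(text)
    loaded = cfg.get("APACHE_MODULES", "").split()
    return {
        "loaded": loaded,
        "missing": [m for m in required if m not in loaded],
        "mpm": cfg.get("APACHE_MPM"),
    }


def add_modules(text, modules):
    """Return a copy of the sysconfig text with the given modules appended to APACHE_MODULES.
    Modules already present are not duplicated; nothing is written to disk."""
    current = parse_sysconfig(text).get("APACHE_MODULES", "").split()
    merged = current + [m for m in modules if m not in current]
    new_line = 'APACHE_MODULES="%s"' % " ".join(merged)
    out, replaced = [], False
    for raw in text.splitlines():
        if raw.strip().startswith("APACHE_MODULES="):
            out.append(new_line)
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = module_report(SAMPLE_SYSCONFIG)
    print("MPM:", report["mpm"])
    print("missing modules:", report["missing"] or "none")
    if report["missing"]:
        print("amended sysconfig would be:")
        print(add_modules(SAMPLE_SYSCONFIG, report["missing"]))
```

To use it on a real system, read /etc/sysconfig/apache2 into a string and pass it to module_report; if the module is listed but .php files still come back as plain text, the problem is downstream of the sysconfig file (the generated loadmodule configuration or the php handler mapping), which is where rcapache2 configtest and the module list in the error log come in.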
Participants (2): Dos Wizard, Philippe Vogel