Re: hacked?
- From: "Marc " <linuxr gmail com>
- To: "Getting started with Red Hat Linux" <redhat-install-list redhat com>
- Subject: Re: hacked?
- Date: Sun, 8 Apr 2007 22:04:09 -0400
Are you running SELinux? I know that you can use that to harden the machine to the point of not allowing someone to even ls and see any files, or not cd to directories you don't want, etc. If your version of RH is fairly recent, you probably have that option already, if not you can likely install it anyway.
Marc
On 4/7/07, Harold Hallikainen <harold hallikainen com> wrote:
It looks like my system has been hacked! It looks like someone in Russia
uploaded a php script, then wandered around my system, then deleted the
script. I'm running phpwiki, which allows for uploads. Apparently, it
allows for php scripts to be uploaded. I kinda thought php didn't allow
access outside the public_html directory, but it looks like they've
wandered through the system. Here are a few lines from the log...
89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
/BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
/BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
/BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
/BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
/BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
HTTP/1.1" 200 2867
91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
HTTP/1.1"
91.122.3.139
- - [07/Apr/2007:01:36:27 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
Looking through the logs, it appears that only stuff in the public_html
directory was accessed. I'm still looking, though.
I'm guessing I should really do a fresh install of the OS and everything.
I'll look at security fixes for phpwiki, or maybe get rid of it.
Any other ideas on securing the system?
THANKS!
Harold
--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
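An added detection example for the situation described in the quoted message (not code from this list thread, from phpwiki, or from Red Hat): it scans access-log lines in the same common log format as the excerpt and flags three things a defender would want to see, a PHP-like file being requested from the wiki's upload directory, query actions of the kind a file-manager script answers to, and a POST to the upload handler followed shortly by a request for a script under uploads from the same address. The log text, the IP addresses (RFC 5737 documentation ranges), the upload directory and handler names, the action list and the time window are all constructed assumptions modelled on the excerpt.

```python
"""Flag web-shell style activity in Apache access logs.

Added example for the redhat-install-list thread; not code from the list,
phpwiki, or Red Hat. Assumes one request per line in the common log format
shown in the quoted excerpt.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log modelled on the excerpt in the thread.  Addresses
# are RFC 5737 documentation ranges, paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
203.0.113.5 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
203.0.113.5 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fwww%2F&sort=0a HTTP/1.1" 200 2867
198.51.100.9 - - [07/Apr/2007:01:28:20 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fwww%2Fpublic_html HTTP/1.1" 200 512
198.51.100.9 - - [07/Apr/2007:01:36:27 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
192.0.2.44 - - [07/Apr/2007:02:10:02 -0700] "GET /BroadcastHistory/uploads/photo.jpg HTTP/1.1" 200 48210
192.0.2.44 - - [07/Apr/2007:02:10:05 -0700] "GET /BroadcastHistory/index.php/HomePage HTTP/1.1" 200 9100
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Tunable assumptions: where the wiki writes uploads, what its upload handler
# path ends with, which query actions indicate a file-manager shell (the
# three seen in the thread), and how soon after an upload a first request
# for a script counts as "upload then execute".
UPLOAD_DIR = "/uploads/"
UPLOAD_HANDLER = "/upload"
SHELL_ACTIONS = {"ls", "chmod", "selfremove"}
UPLOAD_EXEC_WINDOW = timedelta(minutes=10)
# Matches php, php3, php.3, phtml and similar double-extension tricks that
# mod_mime may still hand to the PHP handler.
SCRIPT_NAME_RE = re.compile(r"\.ph(?:p|tml)", re.I)


def parse_line(line):
    """Return (ip, datetime, method, path, query, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m["target"])
    return m["ip"], ts, m["method"], parts.path, parts.query, int(m["status"])


def is_script_in_uploads(path):
    """True when a PHP-like file name sits anywhere under the upload directory."""
    lowered = path.lower()
    basename = lowered.rsplit("/", 1)[-1]
    return UPLOAD_DIR in lowered and SCRIPT_NAME_RE.search(basename) is not None


def scan(log_text):
    """Return a list of (rule, ip, iso_timestamp, path) findings for the log text."""
    findings = []
    last_upload = {}  # ip -> time of the most recent POST to the upload handler
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, query, status = rec
        if method == "POST" and path.lower().endswith(UPLOAD_HANDLER):
            last_upload[ip] = ts
            continue
        if not is_script_in_uploads(path):
            continue
        findings.append(("script_requested_in_uploads", ip, ts.isoformat(), path))
        act = parse_qs(query).get("act", [""])[0].lower()
        if act in SHELL_ACTIONS:
            findings.append(("shell_action:" + act, ip, ts.isoformat(), path))
        uploaded_at = last_upload.get(ip)
        if uploaded_at is not None and timedelta(0) <= ts - uploaded_at <= UPLOAD_EXEC_WINDOW:
            findings.append(("upload_then_execute", ip, ts.isoformat(), path))
            del last_upload[ip]  # report each upload/execute pair once
    return findings


if __name__ == "__main__":
    for rule, ip, when, path in scan(SAMPLE_LOG):
        print(f"{when} {ip:15} {rule:30} {path}")
```

On the constructed sample this reports four script requests under uploads, one upload-then-execute pair for the first address, and one shell action each for ls, chmod and selfremove, while the image download and the normal wiki page view are ignored. Running it over a real access log with `scan(open(path).read())` gives the same tuples; the action list and upload paths are the knobs to adjust for a different application.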
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list redhat com
https://www.redhat.com/mailman/listinfo/redhat-install-list