[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Help with possible hacking of a VirtualHost

From: Bill Tangren <bjt aa usno navy mil>
To: redhat-list redhat com
Subject: Re: Help with possible hacking of a VirtualHost
Date: Tue Jul 1 13:34:46 2003

MKlinke wrote:

On Tuesday 01 July 2003 15:45, Bill Tangren wrote:

I have a perplexing problem. I received an email this morning from
some one who states that he was surfing my web site site1.com, when
he received a portscan attack from site2.com. However, site2.com is a
VirtualHost that is aliased to site1.com. This person told us because
he said we might have been hacked. I immediately changed the root
password.

Could someone tell me how this could have happened? If you do a
lookup on site2.com, and then do a reverse lookup on that IP number,
you see site1.com, not site2.com.

If I have been hacked, what should I look at? I don't see any obvious
evidence in the logs, but I'm not sure I would.

TIA,

Bill Tangren

Did this person send along any logs showing the scan packets or offer any kind of detail as to what he meant by "portscan?"

Regards, Mike Klinke

I requested logs from his firewall, but have not heard back. This is wierd as the machine in question is a server only, and I don't have telnet (server or client) on it. The few who have accounts have to use ssh (protocol 2 only) to get access. Also, all packages are up to date, and I am behind a firewall (which I don't maintain). Wierd.

Bill

Follow-Ups:
- Re: Help with possible hacking of a VirtualHost
  - From: MKlinke
- Re: Help with possible hacking of a VirtualHost
  - From: Joe Polk
- Re: Help with possible hacking of a VirtualHost
  - From: David Richards

References:
- Help with possible hacking of a VirtualHost
  - From: Bill Tangren
- Re: Help with possible hacking of a VirtualHost
  - From: MKlinke

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]