apache web server compromised and backdoor
From: Giovanni (gcasanoNOSPAM_at_freemail.it)
Date: 12/19/03
Date: Fri, 19 Dec 2003 10:14:31 GMT
hi all,
one of my web servers was compromised by hacker intrusion.
today, while upgrading the apache from 1.3.27 to 1.3.29, a strange thing
happened:
- I stopped the old apache server;
- I tried to start the new apache but I have got the following:
"unable to bind (...) port already in use"
so after I realized port 80 was really in use, I tried "ps -ef" and discovered
a process called "./f".
I tried to telnet to my server's port 80 and I've got a prompt waiting for
something, such as a password.
I have killed that process and, finally, I was able to start the apache.
My question is: how do i find the file on the hd which spawned that
backdoor?
I am trying "find -ctime 2 (...)" but I am not confident it will work.
do you know which exploit/backdoor/whatever was used to break into my
server?
thanks in advance,
-- giovanni casano
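
Added example, not part of the original post: one way to identify the file behind a process holding port 80 before that process is killed, by mapping the listening socket to its owner through /proc. It assumes Linux procfs (the post does not name the OS); the function names and the optional proc-root argument are hypothetical.

```shell
#!/bin/sh
# Map a listening TCP port to the owning process, its binary and its
# working directory. Assumes Linux procfs. The optional PROC_ROOT argument
# (hypothetical) lets the functions run against a saved copy of /proc.

# listener_inodes PORT [PROC_ROOT] -> socket inodes in LISTEN state on PORT
listener_inodes() {
    port_hex=$(printf '%04X' "$1")
    root=${2:-/proc}
    for tbl in "$root/net/tcp" "$root/net/tcp6"; do
        [ -r "$tbl" ] || continue
        # field 2 = local addr:port (hex), field 4 = state (0A = LISTEN),
        # field 10 = socket inode
        awk -v p="$port_hex" 'NR > 1 && $4 == "0A" {
            n = split($2, a, ":"); if (a[n] == p) print $10 }' "$tbl"
    done | sort -u
}

# port_owner PORT [PROC_ROOT] -> lines "pid=<pid> exe=<path> cwd=<path>"
port_owner() {
    root=${2:-/proc}
    for inode in $(listener_inodes "$1" "$root"); do
        # A process owns the socket if one of its fds links to socket:[inode]
        for fd in "$root"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pdir=${fd%/fd/*}
            printf 'pid=%s exe=%s cwd=%s\n' "${pdir##*/}" \
                "$(readlink "$pdir/exe" 2>/dev/null)" \
                "$(readlink "$pdir/cwd" 2>/dev/null)"
        done
    done | sort -u
}

# Run as root on the live system while the process is still running:
#   port_owner 80
```

A process started as "./f" shows only that relative name in "ps -ef"; the exe and cwd links give the full path, and exe ends in " (deleted)" if the binary was unlinked after it was started.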