Re: Apache Security Problem - need help

["ml3 () portsonline net" <ml3 () portsonline net>]

Fabio Saber wrote:

> Ich gehe davon aus, dass irgendwie Session Daten manipuliert worden sind 
> und dadurch Dateien downgeloadet wurden.
>
> Ein Auszug aus der Apache error.log zeigt folgendes:

Schalt deinen Server ab. Sofort.

> I've some troubles with Apache (1.3.33) on a Debian system. I suppose 
> that someone manipulated active sessions (PHP) and got access to my system.
> A short extract from my apache error.log

Disconnect your machine from the internet. Immediately.

> -------------------
> error: 'kern.ostype' is an unknown key
> error: 'kern.osrelease' is an unknown key
> sh: line 1: cd: .sess_f345236263adsdadas2737237723: No such file or 
> directory
> --19:32:36--  http://mrx88.altervista.org/iroffer.tar

iroffer is a software program that acts as a fileserver for IRC.  It
is similar to a FTP server or WEB server, but users can download
files using the DCC protocol of IRC instead of a web browser.

> I can't understand why these lines are in the error.log?
> Also some other files have been loaded: 
> http://mrx88.altervista.org/xhide.c   and 

Process Faker

> http://ninobuccheri86.altervista.org/zxcv.

Iroffer Configuration file

> The downloaded program has also been compiled and started.

Congratulations *cough*. You're the 'owner' of a nice warez-server now.

ports

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/