PowWeb Forums - The Perfect Community for the Perfect Host  

Old 7-7-02, 03:27 PM   #1
OPsims
Guest
 
Posts: n/a
Apache version- site got hacked

Which version of apache and FreeBSD are you running on your servers? If you go to www.openplanesims.com, you'll see why I ask this question.

From netcraft:

"A worm exploiting the flaw in Apache running on FreeBSD operating systems is already crawling the Internet, but its spread so far appears to be limited. However, more effective variants of the worm that also attack Apache on other operating systems could soon appear, experts have warned.

The "increased focus on chunked encoding vulnerabilities in general" and the discovery of "hostile code attempting to exploit similar vulnerabilities on other platforms" are the reasons for Microsoft to upgrade its severity rating, the company said in its bulletin. Microsoft urges customers to disable HTR scripting or apply a software patch.

Apache administrators are acting swiftly. Well over 6 million sites are already upgraded to Apache 1.3.26, a fixed version of the software released on June 20. Still, about 14 million potentially vulnerable Apache sites remain, according to Netcraft."

Last edited by OPsims; 7-7-02 at 03:30 PM..
 
Old 7-7-02, 04:50 PM   #2
alphadesk
 
 
Join Date: Dec 2001
Location: Gulfcoast, TX
Posts: 6,911
Reputation: 102
Apache/1.3.26,,,no worms here.
__________________
Thanks,
AlphaDesk

Those who can read and don't are no better off than those who can't. - Sam Clemens
Old 7-7-02, 05:11 PM   #3
RadioRob
Guest
 
Posts: n/a
My site is up and running great. No worms, or any other problems.
 
Old 7-7-02, 07:10 PM   #4
Mirzabah
mod_rewrite
 
 
Join Date: Apr 2002
Location: Melbourne, Australia
Posts: 2,038
Reputation: 166
Re: Apache version- site got hacked

Quote:
Originally posted by OPsims
Apache administrators are acting swiftly. Well over 6 million sites are already upgraded to Apache 1.3.26, a fixed version of the software released on June 20. Still, about 14 million potentially vulnerable Apache sites remain, according to Netcraft."
PowWeb upgraded as soon as the news broke.
Old 7-7-02, 09:05 PM   #5
firebolt
 
Join Date: Nov 2001
Posts: 43
Reputation: 5
We'll see. I don't believe it's true as my site has been hacked 2x in 3 days (w/a new domain password).

I posted earlier to report its infection of my site: firebolt.com on jupiter.powweb.com
Old 7-7-02, 09:13 PM   #6
firebolt
 
Join Date: Nov 2001
Posts: 43
Reputation: 5
Also, the site text is:

Cyb3r Attack ownz your FreeBSD! lol Chucrilhos :: bbtim :: BiG_R1d3r :: fr34k4z01d :: chucrilhos@hacker.am

and the 2nd time:

Cyb3r Attack OwNz aGaiN!!


More info found here on attacks against us:
http://defaced.alldas.org/?did=33612&xid=4

Powweb, what are you doing about this?
Old 7-7-02, 09:23 PM   #7
alphadesk
 
 
Join Date: Dec 2001
Location: Gulfcoast, TX
Posts: 6,911
Reputation: 102
If you want to see what version of Apache PowWeb is running.
http://ops.powweb.com/powweb-bin/perldiver.cgi

I don't think this would show this if it were not true, but you do need to get with support and see if they can help you with this.
__________________
Thanks,
AlphaDesk

Those who can read and don't are no better off than those who can't. - Sam Clemens
Old 7-8-02, 12:44 PM   #8
Starr
Guest
 
Posts: n/a
No one has hacked our servers. If anything, you mistakenly set the permissions on some of your files erroneously and the llamas that posted the above simply overwrote your files.

Always make sure your html files are set CHMOD 644 and your directories set CHMOD 755. Only use different permissions if there is a specific need (like setting a guestlog to CHMOD 777 so users can write to it, etc.).
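
The 644/755 baseline from the post above can be checked mechanically rather than by eye. The following is an added example, not part of the original thread or any PowWeb tooling; the function names, the constructed sample tree and the allow-list argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report docroot entries that are writable by anyone other than
# the owner, i.e. looser than the 644 (files) / 755 (directories) baseline.
# Usage: audit_docroot DIR [PATH_DELIBERATELY_WORLD_WRITABLE ...]
audit_docroot() {
    root=$1; shift
    allow=$(printf '%s\n' "$@")   # hypothetical allow-list, e.g. a guestlog
    # o+w: any local account on a shared host can overwrite the entry.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
    while IFS= read -r p; do
        if printf '%s\n' "$allow" | grep -Fxq -- "$p"; then
            echo "ALLOWED-WRITABLE $p"
        else
            echo "WORLD-WRITABLE $p"
        fi
    done
    # g+w without o+w: still looser than the baseline, writable by the group.
    find "$root" \( -type f -o -type d \) -perm -0020 ! -perm -0002 -print |
        sed 's/^/GROUP-WRITABLE /'
}

# Constructed sample tree (not taken from any real site) to exercise the audit.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/htdocs/forum" "$d/htdocs/uploads"
    for f in index.html news.html guestlog.txt forum/admin.php; do
        : > "$d/htdocs/$f"
    done
    chmod 755 "$d/htdocs"                 # baseline directory
    chmod 644 "$d/htdocs/index.html"      # baseline file
    chmod 600 "$d/htdocs/forum/admin.php" # stricter than baseline, not flagged
    chmod 664 "$d/htdocs/news.html"       # group-writable file
    chmod 775 "$d/htdocs/forum"           # group-writable directory
    chmod 777 "$d/htdocs/uploads"         # world-writable, not on allow-list
    chmod 777 "$d/htdocs/guestlog.txt"    # world-writable, on allow-list
    echo "$d/htdocs"
}

sample=$(make_sample_docroot)
audit_docroot "$sample" "$sample/guestlog.txt"
rm -rf "${sample%/htdocs}"
```

Only POSIX `find -perm` tests are used, so the same function runs on FreeBSD and Linux without depending on a particular `stat` syntax.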
 
Old 7-10-02, 08:31 AM   #9
OPsims
Guest
 
Posts: n/a
Quote:
Originally posted by Starr
No one has hacked our servers. If anything, you mistakenly set the permissions on some of your files erroneously and the llamas that posted the above simply overwrote your files.

Always make sure your html files are set CHMOD 644 and your directories set CHMOD 755. Only use different permissions if there is a specific need (like setting a guestlog to CHMOD 777 so users can write to it, etc.).
I checked, all of the html files ARE set chmod 644, and the directories (specifically the htdocs directory) are set to 755.

Just like firebolt I changed my password and the site was hacked again.

Instead of fluffing this off, you guys need to look into this before you start losing customers. Funny how my site on myqth.com isn't getting hacked, yet you keep blaming this problem on the end users.

I, for one, don't appreciate this kind of response where tech support automatically assumes the fault lies with everyone else.
 
Old 7-10-02, 10:10 AM   #10
svc
Guest
 
Posts: n/a
My 2 cents

My experience with cheap hackers is that they penetrate into sites which use PHP forums.
Beware of your admin default user and password and the file manager bundled in that tool.
Close your site back door by changing the admin.php permission to 600 when not in use or even remove it.
Your issue is not connected at all with any Apache flaws: if a hacker could invade an Apache server, all the sites hosted there will be destroyed, not only one or two.

Sergio

________________
http://svcglobal.com
http://svc.cc

Last edited by svc; 7-10-02 at 10:14 AM..
 
Old 7-10-02, 04:39 PM   #11
Starr
Guest
 
Posts: n/a
Like I said, it's not a problem w/ our servers. In 100% of all cases where a customer has claimed his or her site was hacked, it was due to something the customer had done (or as in this case, used).

Sorry if I sounded like I was "fluffing" this off. I was only speaking the truth.
 
Old 7-10-02, 06:35 PM   #12
Sgeine
Guest
 
Posts: n/a

Not only that, but the hole in apache you were referring to can't even do what was described. All it did was kill httpd processes, not give people write access to your htdocs. If that's what happened to you, either your account was compromised or something else user related has occurred.

apache 1.3.26 (as of 3 hours after the hole was reported on cert a few weeks ago)
FreeBSD 4.6-STABLE
 
Old 7-10-02, 06:48 PM   #13
svc
Guest
 
Posts: n/a
IMMO, both PowWeb admins are absolutely correct.
Both hacked sites related here at this thread run PHP forums and the back door is there. Check it out.

Sergio


________________
http://svcglobal.com
http://svc.cc
 
Old 7-10-02, 07:32 PM   #14
firebolt
 
Join Date: Nov 2001
Posts: 43
Reputation: 5
You all are absolutely correct. The common theme here is that there was a vulnerability in phpBB RC-3 which we both are (aka were!) using that allowed a script kiddie to do fun stuff like overwriting our homepage.

It's described here:
http://www.phpbb.com/phpBB/viewtopic...=vulnerability

Anyone reporting such an attack should upgrade immediately to the final version of phpBB 2.0.1.

Powweb, it was not your fault, so I want to say thanks anyway for providing this forum so I could get some leads on what to investigate that led to me resolving this problem personally.
All times are GMT -4.