November 19, 2008 02:54am pst

1. shakoush... 43,187
2. Redimido 33,424
3. ravenpl 26,314
4. omarfarid 20,309
5. noci 20,234
6. Blaz 16,332
7. Nopius 14,750
8. ahoffmann 14,580
9. Mysidia 12,875
10. gheist 9,614
11. agriesser 8,850
12. DaveHowe 8,364
13. arrkerr1... 7,000
14. unSpawn 6,700
15. Tintin 6,315
16. MushyPea 5,460
17. chingmd 5,039
18. alextoft 5,000
19. WizRd-Li... 4,980
20. arnold 4,552
21. caterham... 4,500
22. edster9... 4,000
23. fridom 3,873
24. droyden 3,750
25. fosiul01 3,575

1. ahoffmann 188,276
2. ravenpl 109,652
3. jlevie 95,810
4. kblack05 65,801
5. Redimido 61,040
6. noci 47,238
7. shakoush... 45,687
8. Blaz 42,005
9. xDamox 32,605
10. omarfarid 32,479
11. Nopius 31,650
12. wesly_c... 31,085
13. decoleur 28,923
14. XoF 28,530
15. Tintin 25,155
16. slyong 21,932
17. pjedmond 21,733
18. Mysidia 20,470
19. chris_cal... 19,816
20. ppfoong 15,532
21. grblades 15,472
22. KeremE 12,500
23. rindi 11,948
24. mbarbos 11,763
25. dpiniella 11,462

12.15.2004 at 08:48AM PST, ID: 21243561

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.2

linux server hacked!!!

Asked by stanleyhuen in Linux Network Security

Tags: r0nin

Dear Experts,

My linux server is hacked by a hacker.
He replaced all my client's index pages, including sub-folders.
(It seems he can use my server to scan other's ports too, and it generated abnormal traffic, and make
my rack down.)

I am using RedHat 9.0 /Fedora Core2, apache 1.3.33, php-4.3.9
I haven't added any firewall rules, and my installation is default installation.

Do any one know how he hacked me?
it seems he hacked me using www user, i checked the error_log:

----------------------------------------------------------------------------------

--06:32:34-- http://uhuuhuhu.100free.com/sess_ffafce69943afd6b8d88aa4dbba790d3.zip
=> `sess_ffafce69943afd6b8d88aa4dbba790d3.zip'
Resolving uhuuhuhu.100free.com... 64.156.241.133
Connecting to uhuuhuhu.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,261 [application/zip]

0K .......... ........ 100% 33.41 KB/s

06:32:37 (33.41 KB/s) - `sess_ffafce69943afd6b8d88aa4dbba790d3.zip' saved [19261/19261]

[Tue Dec 14 08:57:37 2004] [notice] SIGHUP received. Attempting to restart
PHP Warning: Unknown(): Unable to load dynamic library './php_gd.dll' - ./php_gd.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Dec 14 08:57:38 2004] [notice] Apache/1.3.33 (Unix) PHP/4.3.9 configured -- resuming normal operations
[Tue Dec 14 08:57:38 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Tue Dec 14 08:57:38 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Dec 14 08:59:46 2004] [notice] caught SIGTERM, shutting down

chetcpasswd.cgi: Operation not permitted
chetcpasswd.cgi: Operation not permitted
--19:30:56-- http://massxpl.gratishost.com/r0nin
=> `r0nin'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]

0K .......... ........ 100% 25.88 KB/s

19:30:58 (25.88 KB/s) - `r0nin' saved [19242/19242]

--19:30:58-- http://massxpl.gratishost.com/r0nin
=> `r0nin.1'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]

0K .......... ........ 100% 40.32 KB/s

19:30:59 (40.32 KB/s) - `r0nin.1' saved [19242/19242]

bind: Address already in use

----------------------------------------------------------------------------------

Do you know how can I prevent him from hacking again?

Thank you.

Stanley
Start Free Trial

Keywords: linux server hacked!!!

	Title
1	Attempting to install apache 2.0 and …
2	Problem with PHP/Apache accesing d…
3	steps for installing and configuring a a…
4	Apache/PHP configuration on RedHat 9
5	how to restart apache on Linux server?
6	very odd mysql / php behavior for no…

Loading Advertisement...

20080716-EE-VQP-32

linux server hacked!!!

Asked by stanleyhuen in Linux Network Security

Tags: r0nin

About this solution