Comments are available to members only. Sign up or Log in to view these comments.
Main Topics
Browse All TopicsDear Experts,
My linux server is hacked by a hacker.
He replaced all my client's index pages, including sub-folders.
(It seems he can use my server to scan other's ports too, and it generated abnormal traffic, and make
my rack down.)
I am using RedHat 9.0 /Fedora Core2, apache 1.3.33, php-4.3.9
I haven't added any firewall rules, and my installation is default installation.
Do any one know how he hacked me?
it seems he hacked me using www user, i checked the error_log:
--------------------------
--06:32:34-- http://uhuuhuhu.100free.co
=> `sess_ffafce69943afd6b8d88
Resolving uhuuhuhu.100free.com... 64.156.241.133
Connecting to uhuuhuhu.100free.com[64.15
HTTP request sent, awaiting response... 200 OK
Length: 19,261 [application/zip]
0K .......... ........ 100% 33.41 KB/s
06:32:37 (33.41 KB/s) - `sess_ffafce69943afd6b8d88
[Tue Dec 14 08:57:37 2004] [notice] SIGHUP received. Attempting to restart
PHP Warning: Unknown(): Unable to load dynamic library './php_gd.dll' - ./php_gd.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Dec 14 08:57:38 2004] [notice] Apache/1.3.33 (Unix) PHP/4.3.9 configured -- resuming normal operations
[Tue Dec 14 08:57:38 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suex
[Tue Dec 14 08:57:38 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Dec 14 08:59:46 2004] [notice] caught SIGTERM, shutting down
chetcpasswd.cgi: Operation not permitted
chetcpasswd.cgi: Operation not permitted
--19:30:56-- http://massxpl.gratishost.
=> `r0nin'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]
0K .......... ........ 100% 25.88 KB/s
19:30:58 (25.88 KB/s) - `r0nin' saved [19242/19242]
--19:30:58-- http://massxpl.gratishost.
=> `r0nin.1'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]
0K .......... ........ 100% 40.32 KB/s
19:30:59 (40.32 KB/s) - `r0nin.1' saved [19242/19242]
bind: Address already in use
--------------------------
Do you know how can I prevent him from hacking again?
Thank you.
Stanley
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Business Accounts
Answer for Membership
by: wesly_chenPosted on 2004-12-15 at 10:36:22ID: 12833097
Comments are available to members only. Sign up or Log in to view these comments.