Hall of Fame

1. fosiul0132,475
2. Blaz32,066
3. KeremE27,463
4. noci20,606
5. omarfarid15,452
6. DaveHowe13,650
7. Tintin10,750
8. woolmilkp...10,725
9. uetian170710,415
10. oklit10,100
11. ahoffmann9,500
12. small_stu...9,394
13. giltjr8,500
14. fmarzocca8,000
15. it4soho6,775
16. rsivanandan6,500
16. rcflyr6,500
16. MiLLeNNiuM6,500
19. ai_ja_nai6,300
20. WizRd-Li...6,275
21. gheist5,825
22. jools5,800
23. _jesper_5,600
24. mwecom...5,575
25. Redimido5,500

1. ahoffmann200,276
2. ravenpl110,775
3. jlevie95,810
4. Blaz74,071
5. Redimido71,848
6. noci67,844
7. kblack0565,801
8. omarfarid48,131
9. fosiul0147,936
10. shakoush...47,887
11. KeremE39,963
12. Nopius36,400
13. Tintin35,905
14. xDamox32,605
15. wesly_c...31,085
16. decoleur29,587
17. XoF28,530
18. Mysidia25,470
19. DaveHowe25,014
20. slyong21,932
21. pjedmond21,733
22. giltjr19,930
23. chris_cal...19,816
24. uetian170717,515
25. rindi16,950

	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.2

linux server hacked!!!

Asked by stanleyhuen in Linux Network Security

Tags: r0nin

Dear Experts,

My linux server is hacked by a hacker.
He replaced all my client's index pages, including sub-folders.
(It seems he can use my server to scan other's ports too, and it generated abnormal traffic, and make
my rack down.)

I am using RedHat 9.0 /Fedora Core2, apache 1.3.33, php-4.3.9
I haven't added any firewall rules, and my installation is default installation.

Do any one know how he hacked me?
it seems he hacked me using www user, i checked the error_log:

----------------------------------------------------------------------------------

--06:32:34-- http://uhuuhuhu.100free.com/sess_ffafce69943afd6b8d88aa4dbba790d3.zip
=> `sess_ffafce69943afd6b8d88aa4dbba790d3.zip'
Resolving uhuuhuhu.100free.com... 64.156.241.133
Connecting to uhuuhuhu.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,261 [application/zip]

0K .......... ........ 100% 33.41 KB/s

06:32:37 (33.41 KB/s) - `sess_ffafce69943afd6b8d88aa4dbba790d3.zip' saved [19261/19261]

[Tue Dec 14 08:57:37 2004] [notice] SIGHUP received. Attempting to restart
PHP Warning: Unknown(): Unable to load dynamic library './php_gd.dll' - ./php_gd.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Dec 14 08:57:38 2004] [notice] Apache/1.3.33 (Unix) PHP/4.3.9 configured -- resuming normal operations
[Tue Dec 14 08:57:38 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Tue Dec 14 08:57:38 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Dec 14 08:59:46 2004] [notice] caught SIGTERM, shutting down

chetcpasswd.cgi: Operation not permitted
chetcpasswd.cgi: Operation not permitted
--19:30:56-- http://massxpl.gratishost.com/r0nin
=> `r0nin'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]

0K .......... ........ 100% 25.88 KB/s

19:30:58 (25.88 KB/s) - `r0nin' saved [19242/19242]

--19:30:58-- http://massxpl.gratishost.com/r0nin
=> `r0nin.1'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]

0K .......... ........ 100% 40.32 KB/s

19:30:59 (40.32 KB/s) - `r0nin.1' saved [19242/19242]

bind: Address already in use

----------------------------------------------------------------------------------

Do you know how can I prevent him from hacking again?

Thank you.

Stanley

Get your answer NOW

	Title
1	Critical Issue! PHP/MYSQL broken af…
2	A program to fix Exploit infected index …
3	major problem with ebay fraud!

linux server hacked!!!

Asked by stanleyhuen in Linux Network Security

Tags: r0nin

About this solution