hacked?

Harold Hallikainen harold at hallikainen.com
Sat Apr 7 17:19:46 UTC 2007


It looks like my system has been hacked! It looks like someone in Russia
uploaded a php script, then wandered around my system, then deleted the
script. I'm running phpwiki, which allows for uploads. Apparently, it
allows for php scripts to be uploaded. I kinda thought php didn't allow
access outside the public_html directory, but it looks like they've
wandered through the system. Here are a few lines from the log...

89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
/BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602

89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
/BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099

89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
/BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604

89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
/BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604

89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209

89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119

89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119

89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199

89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
/BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400

89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200

89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
HTTP/1.1" 200 2867

91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
HTTP/1.1"

91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975

91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
/BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767


Looking through the logs, it appears that only stuff in the public_html
directory was accessed. I'm still looking, though.

I'm guessing I should really do a fresh install of the OS and everything.
I'll look at security fixes for phpwiki, or maybe get rid of it.

Any other ideas on securing the system?

THANKS!

Harold


-- 
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
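The request sequence in the post is the footprint of a PHP web shell dropped through the wiki's upload form: a script named to slip past the extension check, then act=ls, act=chmod and act=selfremove calls against it. As an added example (not from the post or from phpwiki), the Python below re-joins the wrapped log lines and flags requests that execute a script out of the upload directory or carry those shell verbs; the upload path and the handler extension pattern are assumptions about this server's Apache setup.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: request lines from the post, re-joined onto single lines
# (the last one was truncated in the post; the parser tolerates that).
SAMPLE_LOG = """\
89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867
91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: HTTP/[\d.]+")?(?: (?P<status>\d{3}) \S+)?'
)
# Any ".php"-like component anywhere in the file name: "100.php3" and "100.php.3"
# both reach the PHP handler on an AddHandler-style Apache setup (assumed here).
EXEC_EXT_RE = re.compile(r'\.ph(p\d?|tml)(\.|$)', re.I)
UPLOAD_DIR = "/uploads/"                        # assumed: phpwiki's upload path
SHELL_ACTIONS = {"ls", "chmod", "selfremove"}   # the act= verbs seen in the post

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = unquote(parts.path)
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry

def classify(entry):
    """Return the reasons a request looks like web-shell use (empty if benign)."""
    reasons = []
    path = entry["path"]
    if UPLOAD_DIR in path and EXEC_EXT_RE.search(path.rsplit("/", 1)[-1]):
        reasons.append("exec-ext-in-uploads")    # a script served from the upload dir
    act = entry["query"].get("act")
    if act in SHELL_ACTIONS:
        reasons.append("shell-action:" + act)    # file-manager verb of the shell
    return reasons

def scan(log_text):
    hits = []                                     # (ip, timestamp, path, reasons)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and (why := classify(e)):
            hits.append((e["ip"], e["ts"], e["path"], why))
    return hits
```

Note that the upload POSTs themselves look normal; it is the later GETs of a script under the upload directory that give the shell away, so the durable fix is to keep Apache from handing anything in that directory to the PHP interpreter and to whitelist the extensions the wiki accepts.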




More information about the Redhat-install-list mailing list