hacked?
Harold Hallikainen
harold at hallikainen.com
Sat Apr 7 17:19:46 UTC 2007
It looks like my system has been hacked! It looks like someone in Russia
uploaded a php script, then wandered around my system, then deleted the
script. I'm running phpwiki, which allows for uploads. Apparently, it
allows for php scripts to be uploaded. I kinda thought php didn't allow
access outside the public_html directory, but it looks like they've
wandered through the system. Here are a few lines from the log...
89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867
91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic HTTP/1.1"
91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
Looking through the logs, it appears that only stuff in the public_html
directory was accessed. I'm still looking, though.
I'm guessing I should really do a fresh install of the OS and everything.
I'll look at security fixes for phpwiki, or maybe get rid of it.
Any other ideas on securing the system?
THANKS!
Harold
--
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
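Added example, not part of Harold's post or of phpwiki: a small Python triage script that applies the pattern visible in the log above (a script uploaded into the wiki's uploads directory and then driven through act= query parameters) to constructed sample lines modelled on it, so the same requests can be pulled out of a larger Apache access log. The client addresses and the line set are constructed; the check on every dot-separated suffix is there because Apache's mod_mime treats 100.php.3 as a .php file when AddHandler maps the .php extension.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client, identd, user, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
    r'(?: (?P<status>\d{3}|-)(?: (?P<size>\d+|-))?)?'
)

# Extensions Apache may hand to the PHP handler.  mod_mime evaluates every
# dot-separated suffix of the file name, so "100.php.3" still matches ".php".
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}
# "act" values typical of file-manager style webshells (ls/chmod/selfremove appear in the post).
SHELL_ACTIONS = {"ls", "chmod", "selfremove", "cmd", "eval", "upload"}

def executable_extension(path: str) -> bool:
    """True if any suffix after the first dot of the last path segment is a PHP extension."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(part in SCRIPT_EXTS for part in name.split(".")[1:])

def triage(line: str):
    """Return a finding for a script request under an uploads directory, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if "/uploads/" not in parts.path or not executable_extension(parts.path):
        return None
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes values such as d=%2Fhome
    return {
        "ip": m["ip"],
        "path": parts.path,
        "actions": [a for a in qs.get("act", []) if a in SHELL_ACTIONS],
        "dirs": qs.get("d", []),
        "status": m["status"],
    }

def scan(log_text: str):
    """All findings for a block of log text, in file order."""
    return [f for f in (triage(ln) for ln in log_text.splitlines()) if f]

# Constructed sample, modelled on the post; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
203.0.113.10 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
203.0.113.10 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867
198.51.100.7 - - [07/Apr/2007:01:36:35 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767 HTTP/1.1" 200 2975
203.0.113.10 - - [07/Apr/2007:01:40:00 -0700] "GET /BroadcastHistory/uploads/photo.jpg HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it over a real access_log with `scan(open("/var/log/httpd/access_log").read())`; the POSTs to the UpLoad action that placed the file are worth correlating by client address afterwards.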
More information about the Redhat-install-list mailing list