hacked?

Mon Apr 9 02:04:09 UTC 2007

Are you running SELinux?  I know that you can use that to harden the machine
to the point of not allowing someone to even ls and see any files, or not cd
to directories you don't want, etc.  If your version of RH is fairly recent,
you probably have that option already, if not you can likely install it
anyway.

Marc

On 4/7/07, Harold Hallikainen <harold at hallikainen.com> wrote:
>
> It looks like my system has been hacked! It looks like someone in Russia
> uploaded a php script, then wandered around my system, then deleted the
> script. Im running phpwiki, which allows for uploads. Apparently, it
> allows for php scripts to be uploaded. I kinda thought php didn't allow
> access outside the public_html director, but it looks like they've
> wandered through the system. Here are a few lines from the log...
>
> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>
> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>
> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>
> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>
> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
>
> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
>
> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
>
> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>
> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>
> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
>
> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
> HTTP/1.1" 200 2867
>
> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
>
> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
> HTTP/1.1"
>
> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>
> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>
>
> Looking through the logs, it appears that only stuff in the public_html
> directory was accessed. I'm still looking, though.
>
> I'm guessing I should really do a fresh install of the OS and everything.
> I'll look at security fixes for phpwiki, or maybe get rid of it.
>
> Any other ideas on securing the system?
>
> THANKS!
>
> Harold
>
>
> --
> FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
> opportunities available!
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/redhat-install-list/attachments/20070408/ce5d4dce/attachment.htm>