Apache on RH9 Crashed (Hacked?)

Greg Bonnette gbonnett at coe.neu.edu
Tue Aug 19 23:10:25 EDT 2003


Upon further inspection I found that my system had been hacked. I found
multiple directories:

/tmp/'usernameonmysystem'-orbit (multiple occurrences, one for each
username)
/tmp/ssh1kzaah
/tmp/ssh2...

I think I know what orbit is, and I never installed it, but running a
netstat showed multiple connections to files in these directories. Can
anyone ID this root kit so I can begin pinpointing my security hole?
Google has turned up something called MAC_Daddy, but documentation is
limited. Anyone had experience with this?

-Greg

-----Original Message-----
From: gnhlug-discuss-admin at mail.gnhlug.org
[mailto:gnhlug-discuss-admin at mail.gnhlug.org] On Behalf Of Gregory P.
Bonnette
Sent: Tuesday, August 19, 2003 12:37 PM
To: gnhlug-discuss at mail.gnhlug.org
Subject: Apache on RH9 Crashed (Hacked?)

OK, I finally got access to my machine to assess the damage. I am running
RH9, Kernel 2.4.20-19.9 and Apache 2.0.40-21.3.

Here is the error message I received when trying to restart httpd:


Stopping httpd:                                            [  OK  ]
Starting httpd: [Tue Aug 19 17:27:50 2003] [error] VirtualHost _default_:443 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results
                                                           [  OK  ]


I'm not too great at interpreting this stuff, but I made no changes to my
system to cause this error. I had been running stable for roughly 2 weeks
with no problems, and then Apache started delivering 400s instead of
serving up pages. Now I find this... Any ideas?