Hi, folks. I am fairly sure I have been cracked. And yet, quite fortunately,
the damage appears to be minimal. I run Apache 1.3.x on a Red Hat server.
Some observations follow.
I assume the file was only injected to a subdirectory under ~/public_html. It
is a PHP index, which supersedes the HTML index in Apache (default
configurations). How it got there I haven't a clue. Don't know how long for
and whether a file exists elsewhere in the site as well. How can this be
avoided? Could it be associated with some locally-installed software? Other
people with the same host or on the same server? Do the details that follow
remind anyone of a common vulnerability?
A quick check reveals the following:
-rw-r--r-- 1 schestow schestow 450 Jun 6 2005 index.htm
-rw-r--r-- 1 nobody nobody 1.5K Aug 5 20:58 index.php
-rw-r--r-- 1 schestow schestow 32K Oct 1 20:13 resindex.htm
The injected file is the second one.
File contains:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>HaCKeD By_cl24zY</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
background-color: #000000;
}
body,td,th {
font-family: Courier New, Courier, mono;
color: #FF0000;
font-weight: bold;
}
.style2 {color: #FFFFFF}
.style3 {font-size: 24px}
.style4 {font-size: 16px}
-->
</style>
</head>
<body>
[[Some Flash stuff omitted]]
<p class="style3">This Page Is Hacked.....!!!!</p>
<p class="style3">ILLEGAL-ATTACK//TiM</p>
<p class="style4">HaCKeD By_cl24zY </p>
<p class="style2"> <span class="style2">~|</span> cl24zY <span
class="style2">|~</span></p>
<p class="style2"> ~| _Ctx_ |~| RocK.HiP |~| El-Nino |~| lsr_cjl |~ ~|
Psikoariza |~</p>
<p class="style2">"admin@xxxxxxxxxxxx"</p>
</body>
</html>
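The listing above shows the injected index.php owned by the web-server account (nobody) rather than the site owner, which is the clue a defender can search for across the whole site. The following script is an added example, not part of the original post; it assumes a Red Hat-style Apache running as user "nobody" and takes the document root and account name as arguments, so both can be adjusted.

```shell
#!/bin/sh
# Added example: audit a web root for files the web-server account wrote and
# for directories it could write into. Not from the original post; the web
# user "nobody" and the example path below are assumptions.

# List regular files under $1 owned by user $2, with ls -l detail.
# Files the web server itself created (like index.php above) show up here.
find_server_owned_files() {
    root="$1"; user="$2"
    find "$root" -type f -user "$user" -exec ls -l {} \; 2>/dev/null
}

# List directories under $1 that are world-writable: the usual place an
# unprivileged web-server process can drop a new file.
find_world_writable_dirs() {
    root="$1"
    find "$root" -type d -perm -o+w 2>/dev/null
}

# Count of server-owned files only, for use in scripted checks.
count_server_owned_files() {
    find "$1" -type f -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Run both checks and print the results.
# Example (assumed path): audit_docroot /home/schestow/public_html nobody
audit_docroot() {
    echo "== regular files owned by $2 under $1 =="
    find_server_owned_files "$1" "$2"
    echo "== world-writable directories under $1 =="
    find_world_writable_dirs "$1"
}
```

Any directory the second check reports is one the web-server account can write to; fixing those permissions (and checking the DirectoryIndex order in httpd.conf) removes the route by which a dropped index.php takes precedence over index.htm.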