[cobalt-security] Hacker Goes On Defacement Spree In Australia
- Subject: [cobalt-security] Hacker Goes On Defacement Spree In Australia
- From: enrique <enriquevega@xxxxxxx>
- Date: Thu, 6 Sep 2001 23:00:48 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Just thought I would let you all know that I found the hacker/s that
defaced one of my virtual sites on a RaQ3. I still haven't figured out
all that could have been done, but I did find the hacker got through
using a cgi. I did a grep on the web.log file for "dwarf" and then found
that bbs_forum.cgi was being used to execute perl scripts. Here is a
partial line which contains a perl command:
bbs_forum.cgi?forum=open&read=|perl%20/tmp/shell2.p|
The following web.log line shows some info on the attacker:
62.236.118.98 - - [27/Jul/2001:20:33:09 -0400] "GET / HTTP/1.0" 200
16891 "http://defaced.alldas.de/defaced.php?attacker=dwarf&p=1"
"Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
I found that dwarf had somehow written into /tmp a subdirectory
named ". " and hid all sorts of files. Now, I still don't know what to
do to prevent this from happening in the future. Maybe someone else has
experienced this sort of hack and can give some advice?
See the following URL for a newsbyte on the subject:
http://www.newsbytes.com/news/01/167607.html
"... according to Alldas, all sites were hosted on the Microsoft Web
server platform. The Alldas archive is at http://defaced.alldas.de/ "
Note that even though my RaQ is not a Microsoft web server, the RaQ was
still hacked. I tried going to this site, and it seems to no longer be
online. I think there were some peeved folks!
Thanks for any insights you may give!
enrique
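As an added defensive example (not part of enrique's post), here is a small Python scanner that parses web.log lines in the combined format quoted above and flags any CGI query parameter whose URL-decoded value starts or ends with a pipe or carries another shell metacharacter, which is the shape of the bbs_forum.cgi request. The log lines below are constructed samples; the IP address and sizes are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample web.log lines (combined log format as written by a RaQ3's
# Apache). The second request mirrors the bbs_forum.cgi pattern from the post.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jul/2001:20:30:01 -0400] "GET /cgi-bin/bbs_forum.cgi?forum=open&read=1234 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Jul/2001:20:31:15 -0400] "GET /cgi-bin/bbs_forum.cgi?forum=open&read=|perl%20/tmp/shell2.p| HTTP/1.0" 200 312 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Jul/2001:20:33:09 -0400] "GET / HTTP/1.0" 200 16891 "http://defaced.alldas.de/defaced.php?attacker=dwarf&p=1" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
"""

# One combined-format line: ip ident user [timestamp] "method url proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A value wrapped in pipes is what Perl's two-argument open() treats as a command
# to run; the other metacharacters are the usual shell-injection tells.
PIPE_VALUE_RE = re.compile(r'^\||\|$')
SHELL_META_RE = re.compile(r'[|;`$&<>]')


def suspicious_params(url):
    """Return [(param, decoded_value)] for query parameters that look like shell injection."""
    if '?' not in url:
        return []
    query = url.split('?', 1)[1]
    hits = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        decoded = unquote(value)  # %20 etc. back to the characters the CGI actually saw
        if PIPE_VALUE_RE.search(decoded) or SHELL_META_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return [(ip, timestamp, param, decoded_value)] for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for name, value in suspicious_params(m.group('url')):
            findings.append((m.group('ip'), m.group('ts'), name, value))
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real web.log by passing the file contents to scan_log(); a hit on a parameter like read= is the cue to pull the CGI offline and audit its open() calls.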