Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Apache attacks

from [Dan Margolis] Network Security [Permanent Link]
Subject: Re: Apache attacks
Date: Fri, 28 Jan 2005 12:39:31 -0500 
On Wed, Jan 26, 2005 at 08:56:52PM +0000, Kenny wrote:

My server crashed yesturday and I had to restart it, to get it going 
again. Now everything seems ok, however looking at my 
/var/log/httpd/access_log.1 shows a visitor to the website posting some 
big chunks of exploit code (containing a massive nop sled).
How do I know if this attacker actually got in or not?


I'm assuming Apache segfaulted on you. But this doesn't tell you whether
the exploit was successful or not. You can try some standard auditing
procedures, e.g. scan for known rootkits, compare binary hashes to
known-good hashes, etc. You can also try the exploit yourself--with the
malicious code replaced with something less evil--and see if it actually
works. 

That's about all I can think of, though. 

It would also be good if you could give more details on the Apache
crash. Specifically, your version number, debugger output, and the
exploit. If this is an unknown exploit, it would be invaluable if you
could file a bug with the Apache project. You may want to keep this
confidential in that case, although since it's already in the wild, I
suppose that's probably less useful. 

-- 
Dan
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Apache attacks, KillKenny
Next by Date:  RE: RPC over HTTP security, Shawn Wall
Previous by Thread:  Re: Apache attacks, KillKenny
Next by Thread:  Re: Apache attacks, Ty Bodell
Indexes:  [Date] [Thread] [Top] [All Lists]