
Geeklog Forums

help, am I being hacked?



tstockma

Forum User
Full Member
Registered: 07/22/03
Posts: 169
Strange things: around 4 this morning, Mountain time zone, my GL site stopped working; Apache itself may have bounced, I'm not sure.

I have a "virtual server" with several domains on it. The .php files on the GL site no longer execute; calling them directly in the browser simply displays the contents of the PHP files.

I'm looking through various log files on my server; /var/log/messages has something that disturbs me, but I don't understand it at all.

213: Jan 26 07:35:11 sunrise-web-hosting vssu: nobody to (user-account-name)
214: Jan 26 07:35:11 sunrise-web-hosting vssu: nobody to (user-account-name)
215: Jan 26 07:40:56 sunrise-web-hosting vssu: nobody to (user-account-name)
216: Jan 26 07:40:56 sunrise-web-hosting vssu: nobody to (user-account-name)
217: Jan 26 07:41:04 sunrise-web-hosting vssu: nobody to (user-account-name)
218: Jan 26 07:41:14 sunrise-web-hosting vssu: nobody to root
219: Jan 26 07:41:04 sunrise-web-hosting vssu: nobody to (user-account-name)
220: Jan 26 07:41:14 sunrise-web-hosting vssu: nobody to root


(user-account-name) is the fairly powerful account I've installed everything as. This looks like Apache (running as the nobody account) is perhaps trying to switch user (su) to root and to that account? I don't know how to read this log; could someone please tell me what this is saying?

I'm on GL 1.3.8-1sr6, my config.php file is not under htdocs, so the web server shouldn't be able to see it...thanks for any advice!

Also, what will make Apache stop running php files on a server? Other domains on this virtual server still run fine.
Tom
www.southparkcity.com


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by tstockma: 218: Jan 26 07:41:14 sunrise-web-hosting vssu: nobody to root

This doesn't look good. "nobody" is usually the user the web server is running as and when someone switches from there to root, it's very suspicious ...

My guess would be that one of the sites on the vserver has been hijacked. That doesn't necessarily mean the Geeklog site - it could have hit any other one. The "santy" and "spyki" worms come to mind ...

As for the server not interpreting PHP any more: The attacker probably changed the httpd.conf and disabled PHP there (maybe only for some vhosts).

You'd better get someone experienced to have a good look at that server and/or reinstall it.

bye, Dirk
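As an added example (not from this thread, from Dirk, or from Geeklog), here is a small Python triage script that does mechanically what Dirk does by eye: it parses classic syslog lines, picks out the "SRC to DST" identity-switch messages written by su-style programs, and flags the two patterns he calls out: any switch that starts from the web-server account (Apache has no business changing identity) and any switch that ends at root. The sample log is constructed, modelled on the lines Tom quoted; the host name, the account name `webadmin`, and the sshd/su/kernel lines are placeholders added for contrast, and `vssu` is simply the program name as it appears in the quoted log.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/messages lines quoted in the
# thread. Host name, the account name "webadmin" and the sshd/su/kernel lines
# are placeholders added for contrast; "vssu" is the program name from the thread.
SAMPLE_LOG = """\
Jan 26 07:35:11 sunrise-web-hosting vssu: nobody to webadmin
Jan 26 07:35:11 sunrise-web-hosting vssu: nobody to webadmin
Jan 26 07:40:56 sunrise-web-hosting vssu: nobody to webadmin
Jan 26 07:41:04 sunrise-web-hosting vssu: nobody to webadmin
Jan 26 07:41:14 sunrise-web-hosting vssu: nobody to root
Jan 26 07:41:14 sunrise-web-hosting vssu: nobody to root
Jan 26 07:42:00 sunrise-web-hosting sshd[1234]: Accepted password for webadmin from 192.0.2.10 port 51234 ssh2
Jan 26 07:42:30 sunrise-web-hosting su: webadmin to root on /dev/pts/0
Jan 26 07:43:00 sunrise-web-hosting kernel: eth0: link up
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# "SRC to DST ..." is how su (and the vssu wrapper in the thread) reports a switch
SWITCH_RE = re.compile(r"^(?P<src>\S+) to (?P<dst>\S+)")

SWITCH_PROGS = {"su", "vssu", "sudo"}
WEB_USERS = {"nobody", "apache", "www-data", "httpd"}  # accounts a web server runs as


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def user_switches(log_text):
    """Return [(ts, prog, src, dst)] for every identity-switch message in the log."""
    found = []
    for line in log_text.splitlines():
        rec = parse_syslog(line)
        if rec is None or rec["prog"] not in SWITCH_PROGS:
            continue
        sm = SWITCH_RE.match(rec["msg"])
        if sm:
            found.append((rec["ts"], rec["prog"], sm["src"], sm["dst"]))
    return found


def triage(log_text):
    """Summarise switches and flag the two patterns Dirk called out:
    anything starting from the web-server account, and anything ending at root."""
    switches = user_switches(log_text)
    pairs = Counter((src, dst) for _, _, src, dst in switches)
    findings = []
    for ts, prog, src, dst in switches:
        if src in WEB_USERS:
            findings.append(f"{ts} {prog}: web-server account '{src}' switched to '{dst}'")
        elif dst == "root":
            findings.append(f"{ts} {prog}: '{src}' became root")
    return {
        "switches": switches,
        "pairs": pairs,
        "from_web_user": sum(1 for _, _, s, _ in switches if s in WEB_USERS),
        "to_root": sum(1 for _, _, _, d in switches if d == "root"),
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (src, dst), n in sorted(report["pairs"].items()):
        print(f"{n:3d}  {src} -> {dst}")
    print()
    for f in report["findings"]:
        print("LEAD:", f)
```

Run it against a real /var/log/messages (for example `triage(open("/var/log/messages").read())`) and treat each line of output as a lead, not a verdict: the script only tells you which identity switches need an explanation. As Dirk notes later in the thread, the hosting provider can make such switches legitimately, so the next step is to line the timestamps up against the provider's own activity, sshd logins and the web server's access log before deciding anything.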


tstockma

Forum User
Full Member
Registered: 07/22/03
Posts: 169

Thanks, Dirk, calls to my ISP have me feeling a bit less nervous...

The ISP upgraded PHP on many, many servers last night, and today they are flooded with web sites that don't work. Their reps are very certain this entire problem is due to that, and they did look at the httpd.conf file, though I don't know for sure they were looking for PHP being disabled there...hopefully they would, but I dunno for sure.

The rest of the sites on this virtual server are strictly HTTP, except one other where I embed some PHP scripts in HTML, but there's not much hackable here. This GL site going public is the only significant recent change...I'm not assuming anything...in fact I'm not at all sure someone's hacked the server...

Dirk--or anyone--what the heck do those entries in my /var/log/messages file mean? I'm only speculating they mean someone is in as "nobody" trying to su to my real account, and to root. I'd love to know more.

Thanks for checking in, Dirk! --Tom
Tom
www.southparkcity.com


Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by tstockma: Dirk--or anyone--what the heck do those entries in my /var/log/messages file mean? I'm only speculating they mean someone is in as "nobody" trying to su to my real account, and to root.

That would be my interpretation as well. And that's why I suspected that you've been hacked.

Of course, the person running the server, i.e. your hosting service, can do that, as well - legitimately ...

bye, Dirk


tstockma

Forum User
Full Member
Registered: 07/22/03
Posts: 169
Argh! OK, I just put my earpiece back in and hit redial; this time I'll insist they look at that specific log file and tell me what those entries are. During previous calls, they pooh-poohed that log because they focused on the PHP problems they knew about, so I'll check in.

--- later ---

Wow, this is actually very cool!

I called & said I didn't want to talk about the PHP problem, instead I wanted to talk about the log file...this particular rep focused on the PHP problem again, spent a lot of time but ID'd the problem for me which I can now fix.

I then said, OK, let me redirect this call back to log file messages, which he did.

Turns out these messages are the sendmail server rejecting SPAM! The "nobody" does not refer to the user account for Apache, it's the address @my-domain-name the mail got forwarded to.

I didn't know sendmail did that! Now I'm off to try the fix to my PHP problem this chap suggested.

Thanks, Dirk, & this was an interesting though somewhat stressful one.

Tom
Tom
www.southparkcity.com
