02-07-2008, 08:30 PM #1 Newbie
- Join Date
- Apr 2005
- Posts
- 11
help, httpd.config changed 3 times but
Hello,
httpd.config has changed since my server was hacked, but they cannot control it; they just delete the db from MySQL and they cannot bypass the directory.
I upgraded to Apache 2.2.8.
I made full security,
but I still get a strange problem: I found the httpd.config
changed to make the .ht work by the override option.
I made this:
<Directory "/">
Options all
AllowOverride none
</Directory>
But after a day I found it changed to:
<Directory "/">
Options all
AllowOverride all
</Directory>
I installed mod_security,
and after a day I found that httpd.config had been changed to make mod_security not work and also to set: AllowOverride all!!
I think there is a way for an attacker to alter httpd.config.
I have done a lot of security:
1. Disabled a lot of PHP functions, including decode_64base
2. Installed APF
3. mod_security with good rules
4. chmod httpd.config to 600, and I found it changed after a day, and I made it 700
Please, any help or advice to prevent any changes occurring in httpd.config?
-
02-07-2008, 09:39 PM #2 Disabled
- Join Date
- Aug 2002
- Posts
- 308
If the hacker has root access then he could have made some backdoor, and now he uses it. It may be an ssh backdoor or any suid cgi, php script.
Look at the modification time of httpd.conf, and afterwards grep the httpd access log within +- 1 minute. If he uses a script with Apache I think you can find it.
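The correlation suggested in this reply, as an added example that is not part of the original post: it keeps the access-log lines whose timestamp falls within one minute of the moment the config file changed. The log lines, IP addresses, paths and the change time are constructed sample data, and the function names are hypothetical; it assumes the default Apache common/combined timestamp format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Timestamp field of the Apache common/combined log format,
# e.g. [08/Feb/2008:01:22:05 -0500]
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def file_mtime(path):
    """Modification time of a file as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(log_lines, when, window=timedelta(minutes=1)):
    """Return the access-log lines logged within +-window of `when`."""
    hits = []
    for line in log_lines:
        m = TS_RE.search(line)
        if not m:
            continue  # not an access-log line, or a custom LogFormat
        # %b expects English month names (C/English locale).
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= window:
            hits.append(line.rstrip("\n"))
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2008:01:10:41 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Feb/2008:01:21:30 -0500] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 312',
    '192.0.2.10 - - [08/Feb/2008:01:22:48 -0500] "GET /images/logo.png HTTP/1.1" 304 -',
    '203.0.113.5 - - [08/Feb/2008:01:40:02 -0500] "GET / HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    # Constructed change time 01:22:00 -0500; on a real host pass
    # file_mtime(<path of your own config file>) instead.
    changed = datetime(2008, 2, 8, 1, 22, tzinfo=timezone(timedelta(hours=-5)))
    for hit in requests_near(SAMPLE_LOG, changed):
        print(hit)
```

An empty result suggests the change did not arrive through Apache, which points toward a scheduled job or a login over another service.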
-
02-07-2008, 09:40 PM #3 Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
If a super user owned file is being modified, then your problems are far worse than modifying settings for PHP and disabling Base64 and setting mod_security rules. You've only so far reported doing a few trivial things, when all is said and done (a fine start, by the way, don't get me wrong), but you're now reporting something far more serious going on. Are you sure some other program isn't changing this or reverting it?
-
02-07-2008, 10:30 PM #4 Newbie
- Join Date
- Apr 2005
- Posts
- 11
-
02-08-2008, 06:36 PM #5 Newbie
- Join Date
- Apr 2005
- Posts
- 11
Any help, please?
-
02-08-2008, 08:36 PM #6 Newbie
- Join Date
- Apr 2005
- Posts
- 11
Also, today at the same time the httpd.config was changed with the same changes.
Every day at 01:22 server time
the httpd.config is changed.
Any help, please?
-
02-09-2008, 12:24 AM #7 Newbie
- Join Date
- Apr 2005
- Posts
- 11
OK, it was my mistake.
I did not read the Apache configuration carefully:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Direct modifications to the Apache configuration file may be lost upon subsequent regeneration of the #
# configuration file. To have modifications retained, all modifications must be checked into the #
# configuration system by running: #
# /usr/local/cpanel/bin/apache_conf_distiller --update #
# To see if your changes will be conserved, regenerate the Apache configuration file by running: #
# /usr/local/cpanel/bin/build_apache_conf #
# and check the configuration file for your alterations. If your changes have been ignored, then they will #
# need to be added directly to their respective template files. #
# #
# This configuration file was built from the following templates: #
# /var/cpanel/templates/apache2/main.default #
# /var/cpanel/templates/apache2/main.local #
# /var/cpanel/templates/apache2/vhost.default #
# /var/cpanel/templates/apache2/vhost.local #
# /var/cpanel/templates/apache2/ssl_vhost.default #
# /var/cpanel/templates/apache2/ssl_vhost.local
-
02-11-2008, 10:49 AM #8 Newbie
- Join Date
- Feb 2008
- Posts
- 12
Hello,
Let me tell you one thing: if your server is hacked, I suggest you do an OS reload and then start from scratch.
1) Secure your server (like changing the ssh port, disabling root login, installing firewalls, etc.)
2) Then start to restore your accounts.
This will clean all your exploits on this server.
Please let me know if you need any guidance in this matter.
<<signatures are to be set up in your profile>>
Last edited by bear; 02-22-2008 at 08:58 AM.