  1. #1

    help, httpd.config changed 3 times but

    Hello,
    httpd.config has been changed since my server was hacked, but they cannot control it; they just deleted the db from mysql and they cannot bypass the directory.

    I upgraded to Apache 2.2.8.
    I made full security.

    But I still get a strange problem: I found that httpd.config
    was changed to make the .ht work via the override option.
    I made this:
    <Directory "/">
    Options all
    AllowOverride none
    </Directory>

    but after a day I found it changed to be:
    <Directory "/">
    Options all
    AllowOverride all
    </Directory>

    I installed mod_security,
    and after a day I found that httpd.config was changed to make mod_security not work and also to set: AllowOverride all!!

    I think there is a way for an attacker to alter httpd.config.

    I made a lot of security:
    1. disabled a lot of PHP functions including decode_64base
    2. installed apf
    3. mod_security with good rules
    4. chmod httpd.config with 600, and I got it changed after a day, and I made it 700

    Please, any help or advice to prevent any change occurring in httpd.config?

  2. #2
    If the hacker has root access then he could have made some backdoor and now uses it. It may be an ssh backdoor or any suid cgi or php script.

    Look at the modification time of httpd.conf, and then grep the httpd access log +- 1 minute. If he uses a script with apache I think you can find it.
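
The check suggested in post #2 (compare the config file's modification time with access-log entries about a minute either side), as an added example that is not part of the original thread. It assumes GNU `stat`, `date` and `touch` and an Apache common/combined-format log; the function names, paths and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat/date/touch and an
# Apache common/combined-format access log; names and paths are placeholders.

# "22/Feb/2008:01:22:13 +0000" -> epoch seconds (the UTC offset is honoured)
apache_ts_to_epoch() {
    date -d "$(printf '%s\n' "$1" | sed 's|/| |g; s|:| |')" +%s
}

# Print every log line whose timestamp is within WINDOW seconds of FILE's mtime,
# prefixed with the signed offset in seconds.
# usage: requests_near_mtime FILE ACCESS_LOG [WINDOW_SECONDS]
requests_near_mtime() (
    target=$1 log=$2 window=${3:-60}
    mtime=$(stat -c %Y "$target") || exit 1
    while IFS= read -r line; do
        case $line in *\[*\]*) ;; *) continue ;; esac      # no timestamp field
        ts=${line#*\[}; ts=${ts%%\]*}
        epoch=$(apache_ts_to_epoch "$ts" 2>/dev/null) || continue   # unparsable
        delta=$((epoch - mtime))
        if [ "$delta" -ge "-$window" ] && [ "$delta" -le "$window" ]; then
            printf '%ss\t%s\n' "$delta" "$line"
        fi
    done < "$log"
)

# Self-contained run on constructed data (addresses are documentation ranges).
demo() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    touch -d '2008-02-22 01:22:00 UTC' "$dir/httpd.conf"
    cat > "$dir/access_log" <<'EOF'
192.0.2.10 - - [22/Feb/2008:01:10:05 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [22/Feb/2008:01:21:40 +0000] "POST /contact.php HTTP/1.1" 200 312
198.51.100.7 - - [21/Feb/2008:20:22:30 -0500] "GET /gallery/view.php HTTP/1.1" 200 48
malformed line without a timestamp
192.0.2.10 - - [22/Feb/2008:01:25:00 +0000] "GET /about.html HTTP/1.1" 200 900
EOF
    requests_near_mtime "$dir/httpd.conf" "$dir/access_log" 60
)

demo
```

A change that recurs at the same minute every day with no matching web request points away from Apache and towards a scheduled job, which `crontab -l` and the files under `/etc/cron.d` will show.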

  3. #3
    If a super user owned file is being modified, then your problems are far worse than modifying settings for PHP and disabling Base64 and setting mod_security rules. You've only so far reported doing a few trivial things, when all is said and done (a fine start, by the way, don't get me wrong), but you're now reporting something far more serious going on. Are you sure some other program isn't changing this or reverting it?

  4. #4
    Quote, originally posted by ISPserver:
    If the hacker has root access then he could have made some backdoor and now uses it. It may be an ssh backdoor or any suid cgi or php script.

    Look at the modification time of httpd.conf, and then grep the httpd access log +- 1 minute. If he uses a script with apache I think you can find it.

    Could you please give me the command?
    I got the time httpd.config was changed;
    it is: 01:22

    So could you write the command that I would use in ssh?

    Thank you very much.

  5. #5
    any help? please

  6. #6
    Also, today at the same time httpd.config was changed with the same changes.

    Every day at 01:22 server time
    httpd.config is changed.

    Any help, please?

  7. #7
    OK, it was my mistake.
    I did not read the Apache configuration carefully:

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # Direct modifications to the Apache configuration file may be lost upon subsequent regeneration of the #
    # configuration file. To have modifications retained, all modifications must be checked into the #
    # configuration system by running: #
    # /usr/local/cpanel/bin/apache_conf_distiller --update #
    # To see if your changes will be conserved, regenerate the Apache configuration file by running: #
    # /usr/local/cpanel/bin/build_apache_conf #
    # and check the configuration file for your alterations. If your changes have been ignored, then they will #
    # need to be added directly to their respective template files. #
    # #
    # This configuration file was built from the following templates: #
    # /var/cpanel/templates/apache2/main.default #
    # /var/cpanel/templates/apache2/main.local #
    # /var/cpanel/templates/apache2/vhost.default #
    # /var/cpanel/templates/apache2/vhost.local #
    # /var/cpanel/templates/apache2/ssl_vhost.default #
    # /var/cpanel/templates/apache2/ssl_vhost.local

  8. #8
    Hello,

    Let me tell you one thing: if your server is hacked, I suggest you do an OS reload and then start from scratch.

    1) Secure your server (like change the ssh port, disable root login, install firewalls, etc.)
    2) Then start to restore your accounts.

    This will clean all your exploits on this server.
    Please let me know if you need any guidance in this matter.

    <<signatures are to be set up in your profile>>
    Last edited by bear; 02-22-2008 at 08:58 AM.
