My Apache was hacked

Status
Not open for further replies.

imryn

Programmer
Dec 2, 2002
75
US
Hello Folks,

Well, it appears that my Apache was scanned and hacked. There are entries as root like " ./apache-scan 209 215 165 " & " cp all.log " & " rm -rf all.log "; you get the point, I am sure. Now I cannot boot up my Linux server correctly. Where did I go wrong? Can Apache be configured differently to prevent that scanning for open ports?

Thanks,
Ryan
 
They didn't necessarily come in through apache. What OS are you on?
 
RedHat 7.3 with a moderate Firewall, meaning no ftp, or telnet open, at least so I thought...
 
RH 7.3 is, what? 4 years old? There's no count of possible security flaws that have been fixed since then.

You need to reinstall your operating system now to be sure it's not backdoored, there's no way around it. You should take this opportunity to upgrade to something more up to date and keep on top of the security updates.

Then you should take a *far* more fascist approach to firewalling. Lock down all ports except what you definitely want people to access.

 
ericbrunson,

Thanks for the tidbit. I am going to update the system now, to Fedora I believe. However, I did manage to find out that the perp used ssh to install tarballs to my tmp directory... And you're right about the back door. Do you think it's better to go with a Cisco router or let the Linux firewall handle the ports for the Linux server?

Thanks,
Ryan
 
Linux (Iptables) can do the job. An external firewall would provide a first line of defense and is what I'd recommend. You'll probably want some type of lockdown on the server itself anyway to prevent internal users from abusing it.
 
lgarner, thank you. I was wondering if I should go ahead and buy both. And that was what I was looking for.

Thank You,
Ryan
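
The advice in the thread to lock down all ports except the ones people should reach, using iptables on the server itself, shown as an added example that is not part of the original posts. The function name `gen_rules`, the public ports 80 and 443, and the admin network 203.0.113.0/24 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print a default-deny IPv4 ruleset in
# iptables-restore format. Assumed for illustration: the function name, the
# public ports passed in, and an admin network that alone may reach SSH.

gen_rules() {
    [ "$#" -ge 1 ] || { echo "usage: gen_rules ADMIN_NET [PORT...]" >&2; return 1; }
    admin_net="$1"
    shift

    # Validate every port before printing anything, so a typo never yields
    # a half-written ruleset.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
    done

    # Policy DROP on INPUT and FORWARD: anything not explicitly allowed
    # below is refused. Loopback and replies to our own traffic stay open.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # SSH is reachable from the admin network only, never from the Internet.
    echo "-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Rate-limited log of what is about to hit the DROP policy.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "'
    echo "COMMIT"
}

# Syntax-check without loading (needs root):
#   gen_rules 203.0.113.0/24 80 443 | iptables-restore --test
```

This covers IPv4 only; a host with IPv6 enabled needs a matching ip6tables ruleset.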