[ale] apache recovery
    Jonathan Glass (IBB)
    jonathan.glass at ibb.gatech.edu
    Thu Sep 19 04:15:28 EDT 2002

Add to that: mount the old drive read-only,noexec,nosuid,noguid to
prevent any Trojans from running. 
Jonathan Glass
RHCE, A+, Network+, Linux+, MCP
478-474-2417
478-737-7742
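As an added example (not code from anyone in this thread), here is the recovery the replies describe done as a script: the old disk is mounted read-only with noexec, nosuid and nodev so nothing on it can execute or gain privilege, and the ordinary user accounts are carved out of its passwd, shadow and group files for review before they are appended to the fresh install. The device name, mount point and the UID 500 cut-off are assumptions (Mandrake of that era started ordinary users at UID 500; check UID_MIN in /etc/login.defs on the new system).

```shell
#!/bin/sh
# Added example, not from the thread: mount the suspect disk the safe way
# and pull the non-system accounts out of it for review.
# OLD_DEV, OLD_ROOT, MIN_UID and NOBODY_UID are assumptions for this example.

OLD_DEV=${OLD_DEV:-/dev/hdb1}     # assumed: the old root partition
OLD_ROOT=${OLD_ROOT:-/mnt/old}    # assumed: where it gets mounted
MIN_UID=${MIN_UID:-500}           # assumed: first ordinary-user UID on this distro
NOBODY_UID=65534                  # assumed: nobody/nogroup style accounts start here

# Mount the old disk so it can be read but nothing on it can execute, be
# setuid, or act as a device node.  Never mount it rw or chroot into it.
mount_old_disk() {
    mkdir -p "$OLD_ROOT" || return 1
    mount -o ro,noexec,nosuid,nodev "$OLD_DEV" "$OLD_ROOT"
}

# passwd entries in the ordinary-user range (field 3 is the UID).  Anything
# below MIN_UID is a system account the new install already provides, and
# one an intruder could have altered, so it is not carried over.
user_entries() {   # $1 = passwd file
    awk -F: -v min="$MIN_UID" -v nobody="$NOBODY_UID" \
        '$3 >= min && $3 < nobody { print }' "$1"
}

# Shadow lines for exactly the logins selected by user_entries, matched on
# the whole login name rather than a substring.
shadow_entries() { # $1 = passwd file, $2 = shadow file
    user_entries "$1" | cut -d: -f1 | while IFS= read -r login; do
        awk -F: -v u="$login" '$1 == u { print }' "$2"
    done
}

# Group entries in the same GID range (one private group per user on this
# distro, so these belong with the users).
group_entries() {  # $1 = group file
    awk -F: -v min="$MIN_UID" -v nobody="$NOBODY_UID" \
        '$3 >= min && $3 < nobody { print }' "$1"
}

# Logins from the old passwd that already exist in the new one: these would
# collide on append and need a decision, not a blind copy.
colliding_logins() { # $1 = old passwd, $2 = new passwd
    user_entries "$1" | cut -d: -f1 | while IFS= read -r login; do
        awk -F: -v u="$login" '$1 == u { print u }' "$2"
    done
}

# Write the three review files.  Nothing is appended to /etc automatically:
# read the files, then cat them onto the new system's passwd/shadow/group
# yourself and run pwck and grpck afterwards.
extract_accounts() { # $1 = old root, $2 = output directory
    mkdir -p "$2" || return 1
    user_entries   "$1/etc/passwd"                 > "$2/passwd.old-users"
    shadow_entries "$1/etc/passwd" "$1/etc/shadow" > "$2/shadow.old-users"
    group_entries  "$1/etc/group"                  > "$2/group.old-users"
    chmod 600 "$2/shadow.old-users"
}

# Usage, as root on the new install:
#   OLD_DEV=/dev/hdb1 sh recover-accounts.sh --run
if [ "${1:-}" = "--run" ]; then
    mount_old_disk && extract_accounts "$OLD_ROOT" /root/recovered
fi
```

The home directories are copied separately with the same caution: rsync from the read-only mount, and check the copied trees for setuid files and dot-files you did not expect before letting anyone log in.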
-----Original Message-----
From: Jim Popovitch [mailto:jimpop at rocketship.com]
Sent: Thursday, September 19, 2002 1:43 AM
To: ale at ale.org
Subject: RE: [ale] apache recovery
Hi Robert,

As far as httpd errors, none of those are problems.  I see those in my log
files all the time.  Your issue seems to be just that your root partition
filled up.  You need to delete some data so that /tmp has space (boot into
single user mode).  I would also suggest putting /var and /tmp on separate
partitions.

As for your ftp server... I would advise disabling it.  In my opinion there
isn't a good ftp server.

It is impossible to say that your box wasn't hacked; the best thing to do
would be to go buy a new hard drive at MicroCenter (~$100) and install
Mandrake 8.2 on it.  Then mount the old disk and copy user files over.

-Jim P.
> -----Original Message-----
> From: Robert E. Karaffa, II [mailto:rkaraff at emory.edu]
> Sent: Thursday, September 19, 2002 12:12 AM
> To: ale at ale.org
> Subject: [ale] apache recovery
>
>
> Hi folks,
>    Our little apache web server (Mandrake 8.0) was brought down yesterday by a
> bot, I think.  It was looking for a Windows box to infest, and not finding one,
> it instead filled up our root partition with log entries until it was full,
> thus rendering our server useless.  Here are some log entries from
> /var/log/http:
>
> [Sun Sep  1 10:30:37 2002] [error] [client 66.77.73.236] File does not exist: /var/www/html/robots.txt
> [Mon Sep  2 01:03:47 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
> [Mon Sep  2 07:54:01 2002] [error] [client 24.214.140.223] Invalid method in request /
> [Sat Sep  7 17:24:30 2002] [error] [client 217.235.10.17] File does not exist: /var/www/html/scripts/..¿Ã../winnt/system32/cmd.exe
> [Sat Sep  7 20:49:42 2002] [error] [client 212.185.249.88] File does not exist: /var/www/html/request/failed/index_failed.htm
> [Sun Sep  8 01:04:20 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
> [Sun Sep  8 08:43:25 2002] [error] [client 200.158.124.149] Client sent malformed Host header
> [Sun Sep  8 09:08:29 2002] [error] [client 66.1.110.186] Client sent malformed Host header
> [Sun Sep  8 12:36:39 2002] [error] [client 204.253.57.44] File does not exist: /var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe
> [Mon Sep  9 01:06:03 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
>
> I'm too dumb to figure out just what happened.  It DID happen over a period of
> time, not just yesterday.  So, we're trying to recover as best we can, and I've
> some questions for you gurus in ale.org land:
>
> -I don't think we'll have to reinstall our OS...but I'm not confident of that
> quite yet.
> -we used this box for ftp server, web server, and AppleShareIP server.  It
> therefore contains a lot of user information that we'd like to keep.  Can
> anybody tell me how to restore the users and groups list if we do indeed
> reinstall?  I'm surfing the net for help, so I'd appreciate any feedback from
> any of you.
>
> -Is it as easy as copying the passwd file and .htaccess?  Am I close?  The
> accounts that have been created over the past couple of years of use we would
> like not to lose.  The data in the accounts is not that critical, as we can
> easily back that up and restore it properly.
>
> Here's the entry in /var/log/http/error.log that caught our attention:
>
> [Sat Sep 14 11:14:08 2002] [error] [client 216.1.217.140] File does not exist: /var/www/html/galaxy_7171.7517
>
>
> Anybody know what "galaxy_7171.7517" is?
>
> Interestingly enough, last night I was doing some reading on grc.com.  The saga
> of the DoS attack by the 13-yr old script kiddie made for good reading.  Does
> it look like we were attacked by this method?
>
> Thanks for any help anybody can render.
>
> --
> -Bob K.
>
> **************************
> Robert E. Karaffa, II
> Technical Director
> Emory University
> Flow Cytometry Core Facility
> 1365 B Clifton Rd., Room B5133
> Atlanta, Ga 30322
> voice: 404/712-4429
> e-mail: rkaraff at emory.edu
> **************************
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
>
sent to listmaster at ale dot org.
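As an added example (not code from anyone in this thread), here is the triage the thread is really about, done with awk on the kind of Apache 1.3 error_log lines quoted above: count what each client is hitting, find the clients that are filling the log, and find which files actually ate the partition. The cmd.exe traversal requests in the quoted log are probes aimed at IIS; on an Apache box they cost a log line each and nothing more. The sample lines, class names and thresholds are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: triage an Apache 1.3 error_log and find
# what is eating the root partition.  Class names, thresholds and the sample
# log are this example's own.

# Constructed sample, modelled on the lines quoted in the post (not real data).
SAMPLE_LOG='[Sat Sep  7 17:24:30 2002] [error] [client 217.235.10.17] File does not exist: /var/www/html/scripts/..%5c%5c../winnt/system32/cmd.exe
[Sun Sep  8 01:04:20 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
[Mon Sep  9 01:06:03 2002] [error] [client 170.140.204.127] File does not exist: /var/www/html/robots.txt
[Sun Sep  8 08:43:25 2002] [error] [client 200.158.124.149] Client sent malformed Host header
[Sat Sep 14 11:14:08 2002] [error] [client 216.1.217.140] File does not exist: /var/www/html/galaxy_7171.7517'

# Read error_log lines on stdin; print "<count> <class>:<client ip>",
# most frequent first.
classify_error_log() {
    awk '
    match($0, /\[client [0-9.]+\]/) {
        ip  = substr($0, RSTART + 8, RLENGTH - 9)   # drop "[client " and "]"
        msg = substr($0, RSTART + RLENGTH + 1)      # text after "] "
        cls = "other"
        if      (msg ~ /winnt\/system32\/cmd\.exe/) cls = "iis-traversal-probe"
        else if (msg ~ /robots\.txt/)               cls = "robots.txt"
        else if (msg ~ /malformed Host header/)     cls = "malformed-host"
        else if (msg ~ /Invalid method/)            cls = "invalid-method"
        n[cls ":" ip]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Clients that logged more than $1 lines: a bot hammering one box shows up
# here long before df reaches 100%.
noisy_clients() {  # $1 = threshold; error_log on stdin
    awk -v lim="$1" '
    match($0, /\[client [0-9.]+\]/) { n[substr($0, RSTART + 8, RLENGTH - 9)]++ }
    END { for (ip in n) if (n[ip] > lim) print n[ip], ip }' | sort -rn
}

# Files under a tree larger than 1 MiB (2048 512-byte blocks), largest first,
# staying on one filesystem.  Run it against /var/log first, then / if the
# space went somewhere else.
biggest_files() {  # $1 = directory, $2 = how many to show
    find "$1" -xdev -type f -size +2048 -exec du -k {} + 2>/dev/null |
        sort -rn | head -n "$2"
}

# Usage on the box once it boots to single user mode (log path as the post
# gives it; adjust to wherever your error_log lives):
#   classify_error_log < /var/log/http/error.log
#   noisy_clients 100  < /var/log/http/error.log
#   biggest_files / 20
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | classify_error_log
fi
```

Once the noisy client and the oversized file are known, the fix for the symptom is a logrotate entry with a size limit and /var on its own partition, so a scanner can only fill /var and not take down the root filesystem with it.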