[ic] Urgent Help

Murray Gibbins Murray@scotweb.ltd.uk
Mon, 05 Mar 2001 15:28:38 +0000


Robert Trembath wrote:
> 
> I think someone was trying to hack our machine this morning. Found some
> files in the /tmp directory that apache wrote containing this:
> 
> Not Found
> The requested URL /orders/orders.txt was not found on this server.
> 
> Not Found
> The requested URL /orders/import.txt was not found on this server.
> 

ok that's just a problem with httpd.conf, may not indicate a hack, more likely a
problem with a document root inside  virtual host or Alias or Script alias. Your
file permissions may be wonky too.


> Authorization Required
> This server could not verify that you are authorized to access the document
> requested. Either you suppliđ8■ed the wrong credentials (e.g., bad
> password), or your browser doesn't understand how to supply the credentials
> required.

i wouldn't worry about that. If a real hacker got in then you would not have
this type of log file hanging around. But if in doubt may I suggest format
/dev/hda

> I believe someone was looking for credit card info and config info on our
> server. What do you think? I do have the IP's logged but they are probably
> bogus.

The correct approach is "My machine is connected to the internet, therefore I
will assume that it is hacked (hackable) until it is hacked". The precautionary
approach will work best for machines inside DMZ's.

The "Scientific method" will solve all your problems and tell you what's
happening.

Yours

Murray

http://www.morpheux.org

-- 
  ____
  \__/    Murray Gibbins             murray@scotweb.ltd.uk
  /  \    Programmer
_ \__/ _  ================================================
\\ || //  Scotweb Limited,             info@scotweb.ltd.uk
 \\||//   13a Albert Terrace,    http://www.scotweb.ltd.uk
  \||/    Edinburgh EH10 5EA   Tel: +44 (0)  131 270 82 33
   ||     Scotland. Europe.    Fax: +44 (0) 7020  93 49 04