apache 1.3.36 is really secured?

[AlexandreVeezon]

Hello people...

one more question in here.
Anybody knows about security fails in apache 1.3.36?
exists the possibility of anyone execute any malicious script in a secured machine through apache?
And worst, can anyone replace all index.php of all domains through apache?

hehehe

questions, questions...
I have to discover how one hacker have access to system through apache.
And how to block this

any help will be appreciated

thank you

 

[AndyReed]

Anybody knows about security fails in apache 1.3.36?

exists the possibility of anyone execute any malicious script in a secured machine through apache?
And worst, can anyone replace all index.php of all domains through apache?

Apache is just a software application running on the system. The vast majority of attacks are aimed at the systems themselves. As someone has pointed out,
"If you have 1GB/s heading for your server then the pipe is going to saturate before Apache even gets a chance to see the packets."

I suggest you either go to a bookstore or a library in your home-town and find books discussing Apache and security. You can also google. Here is one site that discusses Apache and security:
http://www.securitydocs.com/Web_Security/Apache

questions, questions...
I have to discover how one hacker have access to system through apache.
And how to block this

This is the $64,000 question. When you find the answer, please post it here. Good luck! :D

 

[chirpy]

And worst, can anyone replace all index.php of all domains through apache?

If it's on all sites on the server it's most likely an exploited php script on the server. You'll have to do some trawling through the domain logs in /usr/local/apache/domlogs to find out which script is to blame.

 

[AlexandreVeezon]

Thank you chirpy and AndyReed.

I'll see your suggestions and post my working in here...
But now, I have to discover the domain that host the script, because this attack cames from a non-customer

This is the $64,000 question. When you find the answer, please post it here. Good luck! :D

And AndyReed, if I find the answer, it will cost less than 64,000 :D

 

[AlexandreVeezon]

well, as I said... I'll post in here the my discovery...

Well, the problem start because one domain host one file called c99.php
Anyone know that? C99 Shell.. if you search it on google, you'll see several links.

This script let anyone have access to machine easily, including searching files, execute comands as chmod, touch, ls, cd, and much more.
This script only works in machines that don't have mod_security installed. In my case, this isn't the problem.. the problem... the BIGG big really big trouble is this lines:

<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>

When inserted in .htaccess, all mod_security goes down to domain.

So, the new question is:
How to make mod_security ignore .htaccess disable file?

Just one more thing... With c99.php, the people upload one file called dc.pl
limited with chmod 750 /usr/bin/perl

Well, maybe we can solve all the issues helping each other hehe
thank you!

 

[patryk]

Turn on safe_mode and open_basedir protection to avoid such problems.

 

[AlexandreVeezon]

Sure, but its is only one solution...

the big answer is: "how to mod_security is not ignored in .htaccess file"

well... let's wait for more people to give their words

 

[pross]

Sure, but its is only one solution...

the big answer is: "how to mod_security is not ignored in .htaccess file"

well... let's wait for more people to give their words

You can compile mod_security with the -DDISABLE_HTACCESS_CONFIG flag which will prevent any users disabling or modifying your mod_security ruleset.

the answer was already in the forums!

 

[AlexandreVeezon]

Yeahhhh!!!

I'll try! :D

Thank you!

 

[agressor]

and how i can add -DDISABLE_HTACCESS_CONFIG this flag and where?

 

[asterisk]

You can do that by compiling mod_security with that flag.