View Full Version : New hacking - to get back links


plmerlin
Feb 14th 2005, 10:43 am
I don't know if it's the correct place to post this.

This morning our monitors informed us that a 25 MB file has been loaded into the Linux tmp directory through the Apache server and that scripts were blocked (thanks to security).

After looking at that stuff, we realized that someone is using a hole in Apache to upload and activate scripts that create links into PR3+ pages. There is an XML file list of 250 links with anchor texts. All links are from Asia and South Pac sites, all PR0 or PR1. We contacted several of them via email but no answer yet.

I read about something like this a few months ago but didn't know it was applicable to get back links!

So if you see links you don't know about... look for scripts in tmp files and ask your ing or host to fix Apache holes.

T0PS3O
Feb 14th 2005, 11:31 am
Damn SEO's!

That's pretty messed up stuff. Glad you caught them.

tomecki
Feb 14th 2005, 12:29 pm
> I don't know if it's the correct place to post this.
>
> This morning our monitors informed us that a 25 MB file has been loaded into the Linux tmp directory through the Apache server and that scripts were blocked (thanks to security).
>
> After looking at that stuff, we realized that someone is using a hole in Apache to upload and activate scripts that create links into PR3+ pages. There is an XML file list of 250 links with anchor texts. All links are from Asia and South Pac sites, all PR0 or PR1. We contacted several of them via email but no answer yet.
>
> I read about something like this a few months ago but didn't know it was applicable to get back links!
>
> So if you see links you don't know about... look for scripts in tmp files and ask your ing or host to fix Apache holes.

I think you should find patches for the Linux kernel.

plmerlin
Feb 14th 2005, 3:10 pm
> I think you should find patches for the Linux kernel.

After further investigation, the hacker came through using an open relay - almost impossible to track down so we asked the relay to close its doors.

At first we were thinking of a hole in Apache but it looks weird as we are up-to-date.
Looking at log files and other techy stuff (don't ask me) :) we found out that the hacker used a hole in awstats (we have 6.3) letting him try to run scripts - fortunately awstats runs as the apache user, not root. If not we were good to reload the backup or clean the mess by hand. Now awstats is locked and only authenticated users have access.

Also, there is the latest patch available from Awstats (6.4 - 2/14/2005) which fixes 3 more security risks: http://awstats.sourceforge.net/docs/awstats_changelog.txt but is not prod yet...

We got lucky this time...:) what's next?
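
Added example (not part of the original thread and not the posters' own tooling): one way to do the "look for scripts in tmp files" check described above, listing regular files under a tmp directory that are owned by the web server account and are executable, start with a script or binary header, or are unusually large. The function name, the header list, the 10 MiB size threshold and the account name "apache" are assumptions made for illustration.

```python
import os
import stat

# Leading bytes that mark a file as runnable content (heuristic, not exhaustive).
SCRIPT_MAGIC = (b"#!", b"\x7fELF", b"<?php")

def suspicious_tmp_files(tmp_dir, web_uid, big_bytes=10 * 1024 * 1024):
    """Return sorted (path, reasons) for regular files under tmp_dir owned by
    web_uid that are executable, carry a script/binary header, or are large."""
    findings = []
    for root, _dirs, files in os.walk(tmp_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of tmp
            except OSError:
                continue  # file vanished between listing and stat
            if not stat.S_ISREG(st.st_mode) or st.st_uid != web_uid:
                continue
            reasons = []
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("executable")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                head = b""  # unreadable: fall back to mode and size checks only
            if head.startswith(SCRIPT_MAGIC):
                reasons.append("script-or-binary-header")
            if st.st_size >= big_bytes:
                reasons.append("large")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    import pwd
    # Assumption: the web server account is named "apache" on this host.
    uid = pwd.getpwnam("apache").pw_uid
    for path, reasons in suspicious_tmp_files("/tmp", uid):
        print(path, ",".join(reasons))
```

A hit is only a lead for review: legitimate software also writes to tmp as the web server user.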

Josh
Feb 14th 2005, 3:18 pm
Ya, phpbb.com was recently hacked because of AWStats too...

I don't use AWStats, webalizer for me ;)


Josh

nullbit
Feb 20th 2005, 3:29 pm
I'd just remove awstats completely, until the next final release. Replacing a vulnerable release, with a development release, is just asking for more problems.