Has my site been cracked? - Suse


  1. Has my site been cracked?

    I just checked my site and all I saw was "It works"
    That was just the main page, the rest seemed to be OK when I browsed
    some direct URL:s there.

    I saw that a new index.html:

    It works!



    This file had appeared on the main level.

    First I thought that something had gone south when also apache had
    happened to get an update.

    But this file had been created by root yesterday evening 22:16 which
    meant that the update could not have been the culprit.

    (That would have been strange anyway, although it would have been an
    explanation)

    I then checked /var/log/messages from the creation time and saw this:


    Nov 5 22:14:40 a88-112-22-105 sshd[9021]: reverse mapping checking
    getaddrinfo for 70-175.111.65.serverpronto.com [65.111.175.70] failed -
    POSSIBLE BREAK-IN ATTEMPT!


    Then also several lines of this kind:

    Nov 5 22:14:40 a88-112-22-105 sshd[9021]: Invalid user teamspeak from
    65.111.175.70



    Then Blockhosts blocks the address:
    Nov 5 22:14:40 a88-112-22-105 sshd[9027]: refused connect from
    65.111.175.70 (65.111.175.70)

    The new index.html had been created _after_ this, at 22:16.

    I removed it and as it looks now, the rest is OK.

    WTF? (Welcome to Finland)

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  2. Re: Has my site been cracked?

    Vahis wrote:
    > I just checked my site and all I saw was "It works"
    > That was just the main page, the rest seemed to be OK when I browsed
    > some direct URL:s there.
    >
    > I saw that a new index.html:
    >
    > It works!
    >
    > This file had appeared on the main level.


    So at http://localhost/index.html

    Do you still have index.php and what not? Did it add the file or
    overwrite it?

    > First I thought that something had gone south when also apache had
    > happened to get an update.


    Could be something else that you installed as well. e.g. a package that
    makes things available via a website like Amarok. Filled out the wrong
    things or detected things wrongly and there you are.

    > But this file had been created by root yesterday evening 22:16 which
    > meant that the update could not have been the culprit.
    >
    > (That would have been strange anyway, although it would have been an
    > explanation)
    >
    > I then checked /var/log/messages from the creation time and saw this:
    >
    >
    > Nov 5 22:14:40 a88-112-22-105 sshd[9021]: reverse mapping checking
    > getaddrinfo for 70-175.111.65.serverpronto.com [65.111.175.70] failed -
    > POSSIBLE BREAK-IN ATTEMPT!
    >


    It is a failed attempt. So the system did what it is supposed to do.
    Block attempts that are not legit.

    > Then also several lines of this kind:
    >
    > Nov 5 22:14:40 a88-112-22-105 sshd[9021]: Invalid user teamspeak from
    > 65.111.175.70
    >
    >


    So these are blocked as well.

    > Then Blockhosts blocks the address:
    > Nov 5 22:14:40 a88-112-22-105 sshd[9027]: refused connect from
    > 65.111.175.70 (65.111.175.70)


    Yes, also expected behaviour. Blockhosts 'sees' the IP do a login
    attempt on sshd. After a certain amount of times (4 with me) it blocks
    all access from that IP address.

    So in /var/log/messages you see the failed attempts.
    In hosts.allow you see what will be blocked later on.

    What you must be interested in is not failed attempts, but allowed
    attempts.

    > The new index.html had been created _after_ this, at 22:16.
    >
    > I removed it and as it looks now, the rest is OK.
    >
    > WTF? (Welcome to Finland)


    My guess is that it is added by some program you installed or files you
    installed. Check the date to be 100% sure it is actually created then and
    not 1 year ago when you installed the system.

    The reason then for not noticing it is that you use index.php as a
    standard and that means that index.php will be called and never
    index.html

    houghi
    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare.
    -- Blair Houghton

  3. Re: Has my site been cracked?

    On 2008-11-06, houghi wrote:
    > Vahis wrote:
    >> I just checked my site and all I saw was "It works"
    >> That was just the main page, the rest seemed to be OK when I browsed
    >> some direct URL:s there.
    >>
    >> I saw that a new index.html:
    >>
    >> It works!
    >>
    >> This file had appeared on the main level.

    >
    > So at http://localhost/index.html


    Yes.

    >
    > Do you still have index.php and what not? Did it add the file or
    > overwrite it?


    It just appeared. And index.php was still there, too.

    Back in the days I had index.html there. It was all
    different. It was the whole starting page of my site, not that single
    line.

    It had been removed many moons ago because if it is there it is shown
    and not the index.php.

    >
    >> First I thought that something had gone south when also apache had
    >> happened to get an update.

    >
    > Could be something else that you installed as well. e.g. a package that
    > makes things available via a website like Amarok. Filled out the wrong
    > things or detected things wrongly and there you are.


    I didn't install anything. I was in bed at that time.
    The patches from the update repo are installed automagically,
    I'm in bed then.

    >
    >> But this file had been created by root yesterday evening 22:16 which
    >> meant that the update could not have been the culprit.
    >>
    >> (That would have been strange anyway, although it would have been an
    >> explanation)
    >>
    >> I then checked /var/log/messages from the creation time and saw this:
    >>
    >>
    >> Nov 5 22:14:40 a88-112-22-105 sshd[9021]: reverse mapping checking
    >> getaddrinfo for 70-175.111.65.serverpronto.com [65.111.175.70] failed -
    >> POSSIBLE BREAK-IN ATTEMPT!
    >>

    >
    > It is a failed attempt. So the system did what it is supposed to do.
    > Block attempts that are not legit.


    Quite right. There are lots of them.
    They obviously have nothing to do with this matter.
    >
    >> Then also several lines of this kind:
    >>
    >> Nov 5 22:14:40 a88-112-22-105 sshd[9021]: Invalid user teamspeak from
    >> 65.111.175.70
    >>
    >>

    >
    > So these are blocked as well.


    Quite right.
    >
    >> Then Blockhosts blocks the address:
    >> Nov 5 22:14:40 a88-112-22-105 sshd[9027]: refused connect from
    >> 65.111.175.70 (65.111.175.70)

    >
    > Yes, also expected behaviour. Blockhosts 'sees' the IP do a login
    > attempt on sshd. After a certain amount of times (4 with me) it blocks
    > all access from that IP address.


    Yes. I have also made a howto about Blockhosts on my Finnish pages.
    In English that would obviously be unnecessary.
    >
    > So in /var/log/messages you see the failed attempts.
    > In hosts.allow you see what will be blocked later on.


    Quite right.
    >
    > What you must be interested in is not failed attempts, but allowed
    > attempts.
    >
    >> The new index.html had been created _after_ this, at 22:16.
    >>
    >> I removed it and as it looks now, the rest is OK.
    >>
    >> WTF? (Welcome to Finland)

    >
    > My guess is that it is added by some program you installed or files you
    > installed. Check the date to be 100% sure it is actually created then and
    > not 1 year ago when you installed the system.


    The time I saw first was without date. Here's some more:

    ls -l
    44 2004-11-20 22:16 index.html

    Back in 2004 this site didn't exist.

    ls -lc
    44 2008-11-06 11:28 index.html

    That's when I moved (isolated) it to a different location.

    >
    > The reason then for not noticing it is that you use index.php as a
    > standard and that means that index.php will be called and never
    > index.html


    Here it shows if it is there. Index.php shows only if no index.html is there.
    That's why I saw this new index.html today. Yesterday it was not there.

    I have some directories where I have an index.html. They are outside the
    php part of the site. Then there is no index.php.

    The reason for having html pages is that for example this page will not
    work in a WordPress page:

    http://waxborg.servepics.com/english...uptime.en.html

    The script described there does not work in a WordPress page.
    At least I can't make it work.

    My guess is that this new file appeared somehow because of the apache
    update patch.

    Isn't that the default file you see after successful initial installation of
    Apache?

    Also ls -l points to that direction IMHO.

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  4. Re: Has my site been cracked?

    On Thu, 6 Nov 2008, Vahis wrote:-

    >I didn't install anything. I was in bed at that time.
    >The patches from the update repo are installed automagically,
    >I'm in bed then.


    And you don't know what patches/packages are installed?



    >The time I saw first was without date. Here's some more:
    >
    >ls -l
    >44 2004-11-20 22:16 index.html


    I have one of those, with the exact same timestamp. It's installed by
    the package apache2-example-pages-2.2.4 which was recently updated to
    70.6:

    davjam@adder:/local2/possible-viruses> sudo zypper -v up
    Verbosity: 1
    Initialising Target
    Checking whether to refresh metadata for 10.3 updates
    Checking whether to refresh metadata for Davjams-repository 10.3
    Checking whether to refresh metadata for Packman Repository
    Checking whether to refresh metadata for http://download.opensuse.org/reposit.../openSUSE_10.3
    Checking whether to refresh metadata for VideoLan Repository
    Checking whether to refresh metadata for openSUSE_tools_devel
    Checking whether to refresh metadata for devel_tools_building
    Checking whether to refresh metadata for openSUSE_tools

    ...

    The following packages are going to be upgraded:
    ...
    apache2-doc-2.2.4-70.6.x86_64 (10.3 updates)
    apache2-utils-2.2.4-70.6.x86_64 (10.3 updates)
    apache2-prefork-2.2.4-70.6.x86_64 (10.3 updates)
    apache2-devel-2.2.4-70.6.x86_64 (10.3 updates)
    apache2-worker-2.2.4-70.6.x86_64 (10.3 updates)
    apache2-2.2.4-70.6.x86_64 (10.3 updates)
    apache2-example-pages-2.2.4-70.6.x86_64 (10.3 updates)

    The following patches are going to be upgraded:
    ...
    apache2-5648-0.noarch (10.3 updates)

    The following NEW message is going to be installed:
    libopensc2-5587-patch-message-2-5587-1.noarch (10.3 updates)

    ...

    Overall download size: 138.3 M. After the operation, additional 1.1 M will be used.
    Continue? [yes/no]:



    >My guess is that this new file appeared somehow because of the apache
    >update patch.


    It did.

    >Isn't that the default file you see after successful initial installation of
    >Apache?


    Yes.

    Now you see what happens when you're not watching your machine 24/7. It
    gets up to all sorts of mischief and has you worrying all for nothing
    :-)


    Regards,
    David Bolt

    --
    Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
    SUSE 10.1 32 | | openSUSE 10.3 32b | openSUSE 11.0 32b
    | openSUSE 10.2 64b | openSUSE 10.3 64b | openSUSE 11.0 64b
    RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11

  5. Re: Has my site been cracked?

    Vahis wrote:
    >> My guess is that it is added by some program you installed or files you
    >> installed. Check the date to be 100% sure it is actually created then and
    >> not 1 year ago when you installed the system.

    >
    > The time I saw first was without date. Here's some more:
    >
    > ls -l
    > 44 2004-11-20 22:16 index.html
    >
    > Back in 2004 this site didn't exist.


    No, but a package that you installed did. RPM does not change the date
    of a file when it puts it where it puts it.

    So if you install something that has not changed the index.html since
    then (and why should they?) that is the date you will see.

    houghi
    --
    Come to think of it, there are already a million monkeys on a million
    typewriters, and Usenet is NOTHING like Shakespeare.
    -- Blair Houghton

  6. Re: Has my site been cracked?

    On 2008-11-06, houghi wrote:
    > Vahis wrote:
    >>> My guess is that it is added by some program you installed or files you
    >>> installed. Check the date to be 100% sure it is actually created then and
    >>> not 1 year ago when you installed the system.

    >>
    >> The time I saw first was without date. Here's some more:
    >>
    >> ls -l
    >> 44 2004-11-20 22:16 index.html
    >>
    >> Back in 2004 this site didn't exist.

    >
    > No, but a package that you installed did. RPM does not change the date
    > of a file when it puts it where it puts it.
    >
    > So if you install something that has not changed the index.html since
    > then (and why should they?) that is the date you will see.
    >


    Since I'm sure that the only thing that got installed was the apache patch
    I'm guessing that the patch caused this.

    Cos I think I remember seeing this when browsing to http://localhost for
    the very first time right after installing Apache.

    Since then the file got changed and later it got removed.
    Now the original somehow got back from somewhere.

    I can live with that.

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  7. Re: Has my site been cracked?

    Vahis writes:

    >I just checked my site and all I saw was "It works"
    >That was just the main page, the rest seemed to be OK when I browsed
    >some direct URL:s there.


    >I saw that a new index.html:


    >It works!



    >This file had appeared on the main level.


    To answer your question in the Subject-- Yes.



    >First I thought that something had gone south when also apache had
    >happened to get an update.


    >But this file had been created by root yesterday evening 22:16 which
    >meant that the update could not have been the culprit.


    >(That would have been strange anyway, although it would have been an
    >explanation)


    >I then checked /var/log/messages from the creation time and saw this:


    >
    >Nov 5 22:14:40 a88-112-22-105 sshd[9021]: reverse mapping checking
    >getaddrinfo for 70-175.111.65.serverpronto.com [65.111.175.70] failed -
    >POSSIBLE BREAK-IN ATTEMPT!
    >


    This is probably irrelevant. It is further down where it says something
    like root or some user logged on.


    >Then also several lines of this kind:


    >Nov 5 22:14:40 a88-112-22-105 sshd[9021]: Invalid user teamspeak from
    >65.111.175.70


    Standard ssh break-in attempt (failed). It is not the failed ones you should
    worry about.



    >


    >Then Blockhosts blocks the address:
    >Nov 5 22:14:40 a88-112-22-105 sshd[9027]: refused connect from
    >65.111.175.70 (65.111.175.70)


    It is not the failed ones you should worry about.


    >The new index.html had been created _after_ this, at 22:16.


    >I removed it and as it looks now, the rest is OK.


    You need to do a thorough housecleaning. The best is to wipe the system and
    reinstall. Then do a search of the /home and other files you did not
    reinstall for backdoors (e.g. suid files).

    Make sure everyone changes their password, and everyone changes their ssh
    keys. -- Not remotely-- force them to come to your machine in person to
    change their passwords.
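
Several replies above make the same point: the failed sshd attempts are noise, and the lines to look for are the accepted logins. The script below is an added example, not part of the original thread, that separates the two in syslog output. The `Failed password` and `Accepted` lines, the user `webadmin` and the 203.0.113.5 / 192.0.2.10 addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): split sshd syslog lines into failed
# probes, counted per source IP, and successful logins, which are the lines
# that matter when deciding whether someone got in.

# Constructed sample. The reverse-mapping, "teamspeak" and "refused connect"
# lines follow the thread; everything else is invented for illustration.
sample_log() {
cat <<'EOF'
Nov 5 22:14:40 a88-112-22-105 sshd[9021]: reverse mapping checking getaddrinfo for 70-175.111.65.serverpronto.com [65.111.175.70] failed - POSSIBLE BREAK-IN ATTEMPT!
Nov 5 22:14:40 a88-112-22-105 sshd[9021]: Invalid user teamspeak from 65.111.175.70
Nov 5 22:14:40 a88-112-22-105 sshd[9023]: Invalid user test from 65.111.175.70
Nov 5 22:14:40 a88-112-22-105 sshd[9027]: refused connect from 65.111.175.70 (65.111.175.70)
Nov 5 22:20:03 a88-112-22-105 sshd[9101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Nov 5 22:20:09 a88-112-22-105 sshd[9101]: Accepted password for root from 203.0.113.5 port 40112 ssh2
Nov 6 08:01:12 a88-112-22-105 sshd[9500]: Accepted publickey for webadmin from 192.0.2.10 port 51515 ssh2
EOF
}

# triage_sshd: reads syslog text on stdin.
# Prints one ACCEPTED line per successful login, with the number of failures
# already seen from that IP, and at the end one FAILED line per source IP.
triage_sshd() {
  awk '
    # Address that follows the last "from" on the line, so a user name that
    # happens to be "from" cannot shift the result.
    function src_ip(   i) {
      for (i = NF - 1; i >= 6; i--)
        if ($i == "from") return $(i + 1)
      return ""
    }
    function note_failure(   ip) {
      ip = src_ip()
      if (ip != "") failed[ip]++
    }

    $5 !~ /^sshd\[[0-9]+\]:$/ { next }   # only sshd messages

    # Failed probes. The reverse-mapping warning is a DNS mismatch notice,
    # not an authentication result, so it is not counted here.
    $6 == "Invalid" && $7 == "user"    { note_failure(); next }
    $6 == "Failed"                     { note_failure(); next }
    $6 == "refused" && $7 == "connect" { note_failure(); next }

    # Successful logins: "Accepted <method> for <user> from <ip> port ..."
    $6 == "Accepted" && $8 == "for" {
      ip = src_ip()
      prior = (ip in failed) ? failed[ip] : 0
      printf "ACCEPTED %s %s %s user=%s ip=%s method=%s prior_failures=%d\n",
             $1, $2, $3, $9, ip, $7, prior
      next
    }

    END {
      for (ip in failed)
        printf "FAILED ip=%s count=%d\n", ip, failed[ip]
    }
  '
}

sample_log | triage_sshd
```

An ACCEPTED line with a non-zero `prior_failures` from an address you do not recognise is the case worth investigating; on a real system, feed the function `/var/log/messages` instead of the sample.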






  8. Re: Has my site been cracked?

    On 2008-11-06, David Bolt wrote:
    > On Thu, 6 Nov 2008, Vahis wrote:-
    >
    >>I didn't install anything. I was in bed at that time.
    >>The patches from the update repo are installed automagically,
    >>I'm in bed then.

    >
    > And you don't know what patches/packages are installed?


    Not in advance. They get installed by a cron job:
    zypper up -y -t patch --skip-interactive

    I get to know of them _afterwards_ via email
    And as I said I saw that apache patches had been applied.
    >
    >
    >
    >>The time I saw first was without date. Here's some more:
    >>
    >>ls -l
    >>44 2004-11-20 22:16 index.html

    >
    > I have one of those, with the exact same timestamp. It's installed by
    > the package apache2-example-pages-2.2.4 which was recently updated to
    > 70.6:




    >
    >>My guess is that this new file appeared somehow because of the apache
    >>update patch.

    >
    > It did.


    Thanks for confirming
    >
    >>Isn't that the default file you see after successful initial installation of
    >>Apache?

    >
    > Yes.
    >
    > Now you see what happens when you're not watching your machine 24/7. It
    > gets up to all sorts of mischief and has you worrying all for nothing


    It looks like it's not for nothing.
    For like twelve hours my main page was: "It works"

    I'm not browsing my own site 24/7. This makes me think I should.
    I'm monitoring it to see it's up. But not for the contents.

    But I have just set up openSUSE on an Eee PC. Nice gadget.
    Not too big like a real laptop, not too small like the E90.

    I was showing it to a friend and I showed him my site.
    I wasn't too happy about it. He first saw my WTF face.
    Then I fortunately found the reason and fixed it immediately.

    Actually all this would have been a good demo. He still thinks it was...

    This incident made me change the default page in its FF to my own site.
    That way it gets checked every time I open the browser on the road

    But seriously, this must be a bug.
    It can be a misconfiguration bug in my settings, too.

    Still, Apache has been updated several times during the years (since 2005)
    that I've had my site running, and nothing like this has ever happened before.

    The security patches are not supposed to change the
    contents of your site, are they?

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  9. Re: Has my site been cracked?

    On 2008-11-06, Unruh wrote:
    > Vahis writes:
    >
    >>I just checked my site and all I saw was "It works"
    >>That was just the main page, the rest seemed to be OK when I browsed
    >>some direct URL:s there.

    >
    >>I saw that a new index.html:

    >
    >>It works!


    >
    >>This file had appeared on the main level.

    >
    > To answer your question in the Subject-- Yes.
    >
    >
    >
    >>First I thought that something had gone south when also apache had
    >>happened to get an update.

    >
    >>But this file had been created by root yesterday evening 22:16 which
    >>meant that the update could not have been the culprit.

    >
    >>(That would have been strange anyway, although it would have been an
    >>explanation)

    >
    >>I then checked /var/log/messages from the creation time and saw this:

    >
    >>
    >>Nov 5 22:14:40 a88-112-22-105 sshd[9021]: reverse mapping checking
    >>getaddrinfo for 70-175.111.65.serverpronto.com [65.111.175.70] failed -
    >>POSSIBLE BREAK-IN ATTEMPT!
    >>

    >
    > This is probably irrelevant. It is further down where it says something
    > like root or some user logged on.
    >
    >
    >>Then also several lines of this kind:

    >
    >>Nov 5 22:14:40 a88-112-22-105 sshd[9021]: Invalid user teamspeak from
    >>65.111.175.70

    >
    > Standard ssh break-in attempt (failed). It is not the failed ones you should
    > worry about.
    >
    >
    >
    >>

    >
    >>Then Blockhosts blocks the address:
    >>Nov 5 22:14:40 a88-112-22-105 sshd[9027]: refused connect from
    >>65.111.175.70 (65.111.175.70)

    >
    > It is not the failed ones you should worry about.
    >
    >
    >>The new index.html had been created _after_ this, at 22:16.

    >
    >>I removed it and as it looks now, the rest is OK.

    >
    > You need to do a thorough housecleaning. The best is to wipe the system and
    > reinstall. Then do a search of the /home and other files you did not
    > reinstall for backdoors (e.g. suid files).
    >
    > Make sure everyone changes their password, and everyone changes their ssh
    > keys. -- Not remotely-- force them to come to your machine in person to
    > change their passwords.
    >


    Fortunately: I am them. I am everyone

    I'll see how this goes.
    There are no further oddities so far.

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  10. Re: Has my site been cracked?

    Vahis wrote:
    -----------------------------------snip----------------------------------------------
    >
    > Thanks for confirming
    >>
    >>>Isn't that the default file you see after successful initial installation
    >>>of Apache?


    > The security patches are not supposed to change the
    > contents of your site, are they?
    >
    > Vahis

    If you actually use Apache then it seems there really is no need to have the
    apache2-example-pages installed. Just remove it. Afterward you won't see
    this sort of problem in the future....

    And you can make your own index.html page and put it in your /srv/www/htdocs
    folder. That way you'll know if it changes 'mysteriously' to something
    else.


    Just my 2¢ worth


    P.S. I usually change to my own index.html page immediately after a new
    install just because my page looks better.....and I can see how well the
    old memory cells are working. I like to include a little php code to make
    sure that php is working too.

    Now that's 4¢ worth.. ;-)

  11. Re: Has my site been cracked?

    Vahis wrote:
    > I'm not browsing my own site 24/7. This makes me think I should.
    > I'm monitoring it to see it's up. But not for the contents.


    It makes me think that either you should not use the example pages as
    those are, well, examples, or you should see that index.php becomes the
    default or both.

    > But seriously, this must be a bug.
    > It can be a misconfiguration bug in my settings, too.


    It is not a bug. You decided to install the example pages. Those pages
    were updated.

    > Still, Apache has been updated several times during the years (since 2005)
    > that I've had my site running, and nothing like this has ever happened before.


    As David said, this was the example pages. That is not the same as
    Apache.

    > The security patches are not supposed to change the
    > contents of your site, are they?


    A security patch changes existing files. If you use one of those files,
    then it rightfully will change it back.

    houghi
    --
    Listen do you hear them drawing near in their search for the sinners?
    Feeding on the power of our fear and the evil within us.
    Incarnation of Satan's creation of all that we dread.
    When the demons arrive those alive would be better off dead!

  12. Re: Has my site been cracked?

    On Thu, 6 Nov 2008, Vahis wrote:-

    >On 2008-11-06, David Bolt wrote:


    >> Now you see what happens when you're not watching your machine 24/7. It
    >> gets up to all sorts of mischief and has you worrying all for nothing

    >
    >It looks like it's not for nothing.


    No, it had you worrying that your system might have been broken into
    when it hadn't.

    >For like twelve hours my main page was: "It works"


    It was true. It was working, just not how you wanted it.

    >I'm not browsing my own site 24/7. This makes me think I should.
    >I'm monitoring it to see it's up. But not for the contents.


    As Michael says, delete the example pages package and you won't have
    this surprise again.

    >But I have just set up openSUSE on an Eee PC. Nice gadget.
    >Not too big like a real laptop, not too small like the E90.


    I've seen them up close and I think they're a little too small for me.

    >I was showing it to a friend and I showed him my site.
    >I wasn't too happy about it. He first saw my WTF face.
    >Then I fortunately found the reason and fixed it immediately.
    >
    >Actually all this would have been a good demo. He still thinks it was...


    Well, it is in a way. It certainly told you it was working :-)

    >This incident made me change the default page in its FF to my own site.
    >That way it gets checked every time I open the browser on the road


    Not a bad idea.

    >But seriously, this must be a bug.


    No, it's not a bug. What happened was you deleted the file and, when the
    package was updated, a new copy was installed. If you'd modified it, the
    new copy would have been named something like index.html.rpmnew, and the
    old page would have been displayed.

    >It can be a misconfiguration bug in my settings, too.


    Well, I modified my config so this won't affect me. Check
    /etc/apache2/httpd.conf for the line starting:

    DirectoryIndex

    It contains the names of the default page to be displayed if the URL
    requested ends with '/' and is searched in the order given. Mine
    contains:

    DirectoryIndex index.htm index.htm.var index.html index.html.var index.php

    so my other pages are displayed before the default one.

    >Still, Apache has been updated several times during the years (since 2005)
    >that I've had my site running, and nothing like this has ever happened before.


    So when did you delete the old index.html?

    >The security patches are not supposed to change the
    >contents of your site, are they?


    RPM did its job just as it should have. You had a file that was
    deleted, the file was in one of the packages that were being installed
    and so it replaced a deleted file with a fresh copy. Unfortunately, the
    effect was to hide your site.


    Regards,
    David Bolt

    --
    Team Acorn: http://www.distributed.net/ OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
    SUSE 10.1 32 | | openSUSE 10.3 32b | openSUSE 11.0 32b
    | openSUSE 10.2 64b | openSUSE 10.3 64b | openSUSE 11.0 64b
    RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11
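
The DirectoryIndex lookup described in the post above, as an added example that is not part of the original thread: it shows which file is served for `/` when a packaged `index.html` reappears next to `index.php`, and asks RPM which package owns that file. The function names and the temporary directory are assumptions made for the example; `rpm -qf` is only called when `rpm` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): which file does Apache serve for "/"
# in a document root, and does an RPM package own it, so that a package
# update can put it back?

# effective_index DOCROOT NAME...
# Mirrors the DirectoryIndex lookup: names are tried in the order given and
# the first regular file that exists is the one served.
effective_index() {
  docroot=$1
  shift
  for name in "$@"; do
    if [ -f "$docroot/$name" ]; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  return 1
}

# package_owner FILE
# Prints the name of the RPM that owns FILE, "unowned" when no package
# claims it, or "unknown" when rpm is not available on this machine.
package_owner() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "unknown"
    return 0
  fi
  if owner=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null); then
    printf '%s\n' "$owner"
  else
    echo "unowned"
  fi
}

# report_docroot DOCROOT NAME...
# One-line summary: the file served for "/" and the package that owns it.
report_docroot() {
  root=$1
  if served=$(effective_index "$@"); then
    echo "served=$served owner=$(package_owner "$root/$served")"
  else
    echo "served=none"
  fi
}

# Constructed scenario in a temporary directory: a site whose front page is
# index.php, then a placeholder index.html restored by a package update.
demo() {
  tmp=$(mktemp -d) || return 1
  : > "$tmp/index.php"
  before=$(effective_index "$tmp" index.html index.html.var index.php)
  echo 'It works!' > "$tmp/index.html"
  after=$(effective_index "$tmp" index.html index.html.var index.php)
  # Listing index.php first keeps the real front page in charge.
  reordered=$(effective_index "$tmp" index.php index.html index.html.var)
  rm -rf "$tmp"
  echo "before=$before after=$after reordered=$reordered"
}

demo
```

On the real server, `report_docroot /srv/www/htdocs` followed by the names from the DirectoryIndex line shows whether the page being served belongs to a package.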

  13. Re: Has my site been cracked?

    On 2008-11-06, Michael Soibelman wrote:
    > Vahis wrote:
    > -----------------------------------snip----------------------------------------------
    >>
    >> Thanks for confirming
    >>>
    >>>>Isn't that the default file you see after successful initial installation
    >>>>of Apache?

    >
    >> The security patches are not supposed to change the
    >> contents of your site, are they?
    >>
    >> Vahis

    > If you actually use Apache then it seems there really is no need to have the
    > apache2-example-pages installed. Just remove it.


    This is an installation that has been running for ages.
    It has also been updated numerous times, see here:

    http://uptime.netcraft.com/up/graph?....servepics.com

    The default starting page after the initial installation has been
    removed immediately after starting Apache for the very first time.
    This was back in 2005.

    The contents of /htdocs have initially been made back in 2005.
    They've been updated during times through two machines before the
    current one.

    I put the current machine together last summer, installed the OS and
    Apache, put the contents in it. I did a fresh install then, changed
    to 64 bits. In August.

    > Afterward you won't see
    > this sort of problem in the future....


    But I just did, didn't I?
    All of a sudden the initial page was there, after a patch.
    That's why I was wondering.
    >
    > And you can make your own index.html page and put it in your /srv/www/htdocs
    > folder. That way you'll know if it changes 'mysteriously' to something
    > else.


    OK.
    >
    >
    > Just my 2¢ worth
    >
    >
    > P.S. I usually change to my own index.html page immediately after a new
    > install just because my page looks better.....and I can see how well the
    > old memory cells are working. I like to include a little php code to make
    > sure that php is working too.
    >
    > Now that's 4¢ worth.. ;-)

    OK.

    It seems to be fine now

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  14. Re: Has my site been cracked?

    On 2008-11-06, houghi wrote:
    > Vahis wrote:
    >> I'm not browsing my own site 24/7. This makes me think I should.
    >> I'm monitoring it to see it's up. But not for the contents.

    >
    > It makes me think that either you should not use the example pages as
    > those are, well, examples, or you should see that index.php becomes the
    > default or both.


    The initial index.html has been removed immediately after the initial
    installation. Long time ago.
    >
    >> But seriously, this must be a bug.
    >> It can be a misconfiguration bug in my settings, too.

    >
    > It is not a bug. You decided to install the example pages. Those pages
    > were updated.


    No example pages in plural. Just the one index.html.
    I installed Apache via YaST. It always installs the initial page then.
    That's what you see when you browse there for the first time.

    Then you remove it. I did. This was months ago.

    Now it came from nowhere.
    >
    >> Still, Apache has been updated several times during the years (since 2005)
    >> that I've had my site running, and nothing like this has ever happened before.

    >
    > As David said, this was the example pages. That is not the same as
    > Apache.


    Please.

    >
    >> The security patches are not supposed to change the
    >> contents of your site, are they?

    >
    > A security patch changes existing files. If you use one of those files,
    > then it rightfully will change it back.


    No. A security patch changes files elsewhere, not in your pages.
    The initial installation generates this page to test that it's running.
    It's not needed ever after that. It's been removed.

    And it should not be "updated" because it's not there.
    There's been an index.html for years. My own one.

    I've changed it a lot of times,
    It's never been touched by a security patch before.

    But it's fine now

    End of case.

    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  15. Re: Has my site been cracked?

    Vahis wrote:
    >> It is not a bug. You decided to install the example pages. Those pages
    >> were updated.

    >
    > No example pages in plural. Just the one index.html.


    Yes example pages, as in the RPM with the example pages. At least that
    is what I got from what David posted.

    >> A security patch changes existing files. If you use one of those files,
    >> then it rightfully will change it back.

    >
    > No. A security patch changes files elsewhere, not in your pages.
    > The initial installation generates this page to test that it's running.
    > It's not needed ever after that. It's been removed.


    The security patch changes anything it tells to change. This means
    setting things up as it expects it to be.

    > And it should not be "updated" because it's not there.
    > There's been an index.html for years. My own one.


    For the system that means nothing. Updated is perhaps the wrong word.
    Set to whatever it thinks it must be, not to what you think it must be.
    Many files in /etc tell you NOT to change things, because it will be
    overwritten. For Apache there are a few that say just that.

    > I've changed it a lot of times,
    > It's never been touched by a security patch before.
    >
    > But it's fine now
    >
    > End of case.


    If you think it was a bug, file a bug report, otherwise it WILL happen
    again.

    houghi
    --
    Listen do you hear them drawing near in their search for the sinners?
    Feeding on the power of our fear and the evil within us.
    Incarnation of Satan's creation of all that we dread.
    When the demons arrive those alive would be better off dead!

  16. Re: Has my site been cracked?

    David Bolt wrote:
    > Well, I modified my config so this won't affect me. Check
    > /etc/apache2/httpd.conf for the line starting:


    Funny that you talk about this file, because there it says:

    # If possible, avoid changes to this file. It does mainly contain
    # Include statements and global settings that can/should be overridden
    # in the configuration of your virtual hosts.

    What I do is not point to where the example pages are, but point to a
    separate directory. That way I still have the example pages AND no
    changes happen when things get updated.

    Also because I do not use httpd.conf any update on that file (either by
    security update or by upgrading to openSUSE 17.8) won't have any
    disastrous effect.

    houghi
    --
    Listen do you hear them drawing near in their search for the sinners?
    Feeding on the power of our fear and the evil within us.
    Incarnation of Satan's creation of all that we dread.
    When the demons arrive those alive would be better off dead!

  17. Re: Has my site been cracked?

    Vahis wrote:
    >> P.S. I usually change to my own index.html page immediately after a new
    >> install just because my page looks better.....and I can see how well the
    >> old memory cells are working. I like to include a little php code to make
    >> sure that php is working too.
    >>
    >> Now that's 4¢ worth.. ;-)

    > OK.


    If you have the example pages installed, this would still overwrite it.

    So the following needs to be done to be sure:
    1) After you noticed that the site is working, remove the example pages
    2) Place your own files in a separate directory and configure one of the
    files mentioned in http.conf to point to the correct director(y|ies)

    That way you are sure to be safe for updates, upgrades and such things.

    houghi
    --
    Listen do you hear them drawing near in their search for the sinners?
    Feeding on the power of our fear and the evil within us.
    Incarnation of Satan's creation of all that we dread.
    When the demons arrive those alive would be better off dead!

  18. Re: Has my site been cracked?

    On 2008-11-06, Vahis wrote:
    > I just checked my site and all I saw was "It works"
    > That was just the main page, the rest seemed to be OK when I browsed
    > some direct URL:s there.
    >
    > I saw that a new index.html:
    >
    > It works!
    >
    > This file had appeared on the main level.
    >
    > First I thought that something had gone south when also apache had
    > happened to get an update.


    It obviously was the update.
    Thanks again, guys, where would I be without this group...

    Here's my conclusion of this all:

    I have first installed Apache 3 years ago.
    I have done then what you advise here now or,

    Apache's default installation via YaST then has been different.

    Whichever way, I have been upgrading my system all that time.

    It has been running 32 bit Suse from 9.3 to 11.0 on three different
    machines during its life.
    The OS and software have been upgraded, the contents of /srv/ as well.

    What happened here has never happened before.
    But OTOH this is a fresh installation on 64 bit hardware last August.
    I copied the site then.

    I don't remember _ever_ disabling example pages rpm installation or
    removing it. So maybe you didn't have to do that then and now you do.

    I do remember seeing "It works" and removing it though.

    Thanks again,
    Vahis
    --
    http://waxborg.servepics.com
    "There will come a time when every evil
    That we know will be an evil...
    That we can rise above" - Frank Zappa

  19. Re: Has my site been cracked?

    Vahis wrote:
    > It obviously was the update.
    > Thanks again, guys, where would I be without this group...


    Probably having a life of some sort. ;-)

    > I don't remember _ever_ disabling example pages rpm installation or
    > removing it. So maybe you didn't have to do that then and now you do.


    So? You still seem to think that the system did something wrong. It
    didn't. You install a file. An update is done. These updates have not
    all the files, but just those that need to be updated.

    In the past index.html was not there and now it was.

    Another possibility is that this is the first time the example pages get
    a security update and that has never happened before. Or the updates that
    happened were done right when you installed.

    It is not because it has never happened that when it happens it isn't
    expected behaviour from the point of view of the system.

    Security updates change things on your system. That is what they do.
    That is expected behaviour. This time it was index.html, next time it is
    /etc/apache2/http.conf and the next time it replaces your kernel.

    At least now you learned why many companies do not do a security update,
    unless they have tested it in a secure environment. ;-)

    houghi
    --
    Listen do you hear them drawing near in their search for the sinners?
    Feeding on the power of our fear and the evil within us.
    Incarnation of Satan's creation of all that we dread.
    When the demons arrive those alive would be better off dead!
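
A triage check for the question this thread turned on: whether an unexpected file in the web root was written by a package update. This is an added example, not code from any poster; it assumes an RPM-based system and that the file is named by its absolute path.

```shell
#!/bin/sh
# Added example (not from the thread): was an unexpected file in the web
# root written by a package update? Prints "<verdict> <package> <epoch>".
#   missing   path does not exist
#   unowned   no installed package claims the path, so the RPM database
#             does not explain it and the investigation continues
#   pristine  package-owned and identical to the copy the package ships
#   modified  package-owned but changed since the package wrote it
triage_file() {
    file=$1    # assumption: an absolute path, as rpm -V reports them
    if [ ! -e "$file" ]; then
        echo "missing - -"
        return 0
    fi
    # rpm -qf exits non-zero when no package owns the path.
    if ! owner=$(rpm -qf --queryformat '%{NAME}\n' "$file" 2>/dev/null); then
        echo "unowned - -"
        return 0
    fi
    owner=$(printf '%s\n' "$owner" | head -n 1)
    # Install time in epoch seconds, to line up with the update log and
    # with the file's ctime (ls -lc). rpm restores mtime from the package,
    # so mtime does not show when the file landed on disk.
    installed=$(rpm -q --queryformat '%{INSTALLTIME}\n' "$owner" | sort -n | tail -n 1)
    # rpm -V prints only files that differ from the package database and
    # exits non-zero when it finds any, hence the "|| true".
    changed=$(rpm -V "$owner" 2>/dev/null || true)
    if printf '%s\n' "$changed" | awk -v f="$file" '$NF == f { hit = 1 } END { exit !hit }'; then
        echo "modified $owner $installed"
    else
        echo "pristine $owner $installed"
    fi
}

# Usage: sh triage.sh /srv/www/htdocs/index.html   (path is an assumption)
for path in "$@"; do
    triage_file "$path"
done
```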

  20. Re: Has my site been cracked?

    On 2008-11-07 05:10, Vahis wrote:

    >
    > The contents of /htdocs have initially been made back in 2005.
    > They've been updated during times through two machines before the
    > current one.



    The best thing you can do is to not use htdocs as your site,
    but just leave it as your default server, e.g. where you get all
    hits to your IP-address, while your site waxborg has its own
    documentroot and virtual by name container.

    Just create /etc/apache2/vhosts.d/waxborg.conf with something like:
    <VirtualHost your-IP:port>
    ServerName waxborg.servepics.com
    DocumentRoot /srv/www/waxborg
    .......
    </VirtualHost>

    and move your site to /srv/www/waxborg/

    If someone insists on typing www.waxborg.servepics.com you can redirect them
    with:

    <VirtualHost your-IP:port>
    ServerName www.waxborg.servepics.com
    Redirect permanent / http://waxborg.servepics.com/
    </VirtualHost>


    and access to http://your-IP will give "It Works" since they are not visitors
    anyway, just email harvest bots.


    /Birre
