[NCLUG] Ramen

Rich Young rich at ExperiencePlus.Com
Tue Apr 3 11:36:16 MDT 2001


Hi,
	I'm cleaning up our web server after someone screwed us through
bind.  The cracker claims to have used a variant of the ramen worm.  We went
through the several steps involved in cleaning up after the attack, and we
had a complete backup of the htdocs directory, which is restored now.  But
none of the CGI is working -- I get "premature end of script headers" errors
now.  I've tested the scripts from the command line, as nobody, and they
work fine.  But the web server won't run them.
	I've replaced httpd.conf with a backup (from months ago, long before
the attack, when they ran fine), run chmod a+x on the scripts, etc.  I want
to think it's some weird permissions issue, but it seems not to be the case.
Anybody?
--Rich
rich at xplus dot com
P.S. You'll get our "We've been cracked" message if you visit the site right
now, which is intentional.  If you want to see a script fail, try:
http://www.explus.com/tour_finder/index.cgi


