[NCLUG] Ramen

Michael Dwyer mdwyer at sixthdimension.com
Tue Apr 3 12:47:10 MDT 2001


> Hi,
> I'm cleaning up our web server after someone screwed us through
> bind.  The cracker claims to have used a variant of the ramen worm.  We went
> through the several steps involved in cleaning up after the attack, and we

[Gets up on soapbox]
Hey everyone!  Remove/patch/firewall your RPC services!
Remove/Disable/Patch your ftpd!  Remove/Patch/Disable your BIND named!
Disable/Firewall/Patch your LPD!  If Ramen doesn't find you Lion will!
http://www.sans.org/y2k/lion.htm
[gets down from soapbox]

> had a complete backup of the htdocs directory, which is restored now.  But
> none of the CGI is working -- I get "premature end of script headers" errors
> now.  I've tested the scripts from the command line, as nobody, and they
> work fine.  But the web server won't run them.

This link gives you the lowdown on why this error occurs:
http://httpd.apache.org/docs/misc/FAQ-F.html#premature-script-headers

However, you believe that nothing has changed to make these
once-functioning scripts fail?  Are the scripts still generating full
HTTP headers?  Did you change the version of Apache when you fixed
the hacker attack?  There were some issues with some beta Win32 versions
of Apache with respect to this.  Maybe you installed a new Apache and
forgot to add Mod Perl or something?



