Good Morning,<br><br>A client's website has been hacked and I have been asked to help see how the site was attacked. It looks like the attacked used some sort of HTML injection method to replace certain pages.<br><br>
The server is running Redhat 5.3, Apache 2.2.3 and PHP 5.1.6.<br><br>Here is the results after running Nikto:<br><br># perl <a href="http://nikto.pl">nikto.pl</a> -C all -h localhost<br>- Nikto v2.1.0/2.1.0<br>---------------------------------------------------------------------------<br>
+ Target IP: 127.0.0.1<br>+ Target Hostname: localhost<br>+ Target Port: 80<br>+ Start Time: 2010-01-19 9:12:09<br>---------------------------------------------------------------------------<br>
+ Server: Apache/2.2.3 (Red Hat)<br>+ OSVDB-0: Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.14). Apache 1.3.41 and 2.0.63 are also current.<br>+ OSVDB-0: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE <br>
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST<br>+ OSVDB-6659: /bLkjN0GcpsIVBsvYB4CcZLGBywbNJC4TDnAklbt4zTA8gLwJn25bpt5mEkS8SVr0I94eIYm4KAhngx6wEpUPzqIAz5wnbuvirLbw83LOxGlpUJ5yO2EZC0JwoOQZ8kM8viHbDXF7HEf2eQ1Bjixo675Ovds3ylcTXxJtQGALIFdagefzKMdhhHwGaSIXKXBIPOt8BLONllaTvmHfe1KNm0icfZEuiNO<font%20size=50>DEFACED<!--//--: MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version.<br>
+ 3582 items checked: 4 item(s) reported on remote host<br>+ End Time: 2010-01-19 9:13:09 (24 seconds)<br>---------------------------------------------------------------------------<br><br>As I suspected the server is vulnerable to HTML injection but as far as I can tell MyWebServer is not running on the server and there is no Linux version of the application.<br>
<br>Any ideas on why Nikto is reporting this?<br><br>Regards<br>Rudi<br><br><br><br><br>