Apache/PHP Security Help.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Greg Bailey wrote:
> Ajay Sharma wrote:
> 
>>
>> I have a personal apache/mail server that is getting hacked and I'm 
>> not sure how the person is getting in.  What's happening is that every 
>> few days, the below script will show up in /tmp as 'dc.txt', owned by 
>> apache and then a TON of mail is queued up to a bunch of addresses in 
>> @uol.com.br.
>>
>> I initially thought they got in becuase I had an outdated version of 
>> 'gallery' installed.  I rebuild the server and update gallery and 
>> thought I should be okay.  But now they are still getting in and 
>> instead of blindly rebuilding the server, I need to figure out how 
>> they are able to run perl scripts on the server.
>>
>> Any suggestions?
>>
>> --Ajay
>>
>> PS.  This is a CentOS 4.2 box running the latest apache/php RPMS.
>>
> I had someone do the same thing on a colocated box I have.  Turns out I 
> had an old version of PHPix (also a photo gallery) which someone was 
> able to exploit.  I discovered it by looking at the timestamp of the 
> file(s) in /tmp  (or /var/tmp in my case), and the start time for the 
> processes (other than httpd) that were running as the "apache" user.  
> Then, looking at the apache access_log, it was obvious which script was 
> being exploited...

Thanks for the tip.  I checked the /tmp folder closely and found a '...' 
directory.  Why I didn't notice that first is beyond me.  Anyway, it I 
saw the date and found the bunk script.  Aparently it was a busted copy 
of WebCalendar:  http://www.k5n.us/webcalendar.php

--Ajay

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux