Ajay Sharma wrote:
>
> I have a personal apache/mail server that is getting hacked and I'm
> not sure how the person is getting in. What's happening is that every
> few days, the below script will show up in /tmp as 'dc.txt', owned by
> apache, and then a TON of mail is queued up to a bunch of addresses in
> @uol.com.br.
>
> I initially thought they got in because I had an outdated version of
> 'gallery' installed. I rebuilt the server and updated gallery and
> thought I should be okay. But now they are still getting in and,
> instead of blindly rebuilding the server, I need to figure out how
> they are able to run perl scripts on the server.
>
> Any suggestions?
>
> --Ajay
>
> PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
>

I had someone do the same thing on a colocated box I have. Turns out I
had an old version of PHPix (also a photo gallery) which someone was
able to exploit.

I discovered it by looking at the timestamp of the file(s) in /tmp (or
/var/tmp in my case), and the start time for the processes (other than
httpd) that were running as the "apache" user. Then, looking at the
apache access_log, it was obvious which script was being exploited...

-Greg
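The triage Greg describes (take the mtime of the dropped file, then read access_log around that moment) can be scripted so the correlation is mechanical rather than eyeballed. The following is an added example written for this thread, not code from either poster. It assumes Apache's default combined log format, uses a constructed five-line access_log with a hypothetical /gallery/view.php path (not a claim about any real gallery package), and takes the drop time as a fixed timestamp where a real run would use the st_mtime of /tmp/dc.txt.

```python
"""Correlate a dropped file's mtime with Apache access_log entries (added example)."""
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined log format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from the original post). Two hosts: normal browsing
# from 203.0.113.5 and a short burst from 198.51.100.7 just before the drop time.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2006:09:58:11 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2006:10:01:40 -0500] "GET /gallery/ HTTP/1.1" 200 2048 "-" "libwww-perl/5.803"
198.51.100.7 - - [12/Jan/2006:10:02:02 -0500] "GET /gallery/view.php?id=3 HTTP/1.1" 200 512 "-" "libwww-perl/5.803"
198.51.100.7 - - [12/Jan/2006:10:02:05 -0500] "GET /gallery/view.php?id=3 HTTP/1.1" 200 512 "-" "libwww-perl/5.803"
203.0.113.5 - - [12/Jan/2006:12:00:00 -0500] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Assumed drop time of /tmp/dc.txt for the sample; see mtime_of() for the real thing.
DROPPED_AT = datetime(2006, 1, 12, 10, 2, 30, tzinfo=timezone(timedelta(hours=-5)))


def mtime_of(path):
    """Return the file's modification time as an aware datetime (local zone)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).astimezone()


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "host": m.group("host"),
            "time": datetime.strptime(m.group("time"), TIME_FMT),
            "request": m.group("request"),
            "status": int(m.group("status")),
        })
    return entries


def requests_before(entries, dropped_at, window=timedelta(minutes=5)):
    """Entries in the window ending at the drop time, oldest first."""
    start = dropped_at - window
    hits = [e for e in entries if start <= e["time"] <= dropped_at]
    return sorted(hits, key=lambda e: e["time"])


def request_path(entry):
    """Path component of the request line, with the query string stripped."""
    parts = entry["request"].split()
    return parts[1].split("?")[0] if len(parts) >= 2 else entry["request"]


def rank_suspects(window_entries):
    """Most frequent (host, path) pairs in the window; the top one is the
    first candidate for the script being exploited."""
    return Counter((e["host"], request_path(e)) for e in window_entries).most_common()


def hosts_in_window(window_entries):
    """Request count per client host inside the window."""
    return Counter(e["host"] for e in window_entries).most_common()


if __name__ == "__main__":
    hits = requests_before(parse_log(SAMPLE_LOG), DROPPED_AT)
    for host, n in hosts_in_window(hits):
        print(f"{n:4d} requests from {host}")
    for (host, path), n in rank_suspects(hits):
        print(f"{n:4d}  {host}  {path}")
```

On a real box the two inputs come from `stat -c %y /tmp/dc.txt` (or `mtime_of` above) and `ps -u apache -o pid,lstart,cmd`, and the log text is the real access_log; if the apache user is still writing to /tmp, the mtime of the newest copy is the one to use, since an overwritten file carries the latest drop, not the first. Widen the window if the top hit is still ordinary traffic.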