Apache/PHP Security Help.




Ajay Sharma wrote:

>
> I have a personal apache/mail server that is getting hacked and I'm 
> not sure how the person is getting in.  What's happening is that every 
> few days, the below script will show up in /tmp as 'dc.txt', owned by 
> apache and then a TON of mail is queued up to a bunch of addresses in 
> @uol.com.br.
>
> I initially thought they got in because I had an outdated version of 
> 'gallery' installed.  I rebuilt the server and updated gallery and 
> thought I should be okay.  But now they are still getting in and 
> instead of blindly rebuilding the server, I need to figure out how 
> they are able to run perl scripts on the server.
>
> Any suggestions?
>
> --Ajay
>
> PS.  This is a CentOS 4.2 box running the latest apache/php RPMS.
>
I had someone do the same thing on a colocated box I have.  Turns out I 
had an old version of PHPix (also a photo gallery) which someone was 
able to exploit.  I discovered it by looking at the timestamp of the 
file(s) in /tmp  (or /var/tmp in my case), and the start time for the 
processes (other than httpd) that were running as the "apache" user.  
Then, looking at the apache access_log, it was obvious which script was 
being exploited...

-Greg
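
The correlation Greg describes (file timestamp against the Apache access_log), as an added example that is not part of the original thread. The log lines, the event time, and the log path in the comment are constructed assumptions, and the function names are hypothetical.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client, [timestamp], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def file_time(path):
    """mtime of a dropped file (e.g. one found in /tmp) as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, event_time, before=120, after=5):
    """Return (time, client, request, status) for every request logged from
    `before` seconds ahead of event_time to `after` seconds past it."""
    lo = event_time - timedelta(seconds=before)
    hi = event_time + timedelta(seconds=after)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting
        client, stamp, request, status = m.groups()
        try:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if lo <= when <= hi:
            hits.append((when, client, request, int(status)))
    return hits

# Constructed sample data: log lines and the timestamp of the file in /tmp.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2006:03:10:02 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jan/2006:03:14:55 -0500] "POST /photos/index.php HTTP/1.1" 200 311',
    '192.0.2.10 - - [12/Jan/2006:03:14:58 -0500] "GET /favicon.ico HTTP/1.1" 404 209',
    'truncated line without a timestamp',
    '192.0.2.10 - - [12/Jan/2006:03:40:00 -0500] "GET /index.html HTTP/1.1" 200 5120',
]
SAMPLE_EVENT = datetime(2006, 1, 12, 8, 15, 0, tzinfo=timezone.utc)  # 03:15:00 -0500

if __name__ == "__main__":
    # Real use (log path is an assumption for a stock CentOS httpd install):
    #   requests_near(open("/var/log/httpd/access_log"), file_time("/tmp/dc.txt"))
    for when, client, request, status in requests_near(SAMPLE_LOG, SAMPLE_EVENT):
        print(when.isoformat(), client, status, request)
```

The start time of a stray process running as the "apache" user can be passed as `event_time` in the same way. File mtimes can be changed by whoever wrote the file, so a match is a lead to check against the script's own logs, not proof.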
