Greg Bailey wrote:
> Ajay Sharma wrote:
>
>>
>> I have a personal apache/mail server that is getting hacked and I'm
>> not sure how the person is getting in. What's happening is that
>> every few days, the below script will show up in /tmp as 'dc.txt',
>> owned by apache and then a TON of mail is queued up to a bunch of
>> addresses in @uol.com.br.
>>
>> I initially thought they got in becuase I had an outdated version of
>> 'gallery' installed. I rebuild the server and update gallery and
>> thought I should be okay. But now they are still getting in and
>> instead of blindly rebuilding the server, I need to figure out how
>> they are able to run perl scripts on the server.
>>
>> Any suggestions?
>>
>> --Ajay
>>
>> PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
>>
> I had someone do the same thing on a colocated box I have. Turns out
> I had an old version of PHPix (also a photo gallery) which someone was
> able to exploit. I discovered it by looking at the timestamp of the
> file(s) in /tmp (or /var/tmp in my case), and the start time for the
> processes (other than httpd) that were running as the "apache" user.
> Then, looking at the apache access_log, it was obvious which script
> was being exploited...
>
> -Greg
Same deal here. It had to do with have globals on in php. Also, the
script lived in /tmp but was in a hidden directory, so be sure to run ls
-al. I've forgotten the directory name... .something. I found in there
the script, a zip file, tons of email addresses and so on. I removed it
but it came back pretty quickly. If I recall, it first happened with a
photo upload script and then they moved to a blog or forum script the
user was running. Lots of Brazilian email addresses were involved and
the mqueue was so full, that rm * would not work. I had to dump
thousands at a time instead of the whole queue at once.
It is a good idea to go ahead and shut down sendmail or whichever you
use as your loads will get out of hand.
Best,
John Hinton
