Re: [CentOS] Apache Security




Matthew T. O'Connor wrote:

Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, and a list of email addresses to spam and a perl script that spams all those email addresses with the html file.

My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl, that didn't help. I have now changed the permissions on the perl executable, that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?

Is this a known problem? Have others seen it? What can I do to help prevent this?

Thanks,

Matt
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

Usually, I've seen this as the result of an insecure PHP script. I've also seen files in /tmp or /var/tmp owned by apache, and usually there are a few processes running as the "apache" user. Typically, the timestamps on those files match the start time of the rogue apache processes, and then I go looking through the httpd access log and can find what script was exploited based on the time of the request...

-Greg
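
The timestamp correlation described in the reply above, as an added example that is not part of the original thread: it collects modification times of files owned by a given uid and lists the access-log requests logged within a few seconds of one of them. The log lines, the script path `/app/form.php`, the mtime, and the 5-second window are constructed assumptions; the log is assumed to be in Apache common/combined format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_line(line):
    """Return (timestamp, client, request, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # keeps the UTC offset
    return ts, m.group(1), m.group(3), int(m.group(4))

def owned_file_times(root, uid):
    """Yield (path, mtime as aware UTC datetime) for entries under root owned by uid."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            if st.st_uid == uid:
                yield path, datetime.fromtimestamp(st.st_mtime, timezone.utc)

def requests_near(log_lines, when, window=timedelta(seconds=5)):
    """Return parsed requests logged within `window` of the aware datetime `when`."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and abs(rec[0] - when) <= window:
            hits.append(rec)
    return hits

# Constructed sample data (not from the thread): three access-log lines and
# the mtime of a hypothetical apache-owned directory found in /tmp.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2006:03:14:01 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jun/2006:03:14:07 -0400] "POST /app/form.php HTTP/1.1" 200 312',
    '192.0.2.44 - - [10/Jun/2006:04:02:30 -0400] "GET /about.html HTTP/1.1" 200 2048',
]
SAMPLE_MTIME = datetime(2006, 6, 10, 7, 14, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, client, request, status in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(ts.isoformat(), client, status, request)
```

On a live host, feed `owned_file_times("/tmp", pwd.getpwnam("apache").pw_uid)` into `requests_near` along with the lines of the httpd access log; comparing timezone-aware values avoids missing the match when the log is written in local time.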
