Jason Bradley Nance wrote:
> > My question is why is this happening? Obviously it's some apache
> > exploit.
>
> I wouldn't jump to the conclusion that it's an Apache exploit. It's
> more likely to be an issue with an insecure script assuming they are
> even coming in through the web server.

Meaning an insecure PHP form or the like? Any general words of wisdom
on how to ensure that my PHP forms are secure? I'm more than happy to
read up on this, but I just haven't found any material that seems to
describe my problem.

> A few questions:
>
> 1) What makes you think this is an Apache issue?

All the files are owned by user apache and the perl process that is
sending the spam is running as user apache. I know this could be faked
if the hacker has root access, but I don't think that is the case.

> 2) What other services are running on the box?

I have three open ports: SSH, HTTPD and IMAP (running on a nonstandard port).

> 3) How did you clean up after the first hack?

Killed the process, removed the files. Used RPM to verify the integrity
of all the binaries on the system.

> 4) Are you sure that a user account hasn't been cracked?

Again, I don't think so, but it's very hard to prove a negative, that is,
it's very hard to prove that you haven't been hacked. I check all the
usual things such as the last log; again, if they have root they can hide
this from me, but I don't think that's the case.

> 5) Do you allow root logins via ssh?

Absolutely not.

Thanks,
Matt
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
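A defender-side triage check for the symptom discussed in this thread (a perl process running as the web-server user, and files owned by that user in world-writable directories), added here as an example and not part of the original thread. It assumes the web-server user is `apache`, the legitimate server shows up in `ps` as `httpd`, and GNU `find` is available; the sample `ps`/`find` output is constructed so the checks run offline.

```sh
#!/bin/sh
# Added triage helpers (not from the thread). Assumptions: the web-server
# user is "apache" and the legitimate server process shows up as "httpd".
WEB_USER="${WEB_USER:-apache}"
HTTPD_COMM="${HTTPD_COMM:-httpd}"

# Reads `ps -eo user,pid,comm` output on stdin and prints "pid comm" for every
# process that runs as the web-server user but is not the server binary
# (a perl or sh process owned by apache is exactly the symptom in the thread).
suspicious_procs() {
    awk -v u="$WEB_USER" -v h="$HTTPD_COMM" \
        'NR > 1 && $1 == u && $3 != h { print $2, $3 }'
}

# Reads `find DIR... -type f -printf '%u %p\n'` output on stdin and prints the
# paths owned by the web-server user; world-writable dirs are where a dropped
# script usually lives when the only foothold is an insecure web form.
webuser_files() {
    awk -v u="$WEB_USER" '$1 == u { print $2 }'
}

# Constructed sample data so the checks run offline; not real output.
PS_SAMPLE='USER       PID COMMAND
root         1 init
apache    2311 httpd
apache    2312 httpd
apache    4107 perl
apache    4110 sh
root      1900 sshd'

FIND_SAMPLE='root /tmp/.X0-lock
apache /tmp/.cache/mailer.pl
root /var/tmp/somepkg/build.log
apache /dev/shm/.s'

printf '%s\n' "$PS_SAMPLE" | suspicious_procs    # prints "4107 perl" and "4110 sh"
printf '%s\n' "$FIND_SAMPLE" | webuser_files     # prints the two apache-owned paths

# Live use on the box:
#   ps -eo user,pid,comm | suspicious_procs
#   find /tmp /var/tmp /dev/shm -type f -printf '%u %p\n' | webuser_files
# Killing the process and deleting the file, as described above, does not close
# the hole that placed it; correlate the file's mtime with the access log to
# find the request (and the script) that created it.
```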