[CentOS] Apache/PHP Security Help.
John Hinton
webmaster at ew3d.com
Wed Nov 30 15:30:31 UTC 2005
Greg Bailey wrote:
> Ajay Sharma wrote:
>
>>
>> I have a personal apache/mail server that is getting hacked and I'm
>> not sure how the person is getting in. What's happening is that
>> every few days, the below script will show up in /tmp as 'dc.txt',
>> owned by apache and then a TON of mail is queued up to a bunch of
>> addresses in @uol.com.br.
>>
>> I initially thought they got in because I had an outdated version of
>> 'gallery' installed. I rebuilt the server and updated gallery and
>> thought I should be okay. But now they are still getting in and
>> instead of blindly rebuilding the server, I need to figure out how
>> they are able to run perl scripts on the server.
>>
>> Any suggestions?
>>
>> --Ajay
>>
>> PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
>>
> I had someone do the same thing on a colocated box I have. Turns out
> I had an old version of PHPix (also a photo gallery) which someone was
> able to exploit. I discovered it by looking at the timestamp of the
> file(s) in /tmp (or /var/tmp in my case), and the start time for the
> processes (other than httpd) that were running as the "apache" user.
> Then, looking at the apache access_log, it was obvious which script
> was being exploited...
>
> -Greg
Same deal here. It had to do with having globals on in PHP. Also, the
script lived in /tmp but was in a hidden directory, so be sure to run ls
-al. I've forgotten the directory name... .something. I found in there
the script, a zip file, tons of email addresses and so on. I removed it
but it came back pretty quickly. If I recall, it first happened with a
photo upload script and then they moved to a blog or forum script the
user was running. Lots of Brazilian email addresses were involved and
the mqueue was so full that rm * would not work. I had to dump
thousands at a time instead of the whole queue at once.
It is a good idea to go ahead and shut down sendmail or whichever you
use as your loads will get out of hand.
Best,
John Hinton
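An added example, not part of this thread and not written by any of its posters, that scripts the triage steps Greg and John describe: look for files (hidden directories included) owned by the web server user under a temp directory, take their modification time, list the processes running as that user that are not httpd, count the requests in access_log for the minute the file appeared so the script being hit stands out, and empty an overfull mail queue directory without the `rm *` argument-list limit. It assumes GNU/Linux (findutils, coreutils `date -r`), Apache's common or combined log format, and the web server user name passed in by the caller ("apache" on CentOS); the log lines in `make_sample_log` are constructed, not real traffic.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes GNU/Linux with findutils
# and coreutils, Apache common/combined log format, and the web server user
# name ("apache" on CentOS) supplied by the caller.

# 1. Files owned by the web server user under a temp directory. find(1)
#    descends into hidden directories such as /tmp/.something, which a plain
#    "ls /tmp" would miss.
find_user_tmp_files() {
    dir=$1
    user=$2
    find "$dir" -user "$user" -type f 2>/dev/null
}

# 2. Modification time of a file in Apache's log timestamp format
#    (dd/Mon/yyyy:HH:MM) so it can be matched against access_log. GNU date -r.
log_stamp_of_file() {
    date -r "$1" +%d/%b/%Y:%H:%M
}

# 3. Processes running as the web server user that are not httpd, with their
#    start time. lstart occupies fields 2-6, so the command name is field 7.
list_non_httpd_procs() {
    ps -u "$1" -o pid=,lstart=,comm=,args= 2>/dev/null | awk '$7 != "httpd"'
}

# 4. Requests logged in a given minute, counted per method and path and
#    sorted by count. The path hit most often around the dropped file's
#    mtime is the script to inspect.
requests_at_minute() {
    log=$1
    stamp=$2   # e.g. 30/Nov/2005:15:30
    grep -F "[$stamp" "$log" | awk '{sub(/^"/, "", $6); print $6, $7}' \
        | sort | uniq -c | sort -rn
}

# 5. Empty a mail queue directory. "rm *" fails with "Argument list too long"
#    once the queue holds tens of thousands of files; find -delete never
#    builds that argument list. Stop the MTA before running this. Prints the
#    number of files left (expected 0).
purge_queue_dir() {
    find "$1" -mindepth 1 -type f -delete
    find "$1" -mindepth 1 -type f | wc -l
}

# Constructed sample access_log (not real traffic) for trying the log step;
# prints the path of the temp file it wrote.
make_sample_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
10.0.0.5 - - [30/Nov/2005:15:29:58 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Nov/2005:15:30:01 +0000] "POST /gallery/upload.php HTTP/1.1" 200 88 "-" "lwp-trivial/1.41"
10.0.0.7 - - [30/Nov/2005:15:30:03 +0000] "POST /gallery/upload.php HTTP/1.1" 200 88 "-" "lwp-trivial/1.41"
10.0.0.9 - - [30/Nov/2005:15:30:20 +0000] "GET /blog/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Nov/2005:15:31:10 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    echo "$tmp"
}

# Usage: sh triage.sh apache /tmp /var/log/httpd/access_log
if [ $# -eq 3 ]; then
    for f in $(find_user_tmp_files "$2" "$1"); do
        stamp=$(log_stamp_of_file "$f")
        echo "== $f (modified $stamp)"
        requests_at_minute "$3" "$stamp"
    done
    echo "== non-httpd processes running as $1"
    list_non_httpd_procs "$1"
fi
```

Run it as root once per temp directory (/tmp and /var/tmp, as Greg notes) and compare the per-minute request counts against a quiet minute from the same log; the upload or forum script that appears only around the file's mtime is the one to take offline and patch.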