Karanbir Singh wrote:
Matthew T. O'Connor wrote:
Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, and a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
Sounds like scripts and bad code on the web-doc-root being exploited.
Consider enabling SELinux. This is the sort of thing that SELinux was meant to prevent, and does a very good job of it.
I'll second that. SEL does a great job at stopping random daemons being run on random ports...
I recently had exactly the same issue with a box being exploited to install phishing scripts and it ended up being a security problem in a PHP application called UBBthreads (forum software). There was a security patch available, I just hadn't been on the ball and got it installed in time.
Other things to look at are stopping outbound http to random hosts (if you can) as it's often the method the scripts get downloaded with. Also renaming apps such as wget or curl or stopping them being accessed as non-root users can also help.
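The three defender-side steps that come up in this thread (spotting the spam kit in /tmp, blocking outbound HTTP from the web server, and taking wget/curl away from non-root users) as one added shell example. This is not code from any poster; it assumes the web server runs as the `apache` user as on CentOS, that iptables with the `owner` match module is present, and that the rule and chmod steps are run as root (the audit function runs as any user). The function names are made up for this example.

```shell
#!/bin/bash
# Added example, not from the mailing-list thread. Assumes: web server user
# "apache", GNU find/grep (CentOS), iptables with "-m owner", and root for
# the hardening steps. Function names are hypothetical.

# 1. Audit: list directories directly under $1 that are owned by $2 and hold
#    a Perl script next to a file that looks like a recipient list (one
#    address per line), i.e. the spam kit the original poster described.
find_spam_kits() {
    tmpdir=$1
    owner=$2
    find "$tmpdir" -mindepth 1 -maxdepth 1 -type d -user "$owner" 2>/dev/null |
    while IFS= read -r dir; do
        has_perl_script "$dir" || continue
        # any file in the directory made of e-mail-looking lines
        if grep -lE '^[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}$' \
                "$dir"/* "$dir"/.[!.]* 2>/dev/null | grep -q .; then
            printf '%s\n' "$dir"
        fi
    done
}

# Perl script by extension or by shebang line.
has_perl_script() {
    dir=$1
    find "$dir" -type f -name '*.pl' 2>/dev/null | grep -q . && return 0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" 2>/dev/null | grep -q '^#!.*perl' && return 0
    done
    return 1
}

# 2. Egress control: print iptables rules that log, then reject, new
#    outbound connections to port 80 made by processes running as $1.
#    Insert an ACCEPT for any destination the web app legitimately needs
#    before these. Pipe the output to "sh" as root to apply.
egress_rules() {
    owner=$1
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $owner -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "${owner}-egress: "
iptables -A OUTPUT -m owner --uid-owner $owner -p tcp --dport 80 -m state --state NEW -j REJECT
EOF
}

# 3. Take the download tools away from "other": root (and the owner) keep
#    them, the web server user can no longer execute them.
restrict_fetch_tools() {
    for tool in "$@"; do
        [ -e "$tool" ] || continue
        chmod o-rwx "$tool"
    done
}

# Stand-alone run: audit /tmp for kits owned by apache, show the rules.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    find_spam_kits /tmp apache
    egress_rules apache
    # restrict_fetch_tools /usr/bin/wget /usr/bin/curl   # run as root
fi
```

The audit is only a heuristic for the kit described in the thread; the egress rule is the stronger control, since any scripting interpreter the web server can reach can fetch files, so treat the chmod step as a speed bump rather than a fix.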