centos-bounces@centos.org <> scribbled on Thursday, June 22, 2006 11:53 AM:
Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, and a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl, that didn't help. I have now changed the permissions on the perl executable, that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?
Is this a known problem? Have others seen it? What can I do to help prevent this?
Thanks,
Matt
Here's what I do on my servers to secure /tmp:
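    # Create a 512 MB file to back the new /tmp and put ext3 on it
    dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=524288
    mke2fs -j /usr/tmpDSK
    # Stop MySQL while /tmp is swapped out
    /etc/init.d/mysql* stop
    # Move the current contents of /tmp aside
    mkdir /tmp_backup
    cd /tmp
    mv * /tmp_backup
    mv .* /tmp_backup
    # Mount the file on /tmp via loopback with noexec, nosuid and nodev
    echo "/usr/tmpDSK /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab
    cd /tmp_backup
    rm -rf /tmp
    mkdir /tmp
    mount /usr/tmpDSK
    chmod 1777 /tmp
    # Put the old contents back and clean up
    mv * /tmp
    mv .* /tmp
    cd /tmp
    rm -rf /tmp_backup
    /etc/init.d/mysql* start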
Mike
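
An added check, not part of the original thread: a small shell audit that confirms the mount options from the fstab line above are actually in effect. The function names (missing_opts, audit, sample_table) and the sample mount table are constructed for illustration, and the script goes beyond the post by also checking /var/tmp and /dev/shm, the other world-writable locations on a typical Linux system.

```shell
#!/bin/sh
# Added example: report which of noexec/nosuid/nodev are missing on a mount.
# Input is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# missing_opts MOUNTPOINT [TABLE]   (TABLE may be "-" for stdin)
# Prints the missing options, an empty line if none are missing, or
# "unmounted" if MOUNTPOINT is not a separate mount at all.
missing_opts() {
    mp=$1
    table=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp { opts = $4; found = 1 }   # last entry wins, it shadows earlier ones
        END {
            if (!found) { print "unmounted"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            w = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= w; i++)
                if (!(want[i] in have)) out = out (out == "" ? "" : " ") want[i]
            print out
        }' "$table"
}

# audit [TABLE]: check every world-writable location, return 1 on any finding.
audit() {
    tbl=${1:-/proc/mounts}; rc=0
    for dir in /tmp /var/tmp /dev/shm; do
        m=$(missing_opts "$dir" "$tbl")
        case $m in
            "")        echo "OK    $dir" ;;
            unmounted) echo "WARN  $dir is not a separate mount"; rc=1 ;;
            *)         echo "WARN  $dir lacks: $m"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample table: /tmp hardened as in the post, the others not.
sample_table() {
    echo "/dev/sda1 / ext3 rw 0 0"
    echo "/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0"
    echo "none /dev/shm tmpfs rw 0 0"
    echo "/dev/sda3 /var/tmp ext3 rw,nosuid 0 0"
}

# Demo on the sample; call audit with no argument to check the live system.
demo=$(mktemp)
sample_table > "$demo"
audit "$demo" || echo "hardening incomplete"
rm -f "$demo"
```

noexec only blocks direct execution of files on the mount; a script handed to an interpreter as an argument (for example perl followed by a path under /tmp) is still read and run, so the vulnerable web application behind the uploads still has to be found and fixed.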