centos-bounces@centos.org <> scribbled on Thursday, June 22, 2006 12:21 PM:
Jason Bradley Nance wrote:
My question is why is this happening? Obviously it's some apache exploit.
I wouldn't jump to the conclusion that it's an Apache exploit. It's more likely to be an issue with an insecure script, assuming they are even coming in through the web server.
Meaning an insecure PHP form or the like? Any general words of wisdom on how to ensure that my PHP forms are secure? I'm more than happy to read up on this, but I just haven't found any material that seems to describe my problem.
A few questions:
- What makes you think this is an Apache issue?
All the files are owned by user apache and the perl process that is sending the spam is running as user apache. I know this could be faked if the hacker has root access, but I don't think that is the case.
- What other services are running on the box?
I have three open ports, SSH, HTTPD and IMAP (running on a nonstandard port)
- How did you clean up after the first hack?
Killed the process, removed the files. Used RPM to verify the integrity of all the binaries on the system.
- Are you sure that a user account hasn't been cracked?
Again, I don't think so, but it's very hard to prove a negative, that is, it's very hard to prove that you haven't been hacked. I check all the usual things, such as the last log; again, if they have root they can hide this from me, but I don't think that's the case.
- Do you allow root logins via ssh?
Absolutely not.
One thing I would make sure of is that register_globals = Off is set in /etc/php.ini
Looking through your apache logs, as someone else suggested, should help you find which php script was exploited.
Mike
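Mike's suggestion of going through the Apache logs to find the exploited script can be scripted. The following is an added example, not code from the thread or from CentOS: it parses Apache "combined" format lines (the sample lines below are constructed, with documentation-range IP addresses), counts hits per PHP script, and flags requests where a query parameter carries a remote URL, the classic sign of a script that includes a file named by user input. The function and parameter names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache "combined" log format; they are not from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2006:11:58:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jun/2006:12:03:44 -0500] "GET /contact.php?tmpl=http://198.51.100.9/x.txt? HTTP/1.1" 200 311 "-" "libwww-perl/5.805"
198.51.100.9 - - [22/Jun/2006:12:03:49 -0500] "POST /contact.php HTTP/1.1" 200 77 "-" "libwww-perl/5.805"
203.0.113.7 - - [22/Jun/2006:12:10:02 -0500] "GET /images/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# One combined-format line: client ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)  # {param: [values]}
    return rec

def php_requests(log_text):
    """Yield parsed records whose path names a PHP script."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith(".php"):
            yield rec

def php_script_hit_counts(log_text):
    """Hits per PHP script, so a normally quiet script that suddenly draws traffic stands out."""
    return Counter(rec["path"] for rec in php_requests(log_text))

def suspicious_php_requests(log_text):
    """Flag PHP requests where a query parameter value is itself a remote URL."""
    # A URL passed as a parameter is the usual fingerprint of the register_globals-era
    # "include a file named by user input" bug class, so these lines are the first to inspect.
    flagged = []
    for rec in php_requests(log_text):
        for param, values in rec["query"].items():
            if any(v.lower().startswith(("http://", "https://", "ftp://")) for v in values):
                flagged.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                                "param": param, "ua": rec["ua"]})
    return flagged
```

Run it over the real access_log by reading the file into a string; the flagged records and the per-script counts together point at the script to audit, and the IP and user-agent fields link the web request to the time the spam process appeared.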