[CentOS] Apache/PHP Security Help.

Greg Bailey gbailey at lxpro.com
Wed Nov 30 14:08:09 UTC 2005

Ajay Sharma wrote:

> I have a personal apache/mail server that is getting hacked and I'm 
> not sure how the person is getting in.  What's happening is that every 
> few days, the below script will show up in /tmp as 'dc.txt', owned by 
> apache and then a TON of mail is queued up to a bunch of addresses in 
> @uol.com.br.
> I initially thought they got in becuase I had an outdated version of 
> 'gallery' installed.  I rebuild the server and update gallery and 
> thought I should be okay.  But now they are still getting in and 
> instead of blindly rebuilding the server, I need to figure out how 
> they are able to run perl scripts on the server.
> Any suggestions?
> --Ajay
> PS.  This is a CentOS 4.2 box running the latest apache/php RPMS.
I had someone do the same thing on a colocated box I have.  Turns out I 
had an old version of PHPix (also a photo gallery) which someone was 
able to exploit.  I discovered it by looking at the timestamp of the 
file(s) in /tmp  (or /var/tmp in my case), and the start time for the 
processes (other than httpd) that were running as the "apache" user.  
Then, looking at the apache access_log, it was obvious which script was 
being exploited...


More information about the CentOS mailing list