Greg Bailey wrote:
> Ajay Sharma wrote:
>
>> I have a personal apache/mail server that is getting hacked and I'm
>> not sure how the person is getting in. What's happening is that
>> every few days, the below script will show up in /tmp as 'dc.txt',
>> owned by apache and then a TON of mail is queued up to a bunch of
>> addresses in @uol.com.br.
>>
>> I initially thought they got in because I had an outdated version of
>> 'gallery' installed. I rebuilt the server and updated gallery and
>> thought I should be okay. But now they are still getting in and
>> instead of blindly rebuilding the server, I need to figure out how
>> they are able to run perl scripts on the server.
>>
>> Any suggestions?
>>
>> --Ajay
>>
>> PS. This is a CentOS 4.2 box running the latest apache/php RPMS.
>>
> I had someone do the same thing on a colocated box I have. Turns out
> I had an old version of PHPix (also a photo gallery) which someone was
> able to exploit. I discovered it by looking at the timestamp of the
> file(s) in /tmp (or /var/tmp in my case), and the start time for the
> processes (other than httpd) that were running as the "apache" user.
> Then, looking at the apache access_log, it was obvious which script
> was being exploited...
>
> -Greg

Same deal here. It had to do with having globals on in php. Also, the script lived in /tmp but was in a hidden directory, so be sure to run ls -al. I've forgotten the directory name... .something. I found in there the script, a zip file, tons of email addresses and so on. I removed it but it came back pretty quickly.

If I recall, it first happened with a photo upload script and then they moved to a blog or forum script the user was running. Lots of Brazilian email addresses were involved and the mqueue was so full that rm * would not work. I had to dump thousands at a time instead of the whole queue at once. It is a good idea to go ahead and shut down sendmail or whichever you use, as your loads will get out of hand.

Best,
John Hinton
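The triage Greg describes (take the mtime of the file dropped in /tmp, then look at access_log around that time for the script being driven) as an added example; this is not code from any of the posters, and the log lines, IPs and paths in it are constructed.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample access_log lines (combined log format); the IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2006:03:14:02 -0500] "GET /gallery/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2006:03:14:10 -0500] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jan/2006:03:14:11 -0500] "GET /gallery/upload.php?cmd=1 HTTP/1.1" 200 88 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Jan/2006:09:40:55 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def apache_ts(s):
    """Parse an Apache log timestamp such as 12/Jan/2006:03:14:02 -0500 (tz-aware)."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def dropped_at(path):
    """mtime of the file found in /tmp, as an aware local datetime (what ls -al shows)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).astimezone()

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "when": apache_ts(ts), "method": method, "path": path, "status": int(status)}

def requests_near(log_text, when, window_minutes=5):
    """Requests to dynamic scripts (.php/.cgi/.pl) within +/- window of the drop time.
    POSTs and requests carrying a query string sort first, since an upload or
    command-injection bug is almost always driven through those."""
    lo, hi = when - timedelta(minutes=window_minutes), when + timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if r and lo <= r["when"] <= hi and re.search(r"\.(php|cgi|pl)\b", r["path"]):
            hits.append(r)
    hits.sort(key=lambda r: (r["method"] != "POST", "?" not in r["path"], r["when"]))
    return hits

def suspect_scripts(hits):
    """Hit count per script path (query string stripped), most-hit first."""
    counts = {}
    for r in hits:
        script = r["path"].split("?", 1)[0]
        counts[script] = counts.get(script, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

On a real box, call `requests_near(open("/var/log/httpd/access_log").read(), dropped_at("/tmp/dc.txt"))` and feed the result to `suspect_scripts`; the path that keeps coming up is the one to take offline and patch.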