[CentOS] Apache/PHP Security Help.

Wed Nov 30 15:30:31 UTC 2005
John Hinton <webmaster at ew3d.com>

Greg Bailey wrote:

> Ajay Sharma wrote:
>
>>
>> I have a personal apache/mail server that is getting hacked and I'm 
>> not sure how the person is getting in.  What's happening is that 
>> every few days, the below script will show up in /tmp as 'dc.txt', 
>> owned by apache and then a TON of mail is queued up to a bunch of 
>> addresses in @uol.com.br.
>>
>> I initially thought they got in because I had an outdated version of 
>> 'gallery' installed.  I rebuilt the server and updated gallery and 
>> thought I should be okay.  But now they are still getting in and 
>> instead of blindly rebuilding the server, I need to figure out how 
>> they are able to run perl scripts on the server.
>>
>> Any suggestions?
>>
>> --Ajay
>>
>> PS.  This is a CentOS 4.2 box running the latest apache/php RPMS.
>>
> I had someone do the same thing on a colocated box I have.  Turns out 
> I had an old version of PHPix (also a photo gallery) which someone was 
> able to exploit.  I discovered it by looking at the timestamp of the 
> file(s) in /tmp  (or /var/tmp in my case), and the start time for the 
> processes (other than httpd) that were running as the "apache" user.  
> Then, looking at the apache access_log, it was obvious which script 
> was being exploited...
>
> -Greg

Same deal here. It had to do with having globals on in PHP. Also, the 
script lived in /tmp but was in a hidden directory, so be sure to run ls 
-al. I've forgotten the directory name...  .something. I found in there 
the script, a zip file, tons of email addresses and so on. I removed it 
but it came back pretty quickly. If I recall, it first happened with a 
photo upload script and then they moved to a blog or forum script the 
user was running. Lots of Brazilian email addresses were involved and 
the mqueue was so full that rm * would not work. I had to dump 
thousands at a time instead of the whole queue at once.

It is a good idea to go ahead and shut down sendmail or whichever you 
use as your loads will get out of hand.

Best,
John Hinton
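The triage Greg describes above (timestamps of files in /tmp, non-httpd processes running as apache, then the access_log) and the queue clean-up John ran into, as added shell helpers that are not part of the thread. They assume GNU find and procps ps, Apache's combined log format, and a web-server user named apache as on the CentOS 4 box described above.

```shell
#!/bin/sh
# Added triage helpers for the incident in this thread (not the posters' code).
# Assumptions: GNU find and procps ps, Apache combined log format, web server
# running as user "apache" as on the CentOS 4 box described above.

# Files (hidden directories included) under a temp dir modified in the last
# N minutes. Plain "ls" hides /tmp/.something; find does not skip dotfiles.
recent_tmp_files() {   # usage: recent_tmp_files DIR MINUTES
    find "$1" -mindepth 1 -mmin "-$2" 2>/dev/null
}

# Processes owned by the web-server user other than httpd itself, with their
# start time, to line up against the file timestamps found above.
apache_non_httpd_procs() {   # usage: apache_non_httpd_procs [USER]
    ps -u "${1:-apache}" -o pid=,lstart=,args= 2>/dev/null \
        | grep -v -E '(^|/)httpd( |$)' || true
}

# Requests for executable web content (.php/.cgi/.pl) whose access_log
# timestamp starts with PREFIX, e.g. "30/Nov/2005:15:2" for 15:20-15:29.
# Prints "client method path status" so the abused script stands out.
script_hits_around() {   # usage: script_hits_around ACCESS_LOG PREFIX
    awk -v pfx="[$2" '
        index($4, pfx) == 1 && $7 ~ /\.(php|cgi|pl)([?]|$)/ {
            print $1, substr($6, 2), $7, $9
        }' "$1"
}

# "rm *" fails on a queue of thousands of files because the expanded argument
# list exceeds the kernel's limit; let find delete them one by one instead.
# Stop the MTA first. Prints how many files remain (expect 0).
purge_queue_files() {   # usage: purge_queue_files QUEUE_DIR
    find "$1" -mindepth 1 -maxdepth 1 -type f -delete
    find "$1" -mindepth 1 -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Example session on a live box (uncomment to run as root):
# recent_tmp_files /tmp 1440; recent_tmp_files /var/tmp 1440
# apache_non_httpd_procs
# script_hits_around /var/log/httpd/access_log "30/Nov/2005:15:2"
```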