[CentOS] Apache Security

Sat Jul 8 05:02:16 UTC 2006
Nick <list at everywhereinternet.com>

Karanbir Singh wrote:
> Matthew T. O'Connor wrote:
>> Hello, I have a server running CentOS 4.3 with all the latest updates.
>> The server in question has been hacked by spammers a few times.  The
>> details of the hack have been basically the same every time.  I find
>> some directory created by the apache user account in /tmp.  The new
>> directory contains an html file, and a list of email addresses to spam
>> and a perl script that spams all those email addresses with the html file.
> sounds like scripts and bad code on the web-doc-root being exploited.
> consder enabling SELinux. this is the sort of thing that selinux was
> meant to prevent, and does a very good job of it.
I'll second that. SEL does a great job at stopping random daemons being 
run on random ports...

I recently had exactly the same issue with a box being exploited to 
install phishing scripts and it ended up being a security problem in a 
PHP application called UBBthreads (forum software). There was a security 
patch available i just hadn't been on the ball and got it installed in time.

Other things to look at are stopping outbound http to random hosts (if 
you can) as its often the method the scripts get downloaded with. Also 
renaming apps such as wget or curl or stopping them being accessed as 
non root users can also help.