[CentOS] Apache Security

mike.redan at bell.ca mike.redan at bell.ca
Thu Jun 22 16:58:28 UTC 2006


Hello, I have a server running CentOS 4.3 with all the latest updates. 
The server in question has been hacked by spammers a few times.  The 
details of the hack have been basically the same every time.  I find 
some directory created by the apache user account in /tmp.  The new 
directory contains an html file, and a list of email addresses to spam 
and a perl script that spams all those email addresses with the html
file.

My question is why is this happening?  Obviously it's some apache 
exploit.  

Why is this obvious? What else is exposed to the internet on this
server? They could be coming in another way, then creating files owned
by the apache user to make it look like an Apache problem.
Is SSH exposed to the internet? Maybe there is a user with a weak
password or something.

I have removed mod_perl, that didn't help.  I have now changed
the permissions on the perl executable, that might help, we will see, but
that doesn't address the core problem.  How is it that someone can
upload arbitrary files to my server and then execute an arbitrary
command via apache?

What is exposed via apache? Are there any custom applications/CGIs?


Is this a known problem?  Have others seen it?  What can I do to help
prevent this?

Thanks,

Matt