[CentOS] Apache Security
Greg Bailey
gbailey at lxpro.com
Thu Jun 22 17:17:18 UTC 2006
Matthew T. O'Connor wrote:
> Hello, I have a server running CentOS 4.3 with all the latest updates.
> The server in question has been hacked by spammers a few times. The
> details of the hack have been basically the same every time. I find
> some directory created by the apache user account in /tmp. The new
> directory contains an html file, and a list of email addresses to spam
> and a perl script that spams all those email addresses with the html
> file.
>
> My question is why is this happening? Obviously it's some apache
> exploit. I have removed mod_perl, that didn't help. I have now
> changed the permissions on the perl executable, that might help we
> will see, but that doesn't address the core problem. How is it that
> someone can upload arbitrary files to my server and then execute an
> arbitrary command via apache?
>
> Is this a known problem? Have others seen it? What can I do to help
> prevent this?
>
> Thanks,
>
> Matt
Usually, I've seen this as the result of an insecure PHP script. I've
also seen files in /tmp or /var/tmp owned by apache, and usually there's
a few processes running as the "apache" user. Typically, the timestamps
on those files match the start time of the rogue apache processes, and
then I go looking through the httpd access log and can find what script
was exploited based on the time of the request...
-Greg
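
The timestamp correlation described in the reply above, as an added example that is not part of the original thread: it takes the modification time of a file dropped in /tmp and lists the access-log requests that arrived shortly before it, script requests first. The log lines, the window sizes, the extension list and all function names are constructed assumptions.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in Apache "combined" log format; not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2006:03:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [22/Jun/2006:03:15:40 +0000] "POST /app/form.php?page=news HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.10 - - [22/Jun/2006:03:15:58 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.5 - - [22/Jun/2006:04:40:11 +0000] "GET /app/form.php HTTP/1.1" 200 900 "-" "-"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SCRIPT_EXT = (".php", ".cgi", ".pl")  # assumption: extensions that run code on this server


def file_mtime(path):
    """Modification time of a dropped file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than guess
    ip, ts, method, url, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "url": url, "status": int(status),
            "script": url.split("?")[0].lower().endswith(SCRIPT_EXT)}


def requests_near(lines, mtime, before=120, after=5):
    """Requests logged from `before` seconds ahead of mtime to `after` seconds past it.

    The request is logged when it arrives and the file is written afterwards,
    so the window sits mostly before mtime; `after` only absorbs clock skew.
    Script requests sort first, then by closeness to mtime.
    """
    lo, hi = mtime - timedelta(seconds=before), mtime + timedelta(seconds=after)
    hits = [r for r in map(parse_line, lines) if r and lo <= r["time"] <= hi]
    return sorted(hits, key=lambda r: (not r["script"], abs(r["time"] - mtime)))


if __name__ == "__main__":
    dropped = datetime(2006, 6, 22, 3, 15, 41, tzinfo=timezone.utc)  # constructed mtime
    for r in requests_near(SAMPLE_LOG, dropped):
        print(r["time"].isoformat(), r["ip"], r["method"], r["url"], r["status"])
```

On a live host, pass `file_mtime("/tmp/<dropped file>")` and the lines of the httpd access log instead of the constructed values.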