[CentOS] Apache Security
Mike Kercher
mike at vesol.com
Thu Jun 22 17:24:38 UTC 2006
centos-bounces at centos.org <> scribbled on Thursday, June 22, 2006 12:21 PM:
> Jason Bradley Nance wrote:
>>> My question is why is this happening? Obviously it's some apache
>>> exploit.
>>
>> I wouldn't jump to the conclusion that it's an Apache exploit. It's
>> more likely to be an issue with an insecure script assuming they are
>> even coming in through the web server.
>
> Meaning an insecure PHP form or the like? Any general words
> of wisdom on how to ensure my PHP forms are secure? I'm
> more than happy to read up on this, but I just haven't found
> any material that seems to describe my problem.
>
>> A few questions:
>>
>> 1) What makes you think this is an Apache issue?
>
> All the files are owned by user apache and the perl process
> that is sending the spam is running as user apache. I know
> this could be faked if the hacker has root access, but I
> don't think that is the case.
>
>> 2) What other services are running on the box?
>
> I have three open ports, SSH, HTTPD and IMAP (running on a
> nonstandard port)
>
>> 3) How did you clean up after the first hack?
>
> Killed the process, removed the files. Used RPM to verify the
> integrity of all the binaries on the system.
>
>> 4) Are you sure that a user account hasn't been cracked?
>
> Again I don't think so, but it's very hard to prove a
> negative, that is it's very hard to prove that you haven't
> been hacked. I check all the usual things such as the last
> log, again if they have root they can hide this from me, but
> I don't think that's the case.
>
>> 5) Do you allow root logins via ssh?
>
> Absolutely not.
>
One thing I would make sure of is that register_globals = Off is set in
/etc/php.ini.

Looking through your Apache logs, as someone else suggested, should help
you find which PHP script was exploited.
Mike
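
Added example, not part of the original message or of any CentOS tooling: one way to carry out the log review suggested above. It parses Apache combined-format access log lines and counts, per PHP script, the requests in which a parameter value is itself a URL, a pattern worth reviewing on hosts where register_globals was on because request parameters become script variables. The heuristic, the function names and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Heuristic chosen for this example (an assumption, not from the thread):
# a request parameter whose decoded value is itself a URL.
URL_VALUE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def suspicious_params(target):
    """Return (script path, names of parameters carrying a URL value)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('.php'):
        return parts.path, []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, [name for name, value in pairs if URL_VALUE.match(value)]

def triage(lines):
    """Count flagged requests per PHP script and collect the details."""
    per_script, findings = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path, names = suspicious_params(m['target'])
        if names:
            per_script[path] += 1
            findings.append((m['time'], m['host'], path, names, m['status']))
    return per_script, findings

# Constructed sample lines (documentation addresses, example.invalid host)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2006:03:14:07 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jun/2006:03:15:41 +0000] "GET /forum/view.php?tpl=http%3A%2F%2Fexample.invalid%2Fa.txt HTTP/1.0" 200 312 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [22/Jun/2006:03:15:44 +0000] "GET /forum/view.php?tpl=http://example.invalid/a.txt? HTTP/1.0" 200 298 "-" "libwww-perl/5.805"',
    '192.0.2.33 - - [22/Jun/2006:04:02:19 +0000] "GET /static/out.html?u=http://example.org/ HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == '__main__':
    counts, hits = triage(SAMPLE_LOG)
    for script, n in counts.most_common():
        print(f'{n:4d}  {script}')
```

POST bodies do not appear in the access log, and a script that legitimately accepts a URL parameter will also be flagged, so the output is a list of scripts to review rather than a verdict.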