[CentOS] Apache Security

centos-bounces at centos.org <> scribbled on Thursday, June 22, 2006 11:53
AM:

> Hello, I have a server running CentOS 4.3 with all the latest
> updates.
> The server in question has been hacked by spammers a few
> times.  The details of the hack have been basically the same
> every time.  I find some directory created by the apache user
> account in /tmp.  The new directory contains an html file,
> and a list of email addresses to spam and a perl script that
> spams all those email addresses with the html file.
> 
> My question is why is this happening?  Obviously it's some
> apache exploit.  I have removed mod_perl, that didn't help.
> I have now changed the permissions on the perl executable,
> that might help we will see, but that doesn't address the
> core problem.  How is it that someone can upload arbitrary
> files to my server and then execute an arbitrary command via apache.
> 
> Is this a know problem?  Have others seen it?  What can I do
> to help prevent this?
> 
> Thanks,
> 
> Matt
> _______________________________________________


Here's what I do on my servers to secure /tmp:

dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=524288
mke2fs -j /usr/tmpDSK
/etc/init.d/mysql* stop
mkdir /tmp_backup
cd /tmp
mv * /tmp_backup
mv .* /tmp_backup
echo "/usr/tmpDSK /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >>
/etc/fstab
cd /tmp_backup
rm -rf /tmp
mkdir /tmp
mount /usr/tmpDSK
chmod 1777 /tmp
mv * /tmp
mv .* /tmp
cd /tmp
rm -rf /tmp_backup
/etc/init.d/mysql* start

Mike