[CentOS] Apache Security

Thu Jun 22 17:16:53 UTC 2006
Nicolas Ross <rossnick-lists at cybercat.ca>

> Hello, I have a server running CentOS 4.3 with all the latest updates. The 
> server in question has been hacked by spammers a few times.  The details 
> of the hack have been basically the same every time.  I find some 
> directory created by the apache user account in /tmp.  The new directory 
> contains an html file, and a list of email addresses to spam and a perl 
> script that spams all those email addresses with the html file.
>
> My question is why is this happening?  Obviously it's some apache exploit. 
> I have removed mod_perl, that didn't help.  I have now changed the 
> permissions on the perl executable, that might help, we will see, but that 
> doesn't address the core problem.  How is it that someone can upload 
> arbitrary files to my server and then execute an arbitrary command via 
> apache?
>
> Is this a known problem?  Have others seen it?  What can I do to help 
> prevent this?

I've also been hacked a couple of times with this sort of exploit. In my 
case, it was an exploit in awstats, a weblog analyser. If you have it, I 
strongly suggest you get up to the latest version...

Also, if you have php scripts installed, they are a frequent source of 
security holes.

Nicolas