[CentOS] Apache Security

Thu Jun 22 17:17:18 UTC 2006
Greg Bailey <gbailey at lxpro.com>

Matthew T. O'Connor wrote:

> Hello, I have a server running CentOS 4.3 with all the latest updates. 
> The server in question has been hacked by spammers a few times.  The 
> details of the hack have been basically the same every time.  I find 
> some directory created by the apache user account in /tmp.  The new 
> directory contains an html file, and a list of email addresses to spam 
> and a perl script that spams all those email addresses with the html 
> file.
>
> My question is why is this happening?  Obviously it's some apache 
> exploit.  I have removed mod_perl, that didn't help.  I have now 
> changed the permissions on the perl executable, that might help, we 
> will see, but that doesn't address the core problem.  How is it that 
> someone can upload arbitrary files to my server and then execute an 
> arbitrary command via apache?
>
> Is this a known problem?  Have others seen it?  What can I do to help 
> prevent this?
>
> Thanks,
>
> Matt

Usually, I've seen this as the result of an insecure PHP script.  I've 
also seen files in /tmp or /var/tmp owned by apache, and usually there's 
a few processes running as the "apache" user.  Typically, the timestamps 
on those files match the start time of the rogue apache processes, and 
then I go looking through the httpd access log and can find what script 
was exploited based on the time of the request...

-Greg
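
The correlation described in the reply above, as an added example that is not part of the original message: take the timestamp of a dropped file and list the access-log requests just before it. The log lines, paths, and function names are constructed for illustration, and the log is assumed to be in Apache combined format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Jun/2006:03:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jun/2006:03:41:55 +0000] "GET /gallery/view.php?page=photos HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jun/2006:03:42:09 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
this line is truncated and must be skipped
192.0.2.10 - - [22/Jun/2006:04:30:00 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SCRIPT_EXT = (".php", ".cgi", ".pl")

def mtime_of(path):
    """Modification time of a dropped file or directory, as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method,
            "path": path, "status": int(status)}

def requests_near(log_text, event_time, before=120, after=5):
    """Requests logged between `before` seconds ahead of event_time and
    `after` seconds past it. The window reaches mostly backwards because
    the file is written after the request arrives."""
    lo = event_time - timedelta(seconds=before)
    hi = event_time + timedelta(seconds=after)
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and lo <= entry["time"] <= hi:
            hits.append(entry)
    # Review order: POSTs first, then requests to scripts, then by time.
    def rank(e):
        is_script = e["path"].split("?")[0].endswith(SCRIPT_EXT)
        return (e["method"] != "POST", not is_script, e["time"])
    return sorted(hits, key=rank)
```

On a live system, pass mtime_of() of the directory found in /tmp as event_time, and compare in the same time zone the log uses.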