[CentOS] Apache Security

Thu Jun 22 17:21:09 UTC 2006
Matthew T. O'Connor <matthew at zeut.net>

Jason Bradley Nance wrote:
>> My question is why is this happening?  Obviously it's some apache 
>> exploit.
> 
> I wouldn't jump to the conclusion that it's an Apache exploit.  It's 
> more likely to be an issue with an insecure script assuming they are 
> even coming in through the web server.

Meaning an insecure PHP form or the like?  Any general words of wisdom 
on how to ensure my PHP forms are secure?  I'm more than happy to 
read up on this, but I just haven't found any material that seems to 
describe my problem.

> A few questions:
> 
> 1) What makes you think this is an Apache issue?

All the files are owned by user apache and the perl process that is 
sending the spam is running as user apache.  I know this could be faked 
if the hacker has root access, but I don't think that is the case.

> 2) What other services are running on the box?

I have three open ports, SSH, HTTPD and IMAP (running on a nonstandard port).

> 3) How did you clean up after the first hack?

Killed the process, removed the files.  Used RPM to verify the integrity 
of all the binaries on the system.

> 4) Are you sure that a user account hasn't been cracked?

Again, I don't think so, but it's very hard to prove a negative, that is, 
it's very hard to prove that you haven't been hacked.  I check all the 
usual things such as the last log, again if they have root they can hide 
this from me, but I don't think that's the case.

> 5) Do you allow root logins via ssh?

Absolutely not.


Thanks,

Matt
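The two checks Matt describes, a rogue process running as the web-server user and RPM verification of the installed binaries, as a small triage script. This is an added example, not code from the thread; the `ps` and `rpm -Va` output it parses is constructed for illustration, and the expected-command set and the `/tmp/.x/spam.pl` path are made-up assumptions.

```python
"""Triage helpers: flag processes owned by the web-server user that are not
httpd, and pick the changed/missing binaries out of `rpm -Va` output."""
import re

WEB_USER = "apache"
EXPECTED_CMDS = {"httpd"}   # assumption: only httpd should run as apache

# Constructed sample of `ps -eo user,pid,comm,args --no-headers`
PS_SAMPLE = """\
root      1001 sshd    /usr/sbin/sshd
apache    2302 httpd   /usr/sbin/httpd
apache    2303 httpd   /usr/sbin/httpd
apache    2417 perl    perl /tmp/.x/spam.pl
apache    2418 sh      sh -c ./mailer
"""

# Constructed sample of `rpm -Va`: 9 attribute flags, optional file type, path
RPM_VA_SAMPLE = """\
S.5....T.  c /etc/httpd/conf/httpd.conf
.......T.  d /usr/share/doc/foo/README
S.5....T.    /usr/bin/perl
missing      /usr/sbin/lsof
"""

def suspicious_processes(ps_output, web_user=WEB_USER, expected=EXPECTED_CMDS):
    """Return (pid, comm, args) for processes running as the web-server user
    whose command is not one of the expected daemons (e.g. a perl mailer)."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, comm, args = parts
        if user == web_user and comm not in expected:
            hits.append((int(pid), comm, args))
    return hits

def modified_binaries(rpm_va_output):
    """Return paths whose size ('S') or MD5 digest ('5') changed, or that are
    missing. Config ('c') and doc ('d') files are skipped: they change legitimately,
    and a mtime-only change ('T') on a binary is not by itself evidence."""
    hits = []
    for line in rpm_va_output.splitlines():
        m = re.match(r"^(\S{9}|missing)\s+([cdglr])?\s*(\S+)$", line)
        if not m:
            continue
        flags, ftype, path = m.groups()
        if ftype in ("c", "d"):
            continue
        if flags == "missing" or flags[0] == "S" or "5" in flags:
            hits.append(path)
    return hits
```

Feed the real `ps -eo user,pid,comm,args --no-headers` and `rpm -Va` output to the same two functions; as the thread notes, a root-level compromise can hide from both, so treat a clean result as absence of evidence only.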