centos-bounces at centos.org <> scribbled on Thursday, June 22, 2006 11:53 AM:

> Hello, I have a server running CentOS 4.3 with all the latest
> updates.
> The server in question has been hacked by spammers a few
> times. The details of the hack have been basically the same
> every time. I find some directory created by the apache user
> account in /tmp. The new directory contains an html file,
> and a list of email addresses to spam and a perl script that
> spams all those email addresses with the html file.
>
> My question is why is this happening? Obviously it's some
> apache exploit. I have removed mod_perl, that didn't help.
> I have now changed the permissions on the perl executable,
> that might help we will see, but that doesn't address the
> core problem. How is it that someone can upload arbitrary
> files to my server and then execute an arbitrary command via apache.
>
> Is this a known problem? Have others seen it? What can I do
> to help prevent this?
>
> Thanks,
>
> Matt

Here's what I do on my servers to secure /tmp:

    # Create a 512 MB file and format it as ext3
    # (mke2fs asks for confirmation because the target is a regular file)
    dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=524288
    mke2fs -j /usr/tmpDSK
    # Stop MySQL and move the current contents of /tmp aside
    /etc/init.d/mysql* stop
    mkdir /tmp_backup
    cd /tmp
    mv * /tmp_backup
    mv .* /tmp_backup
    # Mount the file on /tmp via loopback with noexec, nosuid and nodev
    echo "/usr/tmpDSK /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab
    cd /tmp_backup
    rm -rf /tmp
    mkdir /tmp
    mount /usr/tmpDSK
    chmod 1777 /tmp
    # Restore the old contents, clean up and restart MySQL
    mv * /tmp
    mv .* /tmp
    cd /tmp
    rm -rf /tmp_backup
    /etc/init.d/mysql* start

Mike
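
A way to verify the result of the procedure above, as an added example that is not part of the original post: the function reports which of noexec, nosuid and nodev are missing for a mount point, reading /proc/mounts or a file in the same layout. The function name, the /var/tmp entry and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check hardening options on a mount.
# Usage: missing_mount_opts MOUNTPOINT [MOUNTS_FILE]
# MOUNTS_FILE uses the /proc/mounts or /etc/fstab layout:
#   device mountpoint fstype options dump pass
REQUIRED_OPTS="noexec nosuid nodev"

missing_mount_opts() {
    mp=$1
    file=${2:-/proc/mounts}
    # Take the last matching entry: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { o = $4 } END { print o }' "$file")
    if [ -z "$opts" ]; then
        echo "not-mounted"      # path is not a separate mount at all
        return 2
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        # Wrap in commas so "nodev" only matches a whole option.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    echo "$missing"
    [ -z "$missing" ]           # status 0 only when nothing is missing
}

# Constructed sample mount table: the loop-backed /tmp from the post,
# plus a hypothetical /var/tmp that lacks two of the options.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/root / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw,nosuid 0 0
EOF
for mp in /tmp /var/tmp; do
    if miss=$(missing_mount_opts "$mp" "$sample"); then
        echo "$mp: ok"
    else
        echo "$mp: missing: $miss"
    fi
done
rm -f "$sample"
```

noexec only blocks executing a file in /tmp directly; a script handed to an interpreter that lives elsewhere (for example `perl /tmp/script.pl`) still runs, so a passing check does not by itself close the upload path described in the question.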