Matthew T. O'Connor wrote:
> Hello, I have a server running CentOS 4.3 with all the latest updates.
> The server in question has been hacked by spammers a few times. The
> details of the hack have been basically the same every time. I find
> some directory created by the apache user account in /tmp. The new
> directory contains an html file, and a list of email addresses to spam
> and a perl script that spams all those email addresses with the html
> file.
>
> My question is why is this happening? Obviously it's some apache
> exploit. I have removed mod_perl, that didn't help. I have now
> changed the permissions on the perl executable, that might help we
> will see, but that doesn't address the core problem. How is it that
> someone can upload arbitrary files to my server and then execute an
> arbitrary command via apache?
>
> Is this a known problem? Have others seen it? What can I do to help
> prevent this?
>
> Thanks,
>
> Matt

Usually, I've seen this as the result of an insecure PHP script. I've also seen files in /tmp or /var/tmp owned by apache, and usually there's a few processes running as the "apache" user. Typically, the timestamps on those files match the start time of the rogue apache processes, and then I go looking through the httpd access log and can find what script was exploited based on the time of the request...

-Greg
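
The timestamp correlation described in the reply above, as an added example that is not part of the original post: it collects modification times of files owned by a given uid and returns the access-log requests logged within a window of those times (process start times can be passed the same way). The sample log lines, client addresses, request path and the 60-second window are constructed assumptions.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_line(line):
    """Return (time, client, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return when, m.group(1), m.group(3), int(m.group(4))

def owned_file_times(dirs, uid):
    """(path, mtime in UTC) for entries under dirs owned by uid, e.g. apache."""
    times = []
    for top in dirs:
        for root, subdirs, files in os.walk(top):
            for name in subdirs + files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # removed or unreadable while walking
                if st.st_uid == uid:
                    times.append((path, datetime.fromtimestamp(st.st_mtime, timezone.utc)))
    return times

def requests_near(log_lines, event_times, window=timedelta(seconds=60)):
    """Requests logged within `window` of any event time, in log order."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and any(abs(rec[0] - t) <= window for t in event_times):
            hits.append(rec)
    return hits

# Constructed sample data: one dropped-file mtime and three access-log lines.
SAMPLE_EVENT = datetime(2006, 6, 12, 7, 14, 9, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2006:02:50:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jun/2006:03:14:07 -0400] "POST /gallery/upload.php HTTP/1.1" 200 311',
    '192.0.2.10 - - [12/Jun/2006:04:01:30 -0400] "GET /about.html HTTP/1.1" 200 2048',
]
```

On a live host, the event times would come from `owned_file_times(["/tmp", "/var/tmp"], pwd.getpwnam("apache").pw_uid)` and the log lines from the httpd access log. Because the log carries its own UTC offset and the file times are converted to UTC, the comparison holds across time zones.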