[CentOS] Apache Security

Thu Jun 22 17:24:38 UTC 2006
Mike Kercher <mike at vesol.com>

centos-bounces at centos.org <> scribbled on Thursday, June 22, 2006 12:21 PM:

> Jason Bradley Nance wrote:
>>> My question is why is this happening?  Obviously it's some apache
>>> exploit.
>> 
>> I wouldn't jump to the conclusion that it's an Apache exploit.  It's
>> more likely to be an issue with an insecure script assuming they are
>> even coming in through the web server.
> 
> Meaning an insecure PHP form or the like?  Any general words
> of wisdom on how to ensure my PHP forms are secure?  I'm
> more than happy to read up on this, but I just haven't found
> any material that seems to describe my problem.
> 
>> A few questions:
>> 
>> 1) What makes you think this is an Apache issue?
> 
> All the files are owned by user apache and the perl process
> that is sending the spam is running as user apache.  I know
> this could be faked if the hacker has root access, but I
> don't think that is the case.
> 
>> 2) What other services are running on the box?
> 
> I have three open ports, SSH, HTTPD and IMAP (running on a
> nonstandard port).
> 
>> 3) How did you clean up after the first hack?
> 
> Killed the process, removed the files.  Used RPM to verify the
> integrity of all the binaries on the system.
> 
>> 4) Are you sure that a user account hasn't been cracked?
> 
> Again I don't think so, but it's very hard to prove a
> negative, that is, it's very hard to prove that you haven't
> been hacked.  I check all the usual things such as the last
> log; again, if they have root they can hide this from me, but
> I don't think that's the case.
> 
>> 5) Do you allow root logins via ssh?
> 
> Absolutely not.
> 

One thing I would make sure of is that register_globals = Off is set in
/etc/php.ini

Looking through your apache logs, as someone else suggested, should help
you find which php script was exploited.

Mike
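As an added illustration of why the register_globals advice above matters (this is example code, not part of Mike's message or of any script in the thread): with register_globals = On, every request parameter becomes a PHP global, so a script that never initializes a state variable lets the client pre-set it. The snippet contrasts that fragile pattern with a version that initializes its state and reads input only from $_POST; it assumes PHP 5.5 or later for password_hash()/password_verify(), and the secret is a constructed sample value.

```php
<?php
// php.ini settings contrasted (the file path /etc/php.ini is the one named in the thread):
//   register_globals = On    ; weak: a request carrying authorized=1 creates $authorized = "1"
//   register_globals = Off   ; hardened: request data stays in $_GET / $_POST / $_COOKIE only

// Fragile pattern that was common at the time (shown as a comment so it is never executed):
//   if ($password == 'secret') { $authorized = true; }
//   if ($authorized) { show_admin_page(); }
// $authorized is never initialized, so with register_globals = On a request that
// includes authorized=1 sets it before the password test runs, and the test is bypassed.

// Hardened version: explicit initialization and an explicit input source, so the
// result does not depend on the ini setting at all.
function is_authorized(array $post, $expected_hash)
{
    $authorized = false;                                  // always initialized
    $password = isset($post['password']) ? $post['password'] : '';
    if (is_string($password) && password_verify($password, $expected_hash)) {
        $authorized = true;
    }
    return $authorized;
}

// Startup guard: refuse to serve requests if the weak setting is still active.
// ini_get() returns "" or "0" when the directive is Off; on PHP 5.4+ the directive no
// longer exists and ini_get() returns false, which also counts as Off here.
function register_globals_is_off()
{
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

if (!register_globals_is_off()) {
    http_response_code(500);
    exit('register_globals must be Off in php.ini');
}

// Constructed sample values for the example only.
$hash = password_hash('example-secret', PASSWORD_DEFAULT);
var_dump(is_authorized(array('password' => 'example-secret'), $hash));  // correct password
var_dump(is_authorized(array('authorized' => '1'), $hash));             // the old bypass attempt
```

The second call shows that injecting authorized=1 no longer has any effect, because the function's state starts from false and only the password comparison can change it.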