On Fri, Aug 21, 2009 at 04:08:43PM -0500, Gregory P. Ennis wrote:
> Everyone,
>
> This morning I received a notice from PayPal that one of our sites got
> hacked and was spoofing a PayPal web site.
>
> When I checked the site, I was surprised to find they were correct.
> About 5 days ago we had a server that got hacked and somehow the file
> paypal.com.tar got uploaded to our server and then stored in a
> subdirectory of /var/www/.
>
> I had previously started a mysqld server and planned on using it for web
> authorizations. I had not been able to work on it, but left it in
> place. It looked like the hacker downloaded his paypal spoof files into
> a subdirectory of /var/www/phpmyadmin.
>
> I am running 5.3 with all current updates.
>
> I do not have telnet or ftp active on this server, and have password
> authentication of sshd turned off.
>
> I have tried to obtain dialog with PayPal about this but they have not
> responded to my queries. If any of you have had some experience with
> this I would be interested in knowing how this may have happened. I
> have shut down the mysqld server as well as removed access in httpd.conf
> to the /var/www/phpmyadmin directory in order to shut down the spoofing
> site.
>
> If any of you have a leg up on this I would appreciate your help.

Some advice (assuming the culprit here is phpMyAdmin):

- Keep phpMyAdmin up to date. Best way to do this is to use a package
  from a well known repository like EPEL that keeps the package at the
  latest version for you.

- Run with SELinux Enforcing.

- Protect phpMyAdmin with Basic HTTP authentication instead of relying
  only on phpMyAdmin's authentication, which does nothing to prevent the
  exploitation of many URL-based vulnerabilities.

Ray
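The three points in Ray's reply, worked into a script as an added example (this is not code from the thread or from the phpMyAdmin project). It generates an Apache 2.2 style `<Directory>` block that makes httpd itself demand Basic authentication for the phpMyAdmin directory before any PHP code is reached, checks that the fragment really carries the enforcing directives, and reports the SELinux mode. The directory, htpasswd file, admin user, realm name and the `ADMIN_NET` allow-list are assumptions chosen for the example; the EPEL package name `phpMyAdmin` is the one EPEL ships.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values below can be
# overridden from the environment.
PMA_DIR="${PMA_DIR:-/var/www/phpmyadmin}"                      # path from the thread
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/httpd/conf/pma.htpasswd}" # assumed location
ADMIN_USER="${ADMIN_USER:-pmaadmin}"                           # assumed user name
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"                         # assumed admin network

# Emit an Apache 2.2 (CentOS 5) <Directory> block. httpd evaluates Basic auth
# and the address allow-list before handing the request to PHP, so anonymous
# clients never reach phpMyAdmin's own pages or their URL parameters.
gen_phpmyadmin_auth_conf() {
    cat <<EOF
<Directory "$PMA_DIR">
    AuthType Basic
    AuthName "phpMyAdmin (restricted)"
    AuthUserFile "$HTPASSWD_FILE"
    Require valid-user
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 $ADMIN_NET
    Satisfy All
</Directory>
EOF
}

# Return 0 only if the fragment contains every directive needed for httpd to
# actually enforce authentication; a block that lacks one of them is open.
check_auth_conf() {
    conf="$1"
    for directive in 'AuthType Basic' 'AuthUserFile' 'Require valid-user' 'Satisfy All'; do
        printf '%s\n' "$conf" | grep -q "$directive" || return 1
    done
    return 0
}

# Print the SELinux mode (Enforcing/Permissive/Disabled), or "unavailable" on a
# host without the SELinux userland.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo unavailable
    fi
}

# "install" performs the privileged steps; without an argument the script only
# prints the fragment so it can be reviewed first.
case "${1:-}" in
    install)
        # 1. Packaged phpMyAdmin from EPEL, so yum keeps it current.
        yum -y --enablerepo=epel install phpMyAdmin
        # 2. SELinux should report Enforcing; fix /etc/selinux/config otherwise.
        echo "SELinux mode: $(selinux_mode)"
        # 3. Credentials file outside the document root, then the httpd fragment.
        htpasswd -c "$HTPASSWD_FILE" "$ADMIN_USER"
        gen_phpmyadmin_auth_conf > /etc/httpd/conf.d/phpmyadmin-auth.conf
        apachectl configtest && service httpd reload
        ;;
    *)
        gen_phpmyadmin_auth_conf
        ;;
esac
```

Run it with no argument to review the generated block; `sh script.sh install` as root applies the three steps. Keeping `Satisfy All` is what makes the address allow-list and the password both mandatory; with `Satisfy Any` a client on the allowed network would skip authentication.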