Hello,

I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, a list of email addresses to spam and a perl script that spams all those email addresses with the html file.

My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl; that didn't help. I have now changed the permissions on the perl executable; that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?

Is this a known problem? Have others seen it? What can I do to help prevent this?

Thanks,

Matt
> Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
>
> My question is why is this happening? Obviously it's some apache exploit.

Why is this obvious? What else is exposed to the internet on this server? They could be coming in another way, then creating files owned by the apache user to make it look like an Apache problem. Is SSH exposed to the internet? Maybe there is a user with a weak password or something.

> I have removed mod_perl; that didn't help. I have now changed the permissions on the perl executable; that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?

What is exposed via apache? Are there any custom applications/CGIs?

> Is this a known problem? Have others seen it? What can I do to help prevent this?
>
> Thanks,
>
> Matt

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
> My question is why is this happening? Obviously it's some apache
> exploit.

I wouldn't jump to the conclusion that it's an Apache exploit. It's more likely to be an issue with an insecure script, assuming they are even coming in through the web server. A few questions:

1) What makes you think this is an Apache issue?
2) What other services are running on the box?
3) How did you clean up after the first hack?
4) Are you sure that a user account hasn't been cracked?
5) Do you allow root logins via ssh?
centos-bounces at centos.org <> scribbled on Thursday, June 22, 2006 11:53 AM:

> Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
>
> My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl; that didn't help. I have now changed the permissions on the perl executable; that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?
>
> Is this a known problem? Have others seen it? What can I do to help prevent this?
>
> Thanks,
>
> Matt

Here's what I do on my servers to secure /tmp:

# create a 512 MB file-backed ext3 image that will become /tmp
dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=524288
mke2fs -j /usr/tmpDSK
# stop anything holding files or sockets in /tmp (MySQL does) before moving it
/etc/init.d/mysql* stop
mkdir /tmp_backup
cd /tmp
mv * /tmp_backup
mv .* /tmp_backup    # mv refuses "." and "..", which is harmless; the dotfiles still move
# mount the image on /tmp with noexec,nosuid,nodev so files dropped there cannot be run directly
echo "/usr/tmpDSK /tmp ext3 loop,rw,noexec,nosuid,nodev 0 0" >> /etc/fstab
cd /tmp_backup
rm -rf /tmp
mkdir /tmp
mount /usr/tmpDSK
chmod 1777 /tmp
mv * /tmp
mv .* /tmp
cd /tmp
rm -rf /tmp_backup
/etc/init.d/mysql* start

Mike
> Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
>
> My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl; that didn't help. I have now changed the permissions on the perl executable; that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?
>
> Is this a known problem? Have others seen it? What can I do to help prevent this?

I've also been hacked a couple of times with this sort of exploit. In my case, it was an exploit in awstats, a weblog analyser. If you have it, I strongly suggest you get up to the latest version... Also, if you have php scripts installed, they are a frequent source of security holes.

Nicolas
Matthew T. O'Connor wrote:
> Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, a list of email addresses to spam and a perl script that spams all those email addresses with the html file.
>
> My question is why is this happening? Obviously it's some apache exploit. I have removed mod_perl; that didn't help. I have now changed the permissions on the perl executable; that might help, we will see, but that doesn't address the core problem. How is it that someone can upload arbitrary files to my server and then execute an arbitrary command via apache?
>
> Is this a known problem? Have others seen it? What can I do to help prevent this?
>
> Thanks,
>
> Matt

Usually, I've seen this as the result of an insecure PHP script. I've also seen files in /tmp or /var/tmp owned by apache, and usually there are a few processes running as the "apache" user. Typically, the timestamps on those files match the start time of the rogue apache processes, and then I go looking through the httpd access log and can find what script was exploited based on the time of the request...

-Greg
Just as an fyi, a good checklist for linux (not comprehensive but a good start):
http://www.cisecurity.org/bench_linux.html

And some good areas via google on secure centos installations.

If they do it again then it won't be your perl script, obviously, as you mentioned disabling the script; but if not, is your script configured with use strict and taint? Is every var in the script checked to ensure the data is within an allowed range? Does the perl script rely on third-party modules? If so you might check there as well.

The rest is an assumption that you may have php installed on the system and someone may have used a php script as a gateway into your system. Even though the box has been compromised you may get lucky, if this is related to apache, by looking at the timestamps on the files in /tmp and correlating those with your apache logs. If so check your php logs as well (if you enabled them in /etc/php.ini).

Are you running in safe mode? There are some things you can do to help reduce the amount of damage a vulnerable php script can do:

safe_mode = On
safe_mode_gid = On
safe_mode_include_dir = /path where any include files you trust reside (read only by the apache process)
safe_mode_exec_dir = /path to the area where you allow any executables to be called from php scripts

Also (not restricted to safe mode), if this is a home server you can also restrict where php scripts can 'roam':

open_basedir = /var/www/html

(for example) will prevent php scripts from going outside the /var/www/html area.

If you're done debugging any web code set this:

display_errors = off

And turn on php file logging:

log_errors = On
error_log = /var/log/phplogfilename.log

Unless you need to allow file uploads, turn that off too:

file_uploads = Off

The same goes for treating URLs as files:

allow_url_fopen = Off

Also make sure all the files in /var/www/html or whatever are not owned by the apache process so they cannot be overwritten, if at all possible.
-Greg

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Matthew T. O'Connor
Sent: Thursday, June 22, 2006 11:53 AM
To: CentOS mailing list
Subject: [CentOS] Apache Security
Matthew T. O'Connor wrote:
>
> Is this a known problem? Have others seen it? What can I do to help
> prevent this?
>

PHP is a likely suspect. Do you have globals off? It can be difficult to find the culprit; hit the logs, look at hacker file creation dates, and try to match the creation time to something done within a script in the logs. Photo galleries and any script which allows uploads should be the first suspects. And yes, as mentioned, AWstats did have an issue, but it is a pretty old version at this point... still something to look at. Of course, files uploaded via PHP are owned by Apache or the Apache username assigned.

Best,
John Hinton
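Greg's and John's advice above (match the creation time of the apache-owned files in /tmp against the httpd access log), as an added example script that is not code from anyone in the thread: it collects files in a directory owned by the web server's uid, then lists the access_log requests that arrived shortly before each file appeared. The log excerpt, the rogue directory and its timestamp are constructed; the two-minute `window` and the Apache "combined" log format are assumptions.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def collect_artifacts(directory, owner_uid):
    """Return (path, mtime) for entries in `directory` owned by `owner_uid`
    (e.g. pwd.getpwnam('apache').pw_uid); mtime is an aware UTC datetime."""
    found = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if st.st_uid == owner_uid:
            found.append((entry.path,
                          datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)))
    return found

def requests_before_artifacts(log_lines, artifacts, window=120):
    """Log entries logged up to `window` seconds before an artifact was created."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        host, stamp, request, status = m.groups()
        logged = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        for path, created in artifacts:
            lead = (created - logged).total_seconds()
            if 0 <= lead <= window:
                hits.append({"artifact": path, "seconds_before": int(lead),
                             "host": host, "request": request, "status": int(status)})
    return hits

# Constructed sample data: a short access_log excerpt and one rogue directory in /tmp.
EDT = timezone(timedelta(hours=-4))
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jun/2006:11:50:02 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jun/2006:11:52:41 -0400] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jun/2006:11:52:45 -0400] "GET /gallery/data/img.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [22/Jun/2006:11:55:10 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
SAMPLE_ARTIFACTS = [("/tmp/.x", datetime(2006, 6, 22, 11, 52, 50, tzinfo=EDT))]

if __name__ == "__main__":
    for hit in requests_before_artifacts(SAMPLE_LOG, SAMPLE_ARTIFACTS):
        print(f"{hit['artifact']} appeared {hit['seconds_before']}s after "
              f"{hit['host']} {hit['request']} -> {hit['status']}")
```

On a real box, replace SAMPLE_ARTIFACTS with `collect_artifacts("/tmp", pwd.getpwnam("apache").pw_uid)` and read the lines from /var/log/httpd/access_log; the two requests it singles out here are the upload and the first hit on the uploaded file.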
Matthew T. O'Connor wrote:
> Hello, I have a server running CentOS 4.3 with all the latest updates. The server in question has been hacked by spammers a few times. The details of the hack have been basically the same every time. I find some directory created by the apache user account in /tmp. The new directory contains an html file, a list of email addresses to spam and a perl script that spams all those email addresses with the html file.

Sounds like scripts and bad code on the web-doc-root being exploited. Consider enabling SELinux. This is the sort of thing that SELinux was meant to prevent, and it does a very good job of it.

-KB
--
Karanbir Singh : http://www.karan.org/ : 2522219 at icq
On Thu, Jun 22, 2006 at 12:53:09PM -0400, Matthew T. O'Connor wrote:
> Is this a known problem? Have others seen it? What can I do to help
> prevent this?
>
> Thanks,
>
> Matt

Yes, it's a problem with non-secure php configuration and vulnerable php scripts. Some suggestions:

(Already mentioned) Keep php scripts up to date! This is paramount.
(Already mentioned) Mount /tmp on loop with noexec.
(Already mentioned) php.ini: allow_url_fopen = off
(Already mentioned) Learn how to use mod_security effectively.
(Already mentioned) Block outbound tcp/80 with iptables/etc.
(Already mentioned) SELinux can provide more fine-grained control over "who" can do "what".
(Already mentioned) Use UNIX permissions to restrict access to wget/curl/ncftp/lynx/etc.

Additional:

php.ini: disable_functions = system,exec,passthru,shell_exec,pcntl_exec

Lots of times I find something in httpd's crontab to re-infect /tmp, so use cron.deny:

echo apache >> /etc/cron.deny    # or httpd, www, etc.: whatever user your web server runs as

I also block outbound access to tcp/6666-6669 (irc) and tcp/6881-6889 (bittorrent) as well as non-essential outbound udp (essential: dns, ntp) to "contain" any damage caused by malware.

It is still possible to circumvent noexec. mod_security will only protect you from disclosed vulnerabilities. Security is a trade-off with convenience, so you must evaluate your options. Shared web hosts tend to require convenience, while dedicated needs lean more towards security. Become familiar with the scripts you are running, their requirements, their security track record, and any alternatives if they exist.

- Mike
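The php.ini hardening recommended by Greg, John and Mike above, as an added audit script (not code from the thread): it reads a php.ini, flags every directive that is unset or weaker than the value the thread recommends, and is run here against a constructed stock-style php.ini of the era and a constructed hardened one. The recommended values are exactly those given in the thread; treating an unset directive as a finding is this script's choice, because PHP's built-in default (for example allow_url_fopen On) then applies.

```python
# Thread recommendations: Greg's php.ini list, John's register_globals question,
# Mike's disable_functions line. Note that safe_mode exists only in PHP < 5.4.
BOOL_DIRECTIVES = {"register_globals": False, "safe_mode": True, "display_errors": False,
                   "log_errors": True, "file_uploads": False, "allow_url_fopen": False}
REQUIRED_DISABLED = {"system", "exec", "passthru", "shell_exec", "pcntl_exec"}
PHP_TRUE = ("1", "on", "true", "yes")  # PHP ini booleans; anything else is false

def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """Return (directive, current, recommended) for each weak or unset directive."""
    cfg = parse_php_ini(text)
    findings = []
    for name, want in BOOL_DIRECTIVES.items():
        if name not in cfg or (cfg[name].lower() in PHP_TRUE) != want:
            findings.append((name, cfg.get(name, "(unset)"), "On" if want else "Off"))
    if not cfg.get("open_basedir"):
        findings.append(("open_basedir", "(unset)", "/var/www/html"))
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    if REQUIRED_DISABLED - disabled:
        findings.append(("disable_functions", ",".join(sorted(disabled)) or "(unset)",
                         ",".join(sorted(REQUIRED_DISABLED))))
    return findings

# Constructed samples: a stock-style php.ini next to the hardened form the thread describes.
WEAK_INI = """[PHP]
register_globals = Off
display_errors = On   ; handy while developing, leaks paths and SQL in production
log_errors = Off
file_uploads = On
allow_url_fopen = On
"""
HARDENED_INI = """[PHP]
register_globals = Off
safe_mode = On
display_errors = Off
log_errors = On
file_uploads = Off
allow_url_fopen = Off
open_basedir = /var/www/html
disable_functions = system,exec,passthru,shell_exec,pcntl_exec
"""
```

Run `audit_php_ini(open("/etc/php.ini").read())` on the server itself; an empty list means every directive the thread mentions is set the way it recommends.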