security issues with apache!

To: debian-user@lists.debian.org
Subject: security issues with apache!
From: Petter Senften <isecore@isecore.net>
Date: Tue, 07 Mar 2006 11:23:33 +0100
Message-id: <[🔎] 440D5F25.4090800@isecore.net>

Hi

I'm not completely new to Debian or Linux, but I wouldn't classifymyself as a battlescarred sysadmin just yet :)

Anyways. My problem is security-related, and I hope that I'm posting tothe correct list as well as hoping that someone can help me out here.

Recently I've noticed that my Apache-installation gets violated and thatan intruder somehow manages to put stuff in /tmp and /var/tmp. Then itmakes Apache execute these. Unfortunately these are some rather nastythings, mostly portscanners and bruteforce-attacks. They are all easilydetected with netstat, and at least once a day I have to go in and killthe processes spawned by www-data (the user that runs Apache) as well asdelete the offending files.

Now, like I said - I'm not a pro, I'm trying to learn by doing.Unfortunately how this happens is way over my experience, and now Icould really use some help in fixing this leak. I've narrowed it down toApache only, but I have no clue as to how to seal the leak. I'm runninga small server in my home using (mostly) Debian Sarge. This is a realFrankenstein-machine as it was originally a Woody-box, but it's beenupgraded with bits from all over. It's been running pretty muchconstantly for three years. Of course I apply security fixes when theyarrive, but I don't know if the source of these intrusions is Apache orjust that I have managed to fubar some setting somewhere, allowing anattacker to make Apache execute code.

Essentially the machine is Debian Sarge, with MySQL and PHP4. There areother services running on it, but I've noticed that theintrusions/code-executions only happen through Apache. MySQL onlylistens on localhost and accepts no connections from the outside. Hence,I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 andPHP 4.3

I deeply appreciate any help that can make me seal this leak! Thank youall in advance!


/petter senften

--
isecore@isecore.net | http://www.isecore.net
--------------------------------------------
tonight we light the fires
we call our ships to port
tonight we walk on water
and tomorrow we’ll be gone

Reply to:

Follow-Ups:
- Re: security issues with apache!
  - From: "Josep Serrano" <mylists@montblanc.homeip.net>
- Re: security issues with apache!
  - From: "Charles" <cchamb2@qwest.net>

Prev by Date: udev doesn't creat /dev/audio
Next by Date: Re: security issues with apache!
Previous by thread: Re: udev doesn't creat /dev/audio
Next by thread: Re: security issues with apache!
Index(es):
- Date
- Thread