[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: security issues with apache!


I'm not completely new to Debian or Linux, but I wouldn't classify
myself as a battlescarred sysadmin just yet :)

Anyways. My problem is security-related, and I hope that I'm posting to
the correct list as well as hoping that someone can help me out here.

Recently I've noticed that my Apache-installation gets violated and that
an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it
makes Apache execute these. Unfortunately these are some rather nasty
things, mostly portscanners and bruteforce-attacks. They are all easily
detected with netstat, and at least once a day I have to go in and kill
the processes spawned by www-data (the user that runs Apache) as well as
delete the offending files.

Now, like I said - I'm not a pro, I'm trying to learn by doing.
Unfortunately how this happens is way over my experience, and now I
could really use some help in fixing this leak. I've narrowed it down to
Apache only, but I have no clue as to how to seal the leak. I'm running
a small server in my home using (mostly) Debian Sarge. This is a real
Frankenstein-machine as it was originally a Woody-box, but it's been
upgraded with bits from all over. It's been running pretty much
constantly for three years. Of course I apply security fixes when they
arrive, but I don't know if the source of these intrusions is Apache or
just that I have managed to fubar some setting somewhere, allowing an
attacker to make Apache execute code.

Essentially the machine is Debian Sarge, with MySQL and PHP4. There are
other services running on it, but I've noticed that the
intrusions/code-executions only happen through Apache. MySQL only
listens on localhost and accepts no connections from the outside. Hence,
I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 and
PHP 4.3

I deeply appreciate any help that can make me seal this leak! Thank you
all in advance!

/petter senften

I had a similar encounter about 2 months ago. The intruder exploited a PHP script that was poorly written. If you check your http access logs, you will most likely find an entry about the PHP that is been exploited. Once you find the offending PHP script, you can either remove it or add an exit(0); on top of the script so that it does not accept any input. If you are a good PHP programmer, you could fix the script so that it validates whatever input its getting.


Reply to: