LinuxQuestions.org

Linux - Server: Apache hack: how do I block it? (http://www.linuxquestions.org/questions/linux-server-73/apache-hack-how-do-i-block-it-804755/)

philwynk 04-28-2010 08:36 AM

Apache hack: how do I block it?
 
Somebody apparently tried to hack my tiny server today. It's a LAMP server: Fedora core 12, Apache, mySQL, PHP on an AMD 64.

My server hung, so I rebooted the system and looked in the httpd log. I found repeated instances of this command near the time of the crash:

Quote:

212.95.54.43 - - [28/Apr/2010:09:17:46 -0400] "POST /wp-content/uploads/2009/10/anpdyv8v.php? HTTP/1.0" 200 2 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US)"

The file anpdyv8v.php was dated 24/APR/2010, but the directory is a dated directory for graphic images posted to the blog in Oct 2009, so I know it's not mine, and I know it appeared recently.

The file consists of a single php "eval(base64 decode" statement, which is pretty clearly an encrypted application file in php.

I changed the ownership of the file so apache can't read it anymore (it was owned by apache.web, which is the account under which apache runs), but I'm very concerned that somebody was able to post a rogue file on my server as "apache."

How did they do that, and how can I prevent them from doing it again?

BTW, the IP address traces to a server in Belarus.

Thanks for any and all suggestions in advance.

Phil Weingart
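The two signs described in the post (a .php file sitting in a WordPress media directory, and a body that is nothing but eval(base64_decode) are easy to scan for across a whole web root. The script below is an added example, not from the thread or from WordPress; the directory layout and file names it builds are constructed for the demo, and the planted file's body is a placeholder string rather than any real payload.

```shell
#!/bin/sh
# Added example (not from the thread): look for PHP dropped into upload
# directories and for eval(base64_decode payloads anywhere under a web root.
# Directory layout and file names below are constructed for the demo; the
# planted file name mirrors the one quoted in the post, its body is a placeholder.
LC_ALL=C
export LC_ALL

# Print every regular file beneath WEBROOT that matches either rule:
#   1. a .php file anywhere under a directory named "uploads" (WordPress only
#      stores media there, so a script in that tree was put there by someone)
#   2. a file whose contents contain the literal eval(base64_decode
# Each match is printed once, one path per line.
find_suspicious_php() {
    webroot="$1"
    {
        find "$webroot" -type f -path '*/uploads/*' -name '*.php'
        find "$webroot" -type f -exec grep -l 'eval(base64_decode' {} +
    } | sort -u
}

# Build a small constructed web root: two clean files and two planted ones.
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/2009/10" "$root/wp-includes"
    printf 'GIF89a' > "$root/wp-content/uploads/2009/10/photo.gif"   # clean media
    printf '<?php echo "ok";\n' > "$root/wp-includes/version.php"     # clean script
    # planted: a script inside the media tree with an obfuscated body (placeholder only)
    printf '<?php eval(base64_decode("PLACEHOLDER"));\n' \
        > "$root/wp-content/uploads/2009/10/anpdyv8v.php"
    # planted: same obfuscation outside uploads, so only rule 2 catches it
    printf '<?php eval(base64_decode("PLACEHOLDER"));\n' \
        > "$root/wp-includes/cache.php"
}

# Usage: sh scan.sh /var/www/html   (with no argument it only defines the functions)
if [ $# -gt 0 ]; then
    find_suspicious_php "$1"
fi
```

Rule 1 is the stronger signal: the media tree should never contain a script, whatever its contents. Rule 2 will also flag the odd legitimate plugin that obfuscates itself, so treat its hits as a list to read, not a list to delete.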

rweaver 04-28-2010 09:37 AM

Drop the route to the IP address/network in Belarus if that's not somewhere you'd expect legitimate traffic. Then go back through your logs and figure out how they got in. In all likelihood it was a bad password or a known bug on an older version of WordPress. Make sure all your applications and utilities are up to date, including webapps. I would also suggest that as a minimum effort you run chkrootkit and rkhunter over the system as a safeguard against potentially being rooted.

nowonmai 04-28-2010 10:44 AM

Quote:

Originally Posted by philwynk (Post 3950595)
How did they do that, and how can I prevent them from doing it again?

It looks like you are using WordPress, so it's possible the hack was a result of a vulnerability there. Always patch your webapps!
It's also possible that the uploads directory is world-writable... you'd be amazed how often this is recommended in webapp installation notes.

unSpawn 04-28-2010 10:54 AM

Quote:

Originally Posted by rweaver (Post 3950656)
Drop the route to the ip address/network in belarus if that's not somewhere you'd expect legitimate traffic.

Please note that if the intruder uses proxies in different TLDs, that doesn't make sense (or you keep adding IP addresses).

The other advice wrt running an unpatched version of WordPress and/or having world-writable U/L dirs and checking logs I agree are good starting points. Next to patching immediately and running file integrity verification, I suggest running mod_security and fail2ban, as it comes with web-server log filters.
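The world-writable-directory check raised two posts up and the file-integrity verification suggested here can both be done with stock tools. The script below is an added example, not from the thread, WordPress or any of the tools named above: it lists world-writable directories, removes the write bit from the uploads tree and drops an .htaccess that stops Apache serving PHP from it (Apache 2.2 syntax, assuming AllowOverride permits it there), and keeps a sha256sum baseline so a file like the one in the post shows up the next time it is checked. Paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): world-writable check, uploads
# hardening, and a checksum baseline for a web root. Paths are constructed;
# the .htaccess uses Apache 2.2 directives and assumes AllowOverride allows them.
LC_ALL=C
export LC_ALL

# Print every directory beneath WEBROOT that any local user can write to.
find_world_writable_dirs() {
    find "$1" -type d -perm -002
}

# Take the other-write bit off everything under DIR and add an .htaccess
# that refuses to serve PHP from it, so a dropped script cannot be executed.
harden_uploads() {
    dir="$1"
    find "$dir" -exec chmod o-w {} +
    cat > "$dir/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
EOF
}

# Record "hash  ./path" for every file under WEBROOT into BASELINE, sorted so comm can compare it.
baseline_checksums() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) > "$2"
}

# Compare WEBROOT against BASELINE. Prints one line per difference and
# returns 1 when anything is new, missing or changed, 0 when nothing differs.
verify_checksums() {
    webroot="$1"; baseline="$2"
    current=$(mktemp)
    baseline_checksums "$webroot" "$current"
    status=0
    # present now but not in the baseline: a new file, or content that changed
    if comm -13 "$baseline" "$current" | grep -q .; then
        comm -13 "$baseline" "$current" | sed 's/^[0-9a-f]*  /NEW-OR-CHANGED /'
        status=1
    fi
    # in the baseline but not now: a deleted file, or the old hash of a changed one
    if comm -23 "$baseline" "$current" | grep -q .; then
        comm -23 "$baseline" "$current" | sed 's/^[0-9a-f]*  /MISSING-OR-CHANGED /'
        status=1
    fi
    rm -f "$current"
    return "$status"
}

# Usage: sh harden.sh /var/www/html /root/webroot.sha256
# (with no arguments it only defines the functions)
if [ $# -eq 2 ]; then
    find_world_writable_dirs "$1"
    harden_uploads "$1/wp-content/uploads"
    baseline_checksums "$1" "$2"
fi
```

Keep the baseline file outside the web root and re-run verify_checksums from cron; a NEW-OR-CHANGED line for a .php under uploads is exactly the event in the opening post, caught before anyone POSTs to it.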

