Spam sent from my host

vbfischer · 01-18-2006, 01:05 PM

Yes. I was reading about the exploit in one of the sticky's here. I *think* I've patched things up... We'll see.

TigerOC · 01-19-2006, 10:59 AM

You need to update the relevant php app that has the flaw. Install the security module from www.modsecurity.org (your distro probably has a package), insert and activate the module in httpd and also set the rules from modsecurity.org and this should prevent further attacks.

benr77 · 01-25-2006, 05:27 AM

vbfischer - could you tell me where you found details of how to patch up this exploit? I'm currently suffering from the same problem.

Thanks very much

vbfischer · 01-25-2006, 06:22 AM

I deleted the file in question. Updated my PHP apps. Then I installed the security module (www.modsecurity.org).

Then I purchased the "Apache Security" book from Ivan Ristic
http://www.amazon.com/gp/product/059...books&v=glance

Hope that helps.

benr77 · 01-25-2006, 06:25 AM

Thanks for that - were the files you deleted all living in /tmp ?? Or were there any others elsewhere on the filesystem?

So far I've removed files from /tmp but haven't worked out how they got there - i.e. what application was compromised to permit the exploit

TigerOC · 01-25-2006, 11:48 AM

From what I have seen they operate as the user www-data or whatever your apache user is called. Have a look at your httpd.conf. To establish all the files owned by this user on the system do from a consol find -user <user_name> eg www-data.
Basically the intruder has used the fault in the application to connect a php hacking tool to give them the ability to upload software to your system. The scary part is that they probably had access to your whole file system as the apache user.

benr77 · 01-25-2006, 12:49 PM

Thanks for that TigerOC - I have searched for all files owned by my "apache" user and it's only turned up expected results. Hopefully I've removed all the files that the malicious user added.

However, I did see that at least one of the files created was owned by root - so presumably this means they were able to execute a root shell and that could mean a huge amount more trouble.

TigerOC · 01-25-2006, 02:14 PM

You need to check whether the file owned by root was created by the intruder. If they got root access then you need to pull the server, image the drive if you want to do forensics on it, and then reformat the drive.