Hacking Attempts Through /tmp

open4biz

Hi All,

This is the second time I received a warning from LFD (http://www.configserver.com/cp/csf.html) that a file was somehow planted in my server through /tmp:

"Time: Mon Aug 9 01:08:32 2010 -0700
File: /tmp/dd_ssh
Reason: Binary executable
Owner: apache:apache
Action: Moved into /etc/csf/suspicious.tar"

I did not keep a record of the first one, but a day or two after a similar email, one of my account's passwords changed. I changed all the passwords related to that account.

Is there a log I can check to gain insight into how this is happening?

And more importantly, how can I harden my server to prevent this from continuing?

Thank you!

Ansel
 
Hi,

There are some people actively exploiting a vulnerability in phpMyAdmin.
Check and see if they are abusing setup.php inside the phpMyAdmin directories.
 
Check and see if they are abusing setup.php inside the phpMyAdmin directories.
If so, delete the setup directory?

Or.... Set it up manually instead of in the default phpmyadmin directory; that's what I do (i.e. /var/www/html/databaseadmin_s4 etc.).... Pain to update this way though, but fewer random scans.
 
Renaming it? eught.

Always make sure your phpmyadmin directories are shielded by a .htaccess (IP or password based); that's what we do for clients.

Temp quick fix is to chmod 0 setup.php
 
Just remove 'setup.php'; you only need it once. So don't chmod it, but remove it asap.
Also default PHPMyAdmin is protected with user/pass, so it should be good already.
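One way to answer the "is there a log I can check" question above, as an added example that is not from this thread or from the CSF/LFD project: a Python script that pulls every request to a phpMyAdmin setup script out of Apache combined-format access-log lines in the half hour before the LFD alert time. The alert timestamp is the one quoted in the first post; the log lines and client addresses are constructed for the example, and the 30-minute window is an assumption you would widen if nothing turns up.

```python
import re
from datetime import datetime, timedelta

# One Apache "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the phpMyAdmin setup script answers at these paths; on a production host
# the setup directory should not be reachable at all, so any hit is worth a look.
SETUP_RE = re.compile(r'/(scripts/)?setup\.php$', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def setup_requests_before(lines, alert_time, window=timedelta(minutes=30)):
    """Return (ip, timestamp, method, path, status) for each request to a
    phpMyAdmin setup script made in the window leading up to alert_time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0]  # drop the query string
        if not SETUP_RE.search(path):
            continue
        if alert_time - window <= rec['ts'] <= alert_time:
            hits.append((rec['ip'], rec['ts'], rec['method'], path, int(rec['status'])))
    return hits


# Alert time as quoted in the LFD e-mail; log lines below are constructed, not real traffic.
ALERT = datetime.strptime('09/Aug/2010:01:08:32 -0700', '%d/%b/%Y:%H:%M:%S %z')
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Aug/2010:00:30:01 -0700] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Aug/2010:01:05:12 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 4113 "-" "-"',
    '203.0.113.9 - - [09/Aug/2010:01:06:40 -0700] "POST /phpmyadmin/scripts/setup.php?action=save HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [09/Aug/2010:02:15:00 -0700] "GET /pma/setup.php HTTP/1.1" 403 289 "-" "-"',
]

if __name__ == '__main__':
    for ip, ts, method, path, status in setup_requests_before(SAMPLE_LOG, ALERT):
        print(f'{ts:%Y-%m-%d %H:%M:%S} {ip} {method} {path} -> {status}')
```

On a real host, replace SAMPLE_LOG with the lines of the Apache access log for the vhost in question; a 200 on a POST to setup.php shortly before the alert is the pattern the other replies are describing.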
 
When I try to visit the phpmyadmin/setup folder in a browser it gives me a Forbidden error. It has been chmodded. Same goes for the scripts folder.
 
Is this definitely a problem with phpmyadmin's setup, or could it be something else?

If you guys are certain, then I'll definitely lock it down.

Thanks,

Ansel
 
Hi,

There are some people actively exploiting a vulnerability in phpMyAdmin.
Check and see if they are abusing setup.php inside the phpMyAdmin directories.

Where exactly is this file?

[Edit: found it and chmod-ed it]

Thanks
 
Why are you chmodding it... just delete it if it is a setup file for phpmyadmin. Once it is set up it doesn't need to exist anymore.
 
Why are you chmodding it... just delete it if it is a setup file for phpmyadmin. Once it is set up it doesn't need to exist anymore.

Because I don't know what I'm doing... part of the time. I renamed it to something extravagant.

Thanks!

Ansel
 