PHP update .. n more

rszkutak (Verified User; Joined Dec 22, 2003; Messages 173; Location Scottsdale, AZ & Clam Gulch, AK)
It seems that my PHP on my server has somehow become an open relay of sorts, I guess due to a bug in it.

I have been reported to a blacklist, and they were kind enough to respond to me and advise me it came from an unpatched PHP.

So now the question: how can I update my PHP safely? I have not done any application updates like this before, and honestly thought that DA would update things as needed. However I guess some ignorance is bliss.

Your response is appreciated!

Rob
 
Try this, might as well update Apache and everything else that's changed:
Code:
cd /usr/local/directadmin/customapache
./build clean
./build update
./build all y
service httpd restart (at least on RedHat based systems)
 
Tom,
Thanks as always...

Is this one of the later versions ?

/usr/local/directadmin/customapache/php-4.4.2.tar.gz

I ran this and it seemed to be ok, no problems so to speak... I guess I am now all nice n updated?
 
Yes, that is the latest 4.x series of php. So you should be good.

Besides just updating the apache/php I would also look into some of the security practices to help minimize the recurrence of another hijacking.

Search for public php programs (bbs, picture galleries, portals,...) used on your server and make sure they are up to date.

You should be able to do some searches on how to do a lot of these things; the ones I would look for are:
securing /tmp (see here and here)
changing permissions for wget/ftp/lynx/elinks/scp/gcc/g++ so only root can execute them
using open_basedir (see here)

Other things like firewalling unused ports, running tripwire and rkhunter should help in better securing the system. There are quite a few other measures you can do, but this is a good start, if you haven't already done these.
 
Is it really a php hole? Or perhaps a hole in a php-program.

Or config error?

Jeff
 
Jeff,
This is the reply that I got from Spamcop.


------


Looks like you have a php script that is being exploited by spammers:

Received: from unused.mynethost.com (HELO Bluenetworking.com)
([64.207.216.20])
by <our trap server removed>; 16 May 2006 11:4x:x0 -0700
Received: from apache by Bluenetworking.com with local (Exim 4.24)
id 1FgxxX-x00xxt-RF; Tue, 16 May 2006 13:5x:x1 -0500

------

Pretty generic, but somewhat informative.

thoughts ?


R
 
As thought, it wasn't PHP itself that was bugged, it was a user's script. I would hope that they would provide more information than that..lol
 
So updating php isn't going to help.

You need to search your /var/log/exim/mainlog for outgoing mail from usernames; they're generated by scripts. Then find the username that sends the most. If it's a lot, it should jump out at you. Good luck; a few months ago a runaway system caused us well over $1000 in data overages.

Jeff
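One way to do the mainlog search Jeff describes, as an added example that is not from this thread or from DirectAdmin. The log lines are constructed, and it assumes Exim's standard mainlog format, where a message-arrival line contains `<=`, `P=local` marks mail injected locally (as a web script calling sendmail does), and `U=` names the Unix user that injected it:

```shell
#!/bin/sh
# Constructed sample of /var/log/exim/mainlog lines. Only "<=" (arrival) lines
# carry U=; "=>" lines are deliveries and P=esmtp lines arrived over SMTP.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2006-05-16 13:50:01 1FgxxX-x00xxt-RF <= joe@example.com U=joe P=local S=1184
2006-05-16 13:50:02 1FgxxY-x00xxu-RF => spamtrap@example.net R=lookuphost T=remote_smtp
2006-05-16 13:50:05 1FgxxZ-x00xxv-RF <= joe@example.com U=joe P=local S=1190
2006-05-16 13:51:10 1Fgxy0-x00xxw-RF <= joe@example.com U=joe P=local S=1201
2006-05-16 13:52:00 1Fgxy1-x00xxx-RF <= root@example.com U=root P=local S=900
2006-05-16 13:53:00 1Fgxy2-x00xxy-RF <= bob@example.com H=mail.example.org [192.0.2.10] P=esmtp S=2048
EOF

# Count locally injected messages per Unix user and list the busiest first.
# Output is "count user", one line per user, largest count on top.
top_script_senders() {
    grep ' <= ' "$1" | grep 'P=local' | grep -o ' U=[^ ]*' | sed 's/ U=//' \
        | sort | uniq -c | sort -rn
}

top_script_senders "$SAMPLE_LOG"
# On the constructed log the top line is "3 joe". Swap in /var/log/exim/mainlog
# on a real box; the temp file is left in place so it can be re-run.
```

If every site runs PHP as the web server user, the U= column will show only apache and this breakdown stops helping; the sender address on the same `<=` line, or the per-domain sendmail_path with -f mentioned later in this thread, is then what distinguishes the accounts.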
 
Of course, unless he has the
Code:
php_admin_value sendmail_path '/usr/sbin/sendmail -t -i -f |USER|@|DOMAIN|'
setting in that virtual domain, I believe the user would be apache and that would make it harder to track down.
 
I don't know the default by OS & distribution, but for us we almost always see the username, and we've made no changes from the default.

Jeff
 
It has been a feature since version 1.223, but if the domain existed before that version of DirectAdmin, then it might not have that setting.
 