How the heck did the spammer get in?? Spamming the VM forum, geeez!!
Which brings me to the question of PHP exploits. I’ve been chasing my tail for months trying to figure out how these guys are getting in. What are the PHP or MySQL exploits that don’t seem to be covered in the CentOS 4.4 install?
With CentOS 4.4, PHP 4 up to date, and MySQL up to date (with VM Pro) I’m having this problem.
On a pristine install they have no access, but when I put up some PHP websites, they appear to be walking all around the server. I’ve found scripts in the /DAV directory or, most popular, the /tmp directory, where they install scripts to set up their own crond, or fire a script to initiate IRC connections, NFS connections, even running their own httpd. I’ve even found the same IP showing up connected after the IP is blocked in iptables.
I upgraded to CentOS 4.5, but now the MySQL server won’t start (times out); that has kept the bad guys away, though (no MySQL, no working website).
I’m currently trying each website, one at a time (since they were purchased on eBay), on another box to see if the websites are loaded. But nothing has shown up. I guess I should note that the offending server showed up as a DNS “lame server”, so I’m reworking our POA on DNS servicing.
Sounds like your “PHP websites” have some problems. /tmp is used for PHP session storage, among other things, and is writable by the virtual server owner–so all PHP scripts have access to it. If they aren’t secure, they would allow some stuff to happen there.
Where did a /dav directory come from? That one is a bit confusing–Virtualmin sets up a /dav alias that offers a remote file server folder in public_html (makes it easy to publish from many web design products…though DAV support sucks on Windows, it works great on Linux and Mac OS X). But it’s not a directory.
What PHP scripts are you running? Are you sure they’re secure?
Actually, one install script was in the /var/lib/dav directory, and the others usually end up in /tmp.
These were some AdSense sites I got on eBay, and I’m sure one or two must be loaded for access then. The OS and VM are right out of the box, and I don’t change anything outside of converting over to sendmail. One site has Joomla working, but that doesn’t appear to be the problem.
IPV6 TCP 3u Listening on port http
IPV6 TCP 4u Listening on port https
IPV4 TCP 41u 209.206.145.194:32881 -> 209.121.50.101:afs3-fileserver ESTABLISHED
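The two posts above describe the same pattern from both sides: scripts dropped into directories the web server can write to (/tmp, which PHP uses for session files, and /var/lib/dav), then run as the attacker's own crond, IRC client or httpd. The script below is an added example for checking a box for that pattern; it is not from the thread or from Virtualmin. It lists files under a directory that are executable or start with a shebang (PHP session files and uploads normally are neither), lists processes whose executable or working directory lives under that directory (Linux /proc), and greps the system and per-user crontabs for references to it. The directory names /tmp and /var/lib/dav are taken from the thread; the function names and the sample files created for the test are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Virtualmin): triage a
# web-writable directory for dropped scripts. Defaults to the two locations
# named in the thread, /tmp and /var/lib/dav; pass other directories as args.

# Print "path<TAB>reason" for regular files under DIR that are executable or
# begin with "#!". Session files and normal uploads are neither, so anything
# listed deserves a look. Prints nothing if DIR does not exist.
scan_dropped_scripts() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        if [ -x "$f" ]; then
            printf '%s\texecutable\n' "$f"
        elif [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\tshebang\n' "$f"
        fi
    done | sort
}

# Print "pid<TAB>exe=... or cwd=..." for every process whose binary or
# working directory is under DIR (uses Linux /proc; prints nothing elsewhere).
# A crond or httpd started from /tmp shows up here even after the file
# on disk has been deleted.
procs_running_from() {
    dir="$1"
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || exe=""
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd=""
        case "$exe" in
            "$dir"/*) printf '%s\texe=%s\n' "$pid" "$exe"; continue ;;
        esac
        case "$cwd" in
            "$dir"|"$dir"/*) printf '%s\tcwd=%s\n' "$pid" "$cwd" ;;
        esac
    done
}

# Print cron lines (system-wide and per-user spool) that mention DIR.
# Legitimate cron jobs rarely execute anything out of /tmp.
cron_entries_referencing() {
    dir="$1"
    grep -rHn -- "$dir" /etc/crontab /etc/cron.d /var/spool/cron 2>/dev/null || true
}

main() {
    [ $# -eq 0 ] && set -- /tmp /var/lib/dav
    for d in "$@"; do
        echo "== $d: executable or shebang files =="
        scan_dropped_scripts "$d"
        echo "== $d: processes running from it =="
        procs_running_from "$d"
        echo "== $d: cron entries referencing it =="
        cron_entries_referencing "$d"
    done
}

main "$@"
```

Run it as root so /proc/*/exe is readable for every process; as an unprivileged user the process check only covers your own processes. Files flagged here are leads, not verdicts: compare them against the session files and uploads the PHP sites are expected to create before removing anything.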
They created an account…verified it via email…and then posted, just like you and I are. It’s not an exploit. Each of those messages was posted manually (or at least they had to signup manually).
I’ve banned the user in question and asked them not to return, and deleted all of their posts. Stopping them from signing up again would pretty much mean preventing anyone from signing up, as getting a Yahoo or Gmail or Hotmail account is trivial (and we have lots of legitimate users who have addresses with those services).