How the heck did the spammer get in??

How the heck did the spammer get in?? Spamming the VM forum, geeez!!

Which brings me to the question of PHP exploits. I’ve been chasing my tail for months trying to figure out how these guys are getting in. What are the PHP or MySQL exploits that don’t seem to be covered in the CentOS 4.4 install?

With CentOS 4.4, PHP 4 up to date, and MySQL up to date (with VMPro), I’m having this problem.

On a pristine install they have no access, but when I put up some PHP websites, they appear to be walking all around the server. I’ve found scripts in the /DAV directory or, most popular, the /tmp directory, where they install scripts to set up their own crond, or fire a script to initiate IRC connections, NFS connections, even running their own httpd. I’ve even found the same IP show up connected after the IP is blocked in iptables.

I upgraded to CentOS 4.5, but now the MySQL server won’t start (times out); that has kept the bad guys away, though (no MySQL, no working website).

I’m currently trying each website, one at a time (since they were purchased on eBay :frowning:), on another box to see if the websites are loaded. But nothing has shown up. I guess I should note that the offending server showed up as a DNS “lame server”, so I’m reworking our POA on DNS servicing.

Any help would be greatly appreciated.

Dan

On a pristine install they have no access, but when I put up some PHP websites, they appear to be walking all around the server. I've found scripts in the /DAV directory or, most popular, the /tmp directory, where they install scripts to set up their own crond, or fire a script to initiate IRC connections, NFS connections, even running their own httpd. I've even found the same IP show up connected after the IP is blocked in iptables.

Sounds like your “PHP websites” have some problems. /tmp is used for PHP session storage, among other things, and is writable by the virtual server owner–so all PHP scripts have access to it. If they aren’t secure, they would allow some stuff to happen there.

Where did a /dav directory come from? That one is a bit confusing–Virtualmin sets up a /dav alias that offers a remote file server folder in public_html (makes it easy to publish from many web design products…though DAV support sucks on Windows, it works great on Linux and Mac OS X). But it’s not a directory.

What PHP scripts are you running? Are you sure they’re secure?

Hi Joe,

Actually, one install script was in the /var/lib/dav directory, and the others usually end up in /tmp.

These were some AdSense sites I got on eBay, and I’m sure one or two must be loaded for access then. The OS and VM are right out of the box, and I don’t change anything outside of converting over to sendmail. One site has Joomla working, but that doesn’t appear to be the problem.

Well Joe,

Kicked out my MySQL/PHP theory, as MySQL won’t run.

We got a bandit connection this afternoon.

process:

/usr/local/apache/bin/httpd -DSSL

owned and used by Apache

33w  Regular file  43765  63636017  /home/bannerdoc/logs/access_log
34w  Regular file         58018998  /var/log/httpd/ssl_access_log
35w  Regular file         58019002  /var/log/httpd/ssl_request_log
36r  fifo                 7394      pipe
37w  fifo                 7394      pipe
38r  fifo                 7395      pipe
39w  fifo                 7395      pipe
40u  sock                 37874     can’t identify protocol

IPv6 TCP  3u   Listening on port http
IPv6 TCP  4u   Listening on port https
IPv4 TCP  41u  209.206.145.194:32881 -> 209.121.50.101:afs3-fileserver ESTABLISHED
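The listing above is worth reading as a triage artefact. The entry that matters is descriptor 41u: an ESTABLISHED TCP connection from a local ephemeral port (32881) to a remote host on afs3-fileserver, which is port 7000 in /etc/services and a port IRC servers commonly listen on. Because the local side is not 80 or 443, this is a connection the Apache worker itself opened, not a visitor's request, and an iptables rule that only filters inbound traffic will not stop it; that is consistent with the "blocked" IP still showing up as connected. The Python script below, added here as an example and not code from the thread or from Virtualmin, parses a constructed lsof-style listing modelled on the one posted (with one invented entry, fd 42w, to show a dropped file being caught) and flags write handles outside the expected log directories and outbound connections initiated by the web server process. The column layout, the service-name table and the "expected" log directory pattern are assumptions.

```python
"""Triage an lsof-style descriptor listing taken from a web server process.

Added example, not code from the forum thread or from Virtualmin. Flags two
things a compromised Apache worker tends to show: write handles outside the
expected log directories, and TCP connections the process initiated itself.
"""
import re
from dataclasses import dataclass

# Service names as they appeared in the posted listing, hard-coded instead of
# socket.getservbyname() so the example behaves the same offline on any host.
SERVICE_PORTS = {"http": 80, "https": 443, "afs3-fileserver": 7000}

# Assumed Virtualmin layout: per-site logs under /home/<site>/logs/ plus the
# system Apache log directory. Anything else opened for writing is flagged.
EXPECTED_LOG_RE = re.compile(r"^(?:/var/log/httpd/|/home/[^/]+/logs/)")

# Constructed sample, modelled on the listing posted above; fd 42w is invented
# to show a dropped file being caught.
SAMPLE = """\
33w REG 43765 63636017 /home/bannerdoc/logs/access_log
34w REG 58018998 /var/log/httpd/ssl_access_log
35w REG 58019002 /var/log/httpd/ssl_request_log
36r FIFO 7394 pipe
37w FIFO 7394 pipe
38r FIFO 7395 pipe
39w FIFO 7395 pipe
40u sock 37874 can't identify protocol
42w REG 512 7001 /tmp/.x/bot.pl
3u IPv6 TCP *:http (LISTEN)
4u IPv6 TCP *:https (LISTEN)
41u IPv4 TCP 209.206.145.194:32881->209.121.50.101:afs3-fileserver (ESTABLISHED)
"""

TCP_RE = re.compile(
    r"^(?P<fd>\d+[rwu]) IPv[46] TCP (?P<local>\S+?)(?:->(?P<remote>\S+))? \((?P<state>\w+)\)$"
)
FILE_RE = re.compile(r"^(?P<fd>\d+)(?P<mode>[rwu]) REG(?: \d+)+ (?P<path>/\S+)$")


@dataclass
class Finding:
    fd: str
    reason: str
    detail: str


def port_of(endpoint: str) -> tuple[str, int]:
    """Split 'host:service' into (host, numeric port)."""
    host, _, svc = endpoint.rpartition(":")
    return host, SERVICE_PORTS[svc] if svc in SERVICE_PORTS else int(svc)


def triage(listing: str) -> list[Finding]:
    findings: list[Finding] = []
    listen_ports: set[int] = set()
    tcp_lines = []

    for line in listing.splitlines():
        m = TCP_RE.match(line)
        if m:
            tcp_lines.append(m)
            if m["state"] == "LISTEN":
                listen_ports.add(port_of(m["local"])[1])
            continue
        m = FILE_RE.match(line)
        if m and m["mode"] in ("w", "u") and not EXPECTED_LOG_RE.match(m["path"]):
            findings.append(Finding(m["fd"] + m["mode"],
                                    "write handle outside expected log directories",
                                    m["path"]))

    # Second pass: LISTEN entries may appear after ESTABLISHED ones, so the
    # set of served ports must be complete before judging connections.
    for m in tcp_lines:
        if m["state"] != "ESTABLISHED":
            continue
        _, lport = port_of(m["local"])
        rhost, rport = port_of(m["remote"])
        if lport in listen_ports:
            continue            # a client talking to the web server: normal
        if rhost.startswith("127.") or rhost == "::1":
            continue            # local database or cache: usually expected
        findings.append(Finding(m["fd"],
                                f"outbound connection initiated by the web server to {rhost} port {rport}",
                                f"{m['local']} -> {m['remote']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.fd}: {f.reason} [{f.detail}]")
```

On a live box the same logic applies to `lsof -p <pid>` or `lsof -u apache` output once the columns are normalised; the point of the two rules is that a web server should be accepting connections on the ports it listens on and writing only to its logs, so anything else in its descriptor table is a lead worth chasing, regardless of which PHP site let the attacker in.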

They created an account…verified it via email…and then posted, just like you and I are. It’s not an exploit. Each of those messages was posted manually (or at least they had to signup manually).

I’ve banned the user in question and asked them not to return, and deleted all of their posts. Stopping them from signing up again would pretty much mean preventing anyone from signing up, as getting a Yahoo or Gmail or Hotmail account is trivial (and we have lots of legitimate users who have addresses with those services).