Server Compromised: Apache or PHP vulnerability

[stugster]

I am running the latest release of cPanel and WHM. THey are both set to automatically update.

My server is continuously getting hit by a PHP problem:

Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

'/var/tmp/. ' and '/var/tmp/bind' contained a numer of scanning programs that were active...


Any ideas? Anyone experienced this sort of thing before?

 

[Apoc]

That problem has nothing to do with Apache or PHP vulnerabilities, the problem has to do with exploitable scripts that are located on your server. You can try tracking it with this command:

egrep <hack.name> /usr/local/apache/domlogs/*

You'd have to replace <hack.name> with the name of the hack scripts you found in /tmp. Based on the output you should usually be able to find the exploited script(s).

However, someone may just (accidentally or not) upload an exploitable script again in the future. You should probably look into installing mod_security for Apache. If you install it with a good ruleset, it'll deny requests for file execution in /tmp, which makes the exploitable scripts less dangerous to your server.

 

[AndyReed]

Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

'/var/tmp/. ' and '/var/tmp/bind' contained a numer of scanning programs that were active...

Any ideas? Anyone experienced this sort of thing before?

IN addition to what Apoc said, hackers won't leave you alone and they'll keep coming back to use your server to launch attacks on other servers, or do other harmful things. Secure and harden your server before it is too late.

 

[sparek-3]

mod_security is good and I'm not trying to say that it is not a useful tool. But nothing compares to keeping your scripts up-to-date. If you keep your scripts up-to-date, then its likely you won't have these problems.

Using mod_security for your security is like trying to think of every possible vulnerability that could exist and blocking it. Its much more feasible to fix the underlying problem by updating the script or perhaps the vulnerability has not been patched, then it needs to be brought to the attention of the developers.

Using mod_security is good for finding these holes and to limit the number of exploits through the scripts. But it just should not be depended on as a complete security tool.

 

[brianoz]

Thing is, mod_security will block attempts to break into places you haven't found yet. You can't always fix every vulnerability on a server - mod_security set up intelligently will catch whole classes of attacks.

Defence in depth applies here - use a good set of mod_security rules and ALSO update your scripts. Don't rely on one or the other!

 

[dv2support]

I am running the latest release of cPanel and WHM. THey are both set to automatically update.

My server is continuously getting hit by a PHP problem:

Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

'/var/tmp/. ' and '/var/tmp/bind' contained a numer of scanning programs that were active...


Any ideas? Anyone experienced this sort of thing before?

For the newbie on cPanel, you can also run /scripts/securetmp on cPanel. I usually symlink /var/tmp to /tmp before doing this. It will help keep most scripts from executing in /tmp, unless it is called by some binary executable, such as perl.

 

[Modchips(Pablo)]

Get a look to this. May be is your solution..

http://forums.cpanel.net/member.php?find=lastposter&t=57343