Server Compromised: Apache or PHP vulnerability

stugster

I am running the latest release of cPanel and WHM. They are both set to automatically update.

My server is continuously getting hit by a PHP problem:

Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

'/var/tmp/. ' and '/var/tmp/bind' contained a number of scanning programs that were active...


Any ideas? Anyone experienced this sort of thing before?
 

Apoc

That problem has nothing to do with Apache or PHP vulnerabilities; the problem has to do with exploitable scripts that are located on your server. You can try tracking it with this command:

egrep <hack.name> /usr/local/apache/domlogs/*

You'd have to replace <hack.name> with the name of the hack scripts you found in /tmp. Based on the output you should usually be able to find the exploited script(s).

However, someone may just (accidentally or not) upload an exploitable script again in the future. You should probably look into installing mod_security for Apache. If you install it with a good ruleset, it'll deny requests for file execution in /tmp, which makes the exploitable scripts less dangerous to your server.
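
The domlog search described in the post above, as an added example that is not part of Apoc's post or of cPanel: it matches the file name literally and reports which script path and client address each hit points to, per domlog. The function names, the placeholder `hackname_example` and the sample log lines are constructed for illustration; it assumes the domlogs are in Apache combined log format.

```shell
#!/bin/sh
# Added example: which script and client does each matching domlog hit point to?
# Usage: find_exploited_scripts NAME [LOGDIR]
# Prints: count<TAB>domlog<TAB>script path<TAB>client IP, busiest first.
find_exploited_scripts() {
    name=$1
    logdir=${2:-/usr/local/apache/domlogs}   # path from the post above
    [ -n "$name" ] || return 2
    tab=$(printf '\t')
    for log in "$logdir"/*; do
        [ -f "$log" ] || continue
        # NEEDLE goes through the environment so it is matched literally
        # (egrep would treat the "." in a file name as a wildcard).
        NEEDLE=$name DOM=$(basename "$log") awk '
            index($0, ENVIRON["NEEDLE"]) == 0 { next }
            {
                # Combined log format: the request line is the first quoted field.
                if (split($0, q, "\"") < 3) next
                split(q[2], req, " ")        # METHOD URI PROTOCOL
                uri = req[2]
                sub(/\?.*/, "", uri)         # drop the query string
                split(q[1], pre, " ")        # pre[1] is the client address
                hits[ENVIRON["DOM"] "\t" uri "\t" pre[1]]++
            }
            END { for (k in hits) print hits[k] "\t" k }
        ' "$log"
    done | LC_ALL=C sort -t "$tab" -k1,1nr -k2
}

# Constructed sample domlogs (not real traffic); "hackname_example" stands in
# for the name of a file found in /tmp.
make_sample_domlogs() {
    mkdir -p "$1"
    cat > "$1/example.com" <<'EOF'
203.0.113.5 - - [10/Oct/2005:13:55:36 +0000] "GET /gallery/view.php?f=hackname_example HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [10/Oct/2005:13:55:40 +0000] "GET /gallery/view.php?f=hackname_example&x=1 HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [10/Oct/2005:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
EOF
    cat > "$1/example.org" <<'EOF'
198.51.100.9 - - [10/Oct/2005:15:00:00 +0000] "POST /forum/post.php?t=hackname_example HTTP/1.1" 200 64 "-" "-"
EOF
}
```

The script paths at the top of the output are the ones to review or update first; the client addresses give a starting point for checking what else those clients requested.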
 

AndyReed

Tempest2 said:
Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

'/var/tmp/. ' and '/var/tmp/bind' contained a number of scanning programs that were active...

Any ideas? Anyone experienced this sort of thing before?
In addition to what Apoc said, hackers won't leave you alone and they'll keep coming back to use your server to launch attacks on other servers, or do other harmful things. Secure and harden your server before it is too late.
 

sparek-3

mod_security is good and I'm not trying to say that it is not a useful tool. But nothing compares to keeping your scripts up-to-date. If you keep your scripts up-to-date, then it's likely you won't have these problems.

Using mod_security for your security is like trying to think of every possible vulnerability that could exist and blocking it. It's much more feasible to fix the underlying problem by updating the script, or, if the vulnerability has not been patched, it needs to be brought to the attention of the developers.

Using mod_security is good for finding these holes and to limit the number of exploits through the scripts. But it just should not be depended on as a complete security tool.
 

brianoz

Thing is, mod_security will block attempts to break into places you haven't found yet. You can't always fix every vulnerability on a server - mod_security set up intelligently will catch whole classes of attacks.

Defence in depth applies here - use a good set of mod_security rules and ALSO update your scripts. Don't rely on one or the other!
 

dv2support

Tempest2 said:
I am running the latest release of cPanel and WHM. They are both set to automatically update.

My server is continuously getting hit by a PHP problem:

Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

'/var/tmp/. ' and '/var/tmp/bind' contained a number of scanning programs that were active...


Any ideas? Anyone experienced this sort of thing before?
For the newbie on cPanel, you can also run /scripts/securetmp on cPanel. I usually symlink /var/tmp to /tmp before doing this. It will help keep most scripts from executing in /tmp, unless it is called by some binary executable, such as perl.