Apache service compromised?

mwyr
Posts: 2
Joined: 2008/03/26 23:47:10

Apache service compromised?

Post by mwyr » 2008/03/27 00:31:31

Hello.

My CentOS 4.6 server acts very badly.

Apache and postfix have been installed and configured for over a year. I've noticed that for a couple of days there have been strange messages in the postfix queue, and all were addressed from apache@localhost. I suppose it was compromised, but I'm pretty sure that no account access was taken over, and it might be some www site with little security which caused the problem.

The server is behind a firewall on eth0, but there is another interface (eth1) connected recently which had little protection. I set iptables rules to pass only http and smtp traffic on the eth1 interface yesterday. There are no shell user accounts and only a few virtual mailboxes and virtual domains are hosted. There is a proftpd (from the dag repo) installed and configured to provide access to the virtual domains (simple unix account authorization is used just for this purpose).

Finding the source of what caused this behaviour is rather hard because of the huge logs generated by postfix. I've noticed there is something that sends emails by executing the 'sendmail' program from time to time from the apache account. But I don't know how to find out what that is.

Now I disabled sending from apache account (in main.cf) and it is ok:
authorized_submit_users = !apache, static:all

...but I believe there is something that still tries to send spam. And www sites cannot send emails themselves because of that.

I've been monitoring traffic, checking strange services, checking foreign domains to which the server connects, searching for some scripts somewhere, but still no target was found. I know I should reinstall the system, but it would be enough if I find the script which is fired from the apache account.

How can I check what is trying to run some script as apache user with little harm to server work?
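One way to answer this question on the detection side is to point PHP's sendmail_path at a logging wrapper, so every mail handed to sendmail by a web script is recorded together with the script's path, the client address and the request URI that Apache exports to the child process. This is an added example, not code from the thread; the wrapper path, the real sendmail path and the log file location are assumptions.

```bash
#!/bin/sh
# Logging sendmail wrapper (added example). Assumed setup, not from the thread:
#   php.ini:  sendmail_path = /usr/local/sbin/sendmail-logged -t -i
#   the log file must be writable by the apache user.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"
LOGFILE="${LOGFILE:-/var/log/sendmail-wrapper.log}"

# Build one log line from the environment a PHP-spawned sendmail inherits.
# Apache passes SCRIPT_FILENAME, REMOTE_ADDR and REQUEST_URI down to the
# child, so the line names the script and the request that sent the mail.
log_line() {
    printf '%s uid=%s cwd=%s script=%s remote=%s uri=%s args=%s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$(id -u)" "$PWD" \
        "${SCRIPT_FILENAME:-unknown}" "${REMOTE_ADDR:-local}" \
        "${REQUEST_URI:--}" "$*"
}

# When called with sendmail arguments (as PHP always does), record the
# call and hand the message over to the real MTA unchanged.
if [ $# -gt 0 ]; then
    log_line "$@" >> "$LOGFILE"
    exec "$REAL_SENDMAIL" "$@"
fi
```

A spam run then shows up as a burst of lines naming one script path, which is the file to inspect; requests with an unexpected uri= value point at the injected parameter.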

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: Apache service compromised?

Post by michaelnel » 2008/03/27 21:43:50

What did the "strange messages" from apache@localhost say? Who are they addressed to?

mwyr
Posts: 2
Joined: 2008/03/26 23:47:10

Re: Apache service compromised?

Post by mwyr » 2008/03/30 01:46:56

The messages were addressed all over the world and they evidently were spam messages because of irregular addresses to many hosts (e.g. yahoo).
I found that preventing the apache user from sending mail is not enough, because the server is still being attacked and some scripts are executed on it. It's getting worse over time.

A few minutes ago I've just located a vulnerability in one of the hosted sites. There was (in a PHP script) a simple include() function, which was including any file without a check - this surely was a problem! I hope this was the only problem. After a few hours I will check if everything is right.

What's curious is that the injected script was connecting to an IRC server where some cracker could send any commands online - very smart but very bad. I have to reinstall the server now to be sure there are no other backdoor scripts there - but for a while I will stay watching what's happening. This might be very instructive for the future.
