security issues with apache!

Tue, 07 Mar 2006 02:23:51 -0800 

Hi
I'm not completely new to Debian or Linux, but I wouldn't classify myself as a battlescarred sysadmin just yet :) 


Anyways. My problem is security-related, and I hope that I'm posting to 
the correct list as well as hoping that someone can help me out here.



Recently I've noticed that my Apache-installation gets violated and that 
an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it 
makes Apache execute these. Unfortunately these are some rather nasty 
things, mostly portscanners and bruteforce-attacks. They are all easily 
detected with netstat, and at least once a day I have to go in and kill 
the processes spawned by www-data (the user that runs Apache) as well as 
delete the offending files.



Now, like I said - I'm not a pro, I'm trying to learn by doing. 
Unfortunately how this happens is way over my experience, and now I 
could really use some help in fixing this leak. I've narrowed it down to 
Apache only, but I have no clue as to how to seal the leak. I'm running 
a small server in my home using (mostly) Debian Sarge. This is a real 
Frankenstein-machine as it was originally a Woody-box, but it's been 
upgraded with bits from all over. It's been running pretty much 
constantly for three years. Of course I apply security fixes when they 
arrive, but I don't know if the source of these intrusions is Apache or 
just that I have managed to fubar some setting somewhere, allowing an 
attacker to make Apache execute code.



Essentially the machine is Debian Sarge, with MySQL and PHP4. There are 
other services running on it, but I've noticed that the 
intrusions/code-executions only happen through Apache. MySQL only 
listens on localhost and accepts no connections from the outside. Hence, 
I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 and 
PHP 4.3



I deeply appreciate any help that can make me seal this leak! Thank you 
all in advance!


/petter senften

--
[EMAIL PROTECTED] | http://www.isecore.net
--------------------------------------------
tonight we light the fires
we call our ships to port
tonight we walk on water
and tomorrow we’ll be gone


--

To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
























					Reply via email to