Re: Attempts to push spam through apache

From: Peter H. Lemieux (phl_at_cyways.com)
Date: 08/22/04

  • Next message: Gite, Ashish (Security Consultancy): "RE: Attempts to push spam through apache"

    Date: Sun, 22 Aug 2004 13:44:36 -0400
    To: Adrian Popescu <adixpope@rdsnet.ro>

    Adrian Popescu wrote:
    > To "be sure" nobody succeeds, put this in your "Main" section in httpd.conf
    > (this will apply to VirtualHosts too, if you have any):
    > <Location />
    > <Limit CONNECT>
    > Order deny,allow
    > Deny from all
    > </Limit>
    > </Location>

    This is a good suggestion which I've implemented for the time being. In the
    default httpd.conf distributed with RedHat 7-9, I added <Limit> to the
    <Directory /> defaults which has the same effect. The logs then show a 403
    HTTP error being sent to the client rather than a 200.

    > here is a link to a bug, which occurs even if mod_proxy is disabled:
    > http://bugs.php.net/bug.php?id=19113

    Thanks, Adrian. This certainly looks like the same bug to me. Reading the
    comments it appears the problem is in the Apache DSO handlers, not PHP, but
    there's no mention of it in the Apache bugzilla listings. I'm probably
    going to move to Apache 2.0.50 and see if this goes away. I have a test
    machine running Fedora Core 2 with all the latest updates including a
    mod_ssl update from early July.

    > About the openssl problem ...

    > If he/she got root, it doesn't matter if "ps" is unmodified;
    > processes can be hidden, and log files played with.
    >
    > Use the "chkrootkit" tool, or other programs (run it a couple of times).
    > Also look in /tmp or other places where Apache (User/Group)
    > is able to write and see if there is any trace left.

    The previous intruder, which I suspect was an automated script and not a
    real person, never got root. The script installed the IRC proxy source in
    /tmp, then compiled and ran it as the apache user. After that happened, I
    blocked apache's access to /tmp by creating a "tmpusers" group to which
    apache doesn't belong, and making /tmp owned by root/tmpusers with 0770
    perms. I don't have to support users on this box, so only a limited number
    of users, like the PostgreSQL owner, need access to /tmp. I was already
    routing other things apache commonly puts in /tmp like PHP session data to
    separate directories so this was a pretty simple fix.

    Thanks again!

    Peter
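    The check Peter describes above (the access log showing a 403 rather than a 200 for CONNECT requests once the <Limit> block is in place) can be automated. The script below is an added example written for this archive page; it is not code from either poster. It parses Apache combined-format access_log lines, picks out open-proxy probes, and reports whether each was relayed (2xx) or refused. It goes slightly beyond the thread by also flagging absolute-URI requests such as "GET http://other.host/ HTTP/1.1", which are the other common way spammers test for an open proxy. The log lines in SAMPLE_LOG are constructed for the example; the addresses and hostnames are illustrative, not from the thread.

```python
"""Scan Apache access_log lines for open-proxy probes (CONNECT and absolute-URI requests).

Added example, not part of the original mailing-list message. Assumes the default
Apache combined log format (LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"").
"""
import re
from dataclasses import dataclass

# host ident user [time] "request" status bytes ...   (trailing referer/agent fields ignored)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# The %r request line: METHOD target [HTTP/version]
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/(?P<version>[\d.]+))?$')
# A request target carrying a scheme ("http://...") is a proxy-style request, not a local path
ABSOLUTE_URI_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://')


@dataclass
class ProxyProbe:
    host: str
    method: str
    target: str
    status: int
    served: bool  # True when Apache answered 2xx, i.e. the request was honoured rather than refused


# Constructed sample log lines for the example (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Aug/2004:13:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Aug/2004:13:02:10 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 200 - "-" "-"',
    '203.0.113.7 - - [22/Aug/2004:13:05:44 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 403 298 "-" "-"',
    '198.51.100.9 - - [22/Aug/2004:13:06:01 -0400] "GET http://www.example.org/ HTTP/1.1" 403 298 "-" "-"',
    'this line is not in log format and must be skipped',
]


def parse_line(line):
    """Return (host, method, target, status) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = REQUEST_RE.match(m.group('request'))
    if not r:
        return None
    return m.group('host'), r.group('method'), r.group('target'), int(m.group('status'))


def is_proxy_probe(method, target):
    """CONNECT requests and requests for an absolute URI are both proxy probes."""
    if method == 'CONNECT':
        return True
    return bool(ABSOLUTE_URI_RE.match(target))


def find_proxy_probes(lines):
    """Collect every proxy probe in the given log lines, noting whether it was served."""
    probes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, method, target, status = parsed
        if is_proxy_probe(method, target):
            probes.append(ProxyProbe(host, method, target, status, 200 <= status < 300))
    return probes


def summarize(probes):
    """Counts a practitioner wants at a glance: any 'served' probe means the box acted as a relay."""
    served = sum(1 for p in probes if p.served)
    return {'total': len(probes), 'served': served, 'blocked': len(probes) - served}


if __name__ == '__main__':
    found = find_proxy_probes(SAMPLE_LOG)
    for p in found:
        verdict = 'RELAYED' if p.served else 'refused'
        print(f'{p.host:>14} {p.method:8} {p.target:30} {p.status} {verdict}')
    print(summarize(found))
```

    Run it against a real access_log with `find_proxy_probes(open('/var/log/httpd/access_log'))`; after the <Limit CONNECT> change the "served" count for CONNECT should drop to zero, and any non-zero count for absolute-URI GETs points at a proxy path the <Limit> block alone does not close.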

