After looking deaper at your post, it looks like they ran something from the tmp directory. You should lock the tmp directories, and perhaps consider running suexec for perl. Mod_security will help as well. You also should chmod 700 the programs web users don't need.
Security is done in layers. I recommend paying someone to secure your box. Regards, Pierre -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of LaRoy McCann Sent: Monday, August 23, 2004 1:45 PM To: [EMAIL PROTECTED] Subject: [Apache-FP] web server hacked I have a buddy that is running RH9.0 with Apache 2.0.40 with FP extentions. His web server got hacked into. They replaced the index page. They had their name of "Total Cha0s" on the index page. Anyone know of a bug in apache that will allow this? Here is a listing of the files they placed in the tmp dir. [EMAIL PROTECTED] tmp]# ll total 488 -rw-r--r-- 1 apache apache 757 Aug 22 00:20 dc.pl -rwxrwxrwx 1 apache apache 19242 Aug 18 14:38 r0nin -rw------- 1 apache apache 93 Aug 17 08:29 sess_bd2f85b4f15f7471f989baa66cdc2cbb -rwxrwxrwx 1 apache apache 0 Aug 21 15:31 xiit -rwxr-xr-x 1 apache apache 463529 Aug 22 00:21 xpl_brk _______________________________________________ Apache-FP mailing list [EMAIL PROTECTED] http://lists.joshie.com/mailman/listinfo/apache-fp Donations: http://www.amazon.com/paypage/PT5LZITM9L227
