
I am the datacenter manager at a small ISP and we have been having an issue with mystery scripts sending out SPAM on our server. These PHP scripts will appear mysteriously in /tmp as well as sometimes in website folders. We had the software "Gallery" installed, which required dangerously elevated permissions and allowed these scripts to be injected. I have since limited that site via .htaccess to our office only, and now spam has ceased showing up in the website folders, but still shows up in /tmp as well as other website folders. Our server runs exim with Directadmin on Debian 2.6.26-29.

To find the SPAM scripts I run:

    server:/# grep cwd /var/log/exim/mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

          1 /home/xxx/domains/XXX/public_html/cgi-bin/formmail
          2 /
          2 /home/xxx/domains/xxx.com/public_html/wp
          2 /home/xxx/domains/xxx.com/public_html
          2 /home/xxx/domains/xxx.com/public_html
          4 /usr/local/directadmin
         11 /home/admin
        303 /home/admin/domains/xxx/public_html/components
       2947 /tmp

Does anyone know how to find out where these scripts are coming from? Apache is the owner of the SPAM scripts. Thank you in advance.

HopelessN00b
Riley
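The same aggregation as the pipeline in the question, as an added example that is not part of the original post: it pulls the `cwd=` field out of exim mainlog lines, skips exim's own spool directory, ranks the submitting directories by count, and separately flags submissions from shared writable locations such as /tmp. The log lines are constructed samples in the shape exim writes when `log_selector` includes `+arguments`, and the list of shared writable directories is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the shape exim writes to mainlog when
# log_selector includes +arguments (not lines from the poster's server).
SAMPLE_MAINLOG = """\
2012-04-01 03:12:07 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2012-04-01 03:12:09 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2012-04-01 03:15:44 cwd=/home/admin/domains/example.invalid/public_html/components 3 args: /usr/sbin/sendmail -t -i
2012-04-01 03:20:01 cwd=/var/spool/exim 4 args: /usr/sbin/exim -q
2012-04-01 03:21:13 1SEwz1-0003Qx-7B <= apache@mail.example.invalid U=apache P=local S=612
2012-04-01 03:22:30 cwd=/home/admin 3 args: /usr/sbin/sendmail -t -i
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")

# Shared directories every local process can write to; mail submitted from
# here almost never comes from a legitimate site (assumed list).
SHARED_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")


def count_cwd(log_text, exclude_prefix="/var/spool"):
    """Count log lines per submitting working directory, skipping exim's own
    spool directory (the `grep -v /var/spool` step of the pipeline)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = CWD_RE.search(line)
        if match is None:
            continue  # receipt/delivery lines carry no cwd= field
        cwd = match.group(1)
        if cwd.startswith(exclude_prefix):
            continue
        counts[cwd] += 1
    return counts


def rank_cwd(counts):
    """Ascending by count, like `sort -n`; the busiest directory comes last."""
    return sorted(counts.items(), key=lambda item: (item[1], item[0]))


def flag_shared_writable(counts):
    """Directories inside a shared writable location, with their counts."""
    return {cwd: n for cwd, n in counts.items()
            if any(cwd == d or cwd.startswith(d + "/") for d in SHARED_WRITABLE)}


if __name__ == "__main__":
    counts = count_cwd(SAMPLE_MAINLOG)
    for cwd, n in rank_cwd(counts):
        print(f"{n:7d} {cwd}")
    print("submitted from shared writable dirs:", flag_shared_writable(counts))
```

Point `count_cwd` at the contents of /var/log/exim/mainlog to reproduce the question's listing; the flagged set is where the noexec /tmp mount and the search for stray PHP files should start.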

1 Answer

Any of your customers' sites can contain vulnerable code which hackers exploit and use to inject those scripts into your server.

I hope your new server setup has a proper setup so that customers' PHP scripts don't have access to the systemwide /tmp. Personally, I prefer to install PHP-FPM inside a chroot, although that is a non-trivial exercise.

If these are standard shell scripts that are in /tmp, you can prevent their execution by creating a separate partition for /tmp, and mounting that to /tmp with the noexec mount option.

However, any other directory that is writable by the Apache process is still vulnerable to the same issues. It will take some time for hackers to find new writable directories, but they will find those eventually.

The only proper solution is to make a secure web server installation, and migrate data there.

Tero Kilkanen