
I am the datacenter manager at a small ISP and we have been having an issue with mystery scripts sending out SPAM on our server. These PHP scripts will appear mysteriously in /tmp as well as sometimes in website folders. We had the software "Gallery" installed, which required dangerously elevated permissions and allowed these scripts to be injected. I have since limited that site via .htaccess to our office only, and now spam has ceased showing up in the website folders, but still shows up in /tmp as well as other website folders. Our server runs exim with Directadmin on Debian 2.6.26-29.

To find the SPAM scripts I run:

    server:/# grep cwd /var/log/exim/mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

          1 /home/xxx/domains/XXX/public_html/cgi-bin/formmail
          2 /
          2 /home/xxx/domains/xxx.com/public_html/wp
          2 /home/xxx/domains/xxx.com/public_html
          2 /home/xxx/domains/xxx.com/public_html
          4 /usr/local/directadmin
         11 /home/admin
        303 /home/admin/domains/xxx/public_html/components
       2947 /tmp

Does anyone know how to find out where these scripts are coming from? Apache is the owner of the SPAM scripts. Thank you in advance.

HopelessN00b
Riley
  • Time to blow away the server and start from a good backup. – ceejayoz May 28 '14 at 17:39
  • They're coming from a hacker or bot/botnet. Now that you've been enlightened, the next step is to nuke the compromised server from orbit and install new or restore from backups. Might want to skip installing that vulnerable gallery thing this time, though. – HopelessN00b May 28 '14 at 18:17
  • Unfortunately, this is not possible. We are in the process of migrating the data to a new server (which is virtualized), but this is a server full of hundreds of customer sites. As for backups... I just started here and you could say they've been lacking in the "best practices" category. – Riley May 28 '14 at 18:28
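The pipeline in the question counts every `cwd=` line, but it cannot tell which of those submissions actually came from the web server user rather than from cron, the admin account or the queue runner. The script below is an added example and is not code from the question or its answers. It assumes exim's `log_selector` includes `+arguments` (which is what makes the `cwd=` lines appear in `mainlog` in the first place), pairs each `cwd=` line with the message-acceptance (`<=`) line that follows it, keeps only messages whose `U=` field is the web server user, and tallies them per directory with one example sender each. The sample log lines are constructed; message ids and addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the question or its answers.
# Pairs each exim "cwd=" line with the message-acceptance ("<=") line that
# follows it, keeps only messages handed to exim by the web server user, and
# tallies them by working directory with one example sender per directory.
# Assumes exim's log_selector includes +arguments, which is what produces the
# "cwd=" lines the question's pipeline also relies on.

# Usage: web_submission_dirs MAINLOG [USER]    (USER defaults to apache)
# Prints "<count> <cwd> <example sender>" per directory, busiest last.
web_submission_dirs() {
    awk -v want="${2:-apache}" '
        # A local submission announces its working directory first.
        $3 ~ /^cwd=/ { cwd = substr($3, 5); next }

        # The acceptance line that follows says which user submitted it.
        $4 == "<=" && cwd != "" {
            user = ""
            for (i = 5; i <= NF; i++) if ($i ~ /^U=/) user = substr($i, 3)
            if (user == want) {
                n[cwd]++
                if (!(cwd in s)) s[cwd] = $5
            }
            cwd = ""
        }

        END { for (d in n) printf "%d %s %s\n", n[d], d, s[d] }
    ' "$1" | sort -n
}

# Constructed sample of mainlog lines (message ids and addresses made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014-05-28 17:01:02 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2014-05-28 17:01:02 1WpkP1-0003Gq-Lx <= promo@example.net U=apache P=local S=2110
2014-05-28 17:01:02 1WpkP1-0003Gq-Lx => someone@example.org R=dnslookup T=remote_smtp
2014-05-28 17:01:02 1WpkP1-0003Gq-Lx Completed
2014-05-28 17:02:10 cwd=/tmp 3 args: /usr/sbin/sendmail -t -i
2014-05-28 17:02:10 1WpkQ8-0003H2-Aa <= promo@example.net U=apache P=local S=2098
2014-05-28 17:03:33 cwd=/home/xxx/domains/xxx.com/public_html/components 3 args: /usr/sbin/sendmail -t -i
2014-05-28 17:03:33 1WpkRV-0003HQ-9z <= noreply@xxx.com U=apache P=local S=1530
2014-05-28 17:04:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2014-05-28 17:05:12 cwd=/home/admin 3 args: /usr/sbin/sendmail -t -i
2014-05-28 17:05:12 1WpkT2-0003Hb-Qx <= admin@xxx.com U=admin P=local S=800
EOF

web_submission_dirs "$SAMPLE_LOG"
# Expected:
# 1 /home/xxx/domains/xxx.com/public_html/components noreply@xxx.com
# 2 /tmp promo@example.net
```

Run it against the real log as `web_submission_dirs /var/log/exim/mainlog`; the `/home/admin` submission in the sample is dropped because it was made by `U=admin`, which is exactly the kind of legitimate traffic the original count lumps in with the web-server spam. Pass a different user name as the second argument if the web server runs as something other than `apache`.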

1 Answer


Any of your customers' sites can contain vulnerable code which hackers exploit and use to inject those scripts into your server.

I hope your new server is set up properly so that customers' PHP scripts don't have access to the system-wide /tmp. Personally I prefer to install PHP-FPM inside a chroot, although that is a non-trivial exercise.

If these are standard shell scripts that are in /tmp, you can prevent their execution by creating a separate partition for /tmp and mounting it on /tmp with the noexec mount option.

However, any other directory that is writable by the Apache process is still vulnerable to the same issues. It will take some time for hackers to find new writable directories, but they will find them eventually.

The only proper solution is to make a secure web server installation, and migrate data there.

Tero Kilkanen
  • Thank you for your response. I have made /tmp noexec on the old server now, which should help, but some of this stuff is showing up in site folders; how do I fix that issue? I cannot make the whole / partition noexec. – Riley May 29 '14 at 17:06
  • I am also wondering if it is possible to prevent /tmp from executing without making it a separate partition. – Riley May 29 '14 at 20:14
  • You could make a partition for the separate web content, and mount that partition noexec. You might achieve similar results with SELinux policies, but those are even more work than simple noexec. – Tero Kilkanen May 31 '14 at 01:22
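The answer recommends a dedicated, noexec-mounted /tmp and the comments ask whether the same can be done without a separate partition and which other writable directories are still exposed. The script below is an added example, not code from the answer or its author: it shows the fstab line for the separate partition, the bind-mount alternative (which the thread does not mention), and two small checks that read a mount table in `/proc/mounts` format so the change can be verified after a reboot or remount. The sample mount table is constructed and the device names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer above. Checks a mount table in
# /proc/mounts format for a given option, so the fstab change the answer
# recommends can be verified after a reboot or remount. The sample mount
# table below is constructed; the device names are placeholders.
#
# /etc/fstab line for a dedicated /tmp partition (device is a placeholder):
#   /dev/sdXN  /tmp  ext3  defaults,nosuid,nodev,noexec  0  2
# If no spare partition exists, the same flags can be applied to a bind
# mount of /tmp onto itself (an alternative the thread does not mention):
#   mount --bind /tmp /tmp && mount -o remount,bind,noexec,nosuid,nodev /tmp

# Usage: mount_has_opt MOUNTPOINT OPTION [MOUNTS_FILE]
# Exit 0 if the option is set, 1 if not, 2 if MOUNTPOINT is not mounted.
# When a path is mounted more than once, the last (effective) entry wins.
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            found = 1; has = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) has = 1
        }
        END { if (!found) exit 2; exit !has }
    ' "${3:-/proc/mounts}"
}

# Usage: mounts_missing_opt OPTION [MOUNTS_FILE]
# Lists every mount point whose options lack OPTION, one per line; these are
# the places where a dropped script can still be executed directly.
mounts_missing_opt() {
    awk -v opt="$1" '
        {
            has = 0
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) has = 1
            if (!has) print $2
        }
    ' "${2:-/proc/mounts}"
}

# Constructed sample mount table in /proc/mounts format.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

if mount_has_opt /tmp noexec "$SAMPLE_MOUNTS"; then
    echo "/tmp is mounted noexec"
fi
echo "mount points still allowing direct execution:"
mounts_missing_opt noexec "$SAMPLE_MOUNTS"
```

On a live system omit the third argument and the functions read `/proc/mounts`. Two caveats follow from the answer's own wording: noexec stops a script from being executed directly, but a file handed to an interpreter (for instance `php /tmp/x.php`) still runs, which is why the answer limits the benefit to shell scripts; and the `/home` entry in the sample, where the customer sites live, is exactly the "other directory writable by Apache" that a noexec /tmp does nothing about.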