This is a discussion on "apache hacking?" within the Linux Security forums, part of the System Security and Security Related category.
Hi,
I am on FreeBSD 4.8. I went to see what is contained in my /tmp folder and I found this list of files: sess_31337_phpnuke.1 sess_31337_phpnuke.2 sess_31337_phpnuke.3 etc.... I erased them, but after 30 min they are here again. In fact, some files are created every 30 min. So I searched for the program that is making them. I found in the apache "error_log" file these lines:

--------------------------------------------------------------------------------------------------------------
[Fri Nov 18 17:57:08 2005] [notice] Apache/1.3.33 (Unix) PHP/4.4.0 configured -- resuming normal operations
[Fri Nov 18 17:57:08 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Fri Nov 18 17:57:08 2005] [notice] Accept mutex: flock (Default: flock)
--20:04:31-- http://celular.gratishost.com/sess_31337_phpnuke
=> `sess_31337_phpnuke'
Resolving celular.gratishost.com... done.
Connecting to celular.gratishost.com[66.115.176.138]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,857 [text/plain]
0K .......... ....... 100% 125.46 KB/s
20:04:35 (125.46 KB/s) - `sess_31337_phpnuke' saved [17857/17857]
--------------------------------------------------------------------------------------------------------------

So apache is downloading these files from a remote host and copying them to the /tmp directory? Can anyone help me find how to stop that?

Thanks a lot.
gandoura_mehdi@yahoo.fr wrote:
> So I searched for the program that is making them. I found in the
> apache "error_log" file these lines:
>
> --------------------------------------------------------------------------------------------------------------
>
> [Fri Nov 18 17:57:08 2005] [notice] Apache/1.3.33 (Unix) PHP/4.4.0
> configured -- resuming normal operations
> [Fri Nov 18 17:57:08 2005] [notice] suEXEC mechanism enabled (wrapper:
> /usr/local/apache/bin/suexec)
> [Fri Nov 18 17:57:08 2005] [notice] Accept mutex: flock (Default:
> flock)
> --20:04:31-- http://celular.gratishost.com/sess_31337_phpnuke
> => `sess_31337_phpnuke'
> Resolving celular.gratishost.com... done.
> Connecting to celular.gratishost.com[66.115.176.138]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 17,857 [text/plain]

I had a quick look at the file - it looks like the phpIncludeWorm (http://isc.sans.org/diary.php?date=2004-12-27). This exploits VERY BADLY WRITTEN PHP scripts.

You should certainly consider the user account under which apache runs to be compromised, and should be checking your Intrusion Detection System and checking for rootkits. I'd recommend a complete reformat/restore.

Note that the reason your system was vulnerable was because your PHP config is not adequately secure for the quality of code being published on it. For closed development it's OK to run with the defaults, even to enable things like register_globals, as long as your developers know what they are doing. If you are running other people's code on your server you should have register_globals disabled, and should be using open_basedir constraints. You should also have suexec disabled. Securing a PHP installation is well documented on the internet.

C.
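The two symptoms in this thread (a wget transcript inside Apache's error_log, and files in /tmp named like PHP session files but not by PHP) and the reply's configuration advice can all be checked mechanically. The script below is an added example written for this page, not code from either poster or from any project. It assumes the wget 1.x transcript format shown in the thread, assumes that genuine PHP session files are named sess_ followed only by session-id characters (letters, digits, comma, hyphen), and assumes the php.ini defaults noted in the comments. The error_log sample embeds the lines quoted above; the two php.ini fragments are constructed to show the loose settings beside the ones the reply recommends (allow_url_fopen is included as the PHP 4 switch that lets include() fetch URLs; the reply does not name it).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the error_log lines quoted in the thread, reflowed one per line.
SAMPLE_ERROR_LOG = """\
[Fri Nov 18 17:57:08 2005] [notice] Apache/1.3.33 (Unix) PHP/4.4.0 configured -- resuming normal operations
[Fri Nov 18 17:57:08 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Fri Nov 18 17:57:08 2005] [notice] Accept mutex: flock (Default: flock)
--20:04:31--  http://celular.gratishost.com/sess_31337_phpnuke
           => `sess_31337_phpnuke'
Resolving celular.gratishost.com... done.
Connecting to celular.gratishost.com[66.115.176.138]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,857 [text/plain]
20:04:35 (125.46 KB/s) - `sess_31337_phpnuke' saved [17857/17857]
"""

# Constructed php.ini fragments: the loose configuration and the hardened one.
WEAK_PHP_INI = """\
; constructed sample of a loose PHP 4 configuration
register_globals = On
allow_url_fopen = On
"""

HARDENED_PHP_INI = """\
; constructed sample of the settings the reply recommends
register_globals = Off
allow_url_fopen = Off
open_basedir = /usr/local/www/data:/tmp
"""

# wget 1.x transcript start: "--HH:MM:SS--  <url>"
WGET_START = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)")
# wget 1.x transcript end: "HH:MM:SS (rate) - `file' saved [got/total]"
WGET_SAVED = re.compile(r"^(\d\d:\d\d:\d\d) .* - `([^']+)' saved \[(\d+)/(\d+)\]")


def find_wget_downloads(log_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per wget transcript in an Apache error_log.

    A web server's error_log should never contain a download transcript at all:
    its presence means a child of httpd ran wget and inherited httpd's stderr.
    """
    downloads: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for line in log_text.splitlines():
        m = WGET_START.match(line)
        if m:
            current = {"started": m.group(1), "url": m.group(2),
                       "saved_as": None, "bytes": None}
            downloads.append(current)
            continue
        m = WGET_SAVED.match(line)
        if m and current is not None:
            current["saved_as"] = m.group(2)
            current["bytes"] = m.group(3)
            current = None
    return downloads


# PHP names its own session files sess_<id>; PHP 4's default id is 32 hex chars.
# Assumption here: an id never contains characters outside [0-9A-Za-z,-],
# so "sess_31337_phpnuke.1" (underscore, dot) was not written by PHP.
SESSION_NAME = re.compile(r"^sess_[0-9A-Za-z,-]+$")


def suspicious_session_files(names: List[str]) -> List[str]:
    """Return /tmp entries that imitate PHP session files but do not fit the naming rule."""
    return [n for n in names if n.startswith("sess_") and not SESSION_NAME.match(n)]


def php_ini_findings(ini_text: str) -> List[str]:
    """Flag the settings the reply calls out. Parser is deliberately minimal:
    'key = value' lines, ';' comments, case-insensitive keys, sections ignored."""
    settings: Dict[str, str] = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    truthy = ("on", "1", "true", "yes")
    findings = []
    # Assumed defaults: register_globals Off (PHP >= 4.2), allow_url_fopen On.
    if settings.get("register_globals", "off") in truthy:
        findings.append("register_globals is On: request parameters become PHP variables")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is unset: scripts may open any file the httpd user can read")
    if settings.get("allow_url_fopen", "on") in truthy:
        findings.append("allow_url_fopen is On: include()/fopen() accept remote URLs (PHP 4)")
    return findings


if __name__ == "__main__":
    for d in find_wget_downloads(SAMPLE_ERROR_LOG):
        print("wget transcript in error_log:", d)
    print("odd session files:", suspicious_session_files(
        ["sess_31337_phpnuke.1", "sess_5f4dcc3b5aa765d61d8327deb882cf99"]))
    print("weak php.ini:", php_ini_findings(WEAK_PHP_INI))
    print("hardened php.ini:", php_ini_findings(HARDENED_PHP_INI))
```

Run it against a real error_log by reading the file into find_wget_downloads and the output of os.listdir("/tmp") into suspicious_session_files; a hit from either function on a web server is an indicator of compromise to act on, not just a log to clean up, which is why the reply's rebuild advice still applies after the config findings are fixed.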