[mapserver-users] Server hacked via cgi-bin - Mapserver, PHP, …? How to better protect the machine now?

Burgholzer, Robert (DEQ) Robert.Burgholzer at deq.virginia.gov
Mon Dec 9 04:46:10 PST 2013


Stefan,
I would be interested in information about your case.  We had an old node with some outdated CGI stuff (including mapserv) that was compromised a few weeks back, via what appeared to be a CGI issue.  We had php in the cgi-bin directory (5.2.13) as well as mapserver 5.6.3.  As good fortune had it, I was in the process of migrating stuff from the directories on this old node to a new node at the exact same time as the intruder's entry, and managed to capture a few lines from the log before the intruder wiped the logs clean on exit.

It was a very odd experience: I found a file named perl-cgi in the cgi-bin directory as I was listing the cgi-bin contents to verify the mapserv location.  I did a quick grep of the logs for the file and found the call to that program with a password argument, and copied it to email our sysadmin guy; by the time that I shut down httpd and returned to scouring the logs, the logs had been wiped.  In other words, I was lucky enough to be watching it go down in real time.

Anyhow, we can discuss this off-list if it is not verified that mapserv may have been involved - or on list if there are any others who have had a similar experience in recent times.

/r/b
