On Wed, 2007-05-16 at 13:23 -0700, Marc Perkel wrote:
> I'm somewhat sure the problem is apache related because the files that
> end up there are owned by user apache.

All that means is that the intrusion is most likely happening via a
process running as the apache user. In the vast majority of cases that
means the intrusion is taking place via something served up by your
webserver.

I'll take a punt: you have a customer with something like wordpress (or
other blog engine), phpbb or vbulletin (or some other forum
application), some sort of CMS like drupal, or something else written in
PHP which is being handled by mod_php loaded up as an Apache module.
Someone knows that's the case and is driving a bus through the holes the
application contains (or, to keep the house analogy going, they know of
a hole in your screen door that you haven't bothered to fix yet; you
lock the screen door but leave the internal one behind it on the latch.
Or something...)

[Update: you're using squirrelmail, which is written in PHP, but you are
at least up-to-date with that.]

Your problem is almost certainly not directly related to Apache.

You appear to be providing hosting as a business. You need to ensure
your customers keep their PHP applications patched and up-to-date in
order to keep your server(s) secure.

I'll say it again - your problem is almost certainly not directly
related to Apache.

There are many ways you can mitigate, but not remove, these PHP related
problems. The first is to stop running PHP as a module and take the
performance hit of running it as a CGI. That way, if you get clobbered
by an intrusion, you should know *exactly* which user (and therefore
site) caused it.

Please take the time to read up on how to do it. It's not hard.

Graeme
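
A sketch of the per-site PHP-as-CGI setup suggested above, using Apache's suEXEC. This is an added example, not part of the original message. The account name, hostname, paths, the wrapper script and the php-cgi location are all hypothetical. With this in place, a file written through a site's PHP code is owned by that site's account rather than by the shared apache user.

```apache
# Added example. customer1, customer1.example, /var/www/customer1 and
# php-wrapper are hypothetical names chosen for illustration.
# Assumes mod_suexec, mod_actions, mod_alias and mod_mime are loaded, that the
# suexec binary's compiled-in docroot covers /var/www, and that mod_php is not
# handling .php files for this virtual host.
<VirtualHost *:80>
    ServerName customer1.example
    DocumentRoot /var/www/customer1/htdocs

    # CGI programs in this vhost run as the customer's own account
    # instead of the shared apache user.
    SuexecUserGroup customer1 customer1

    # php-wrapper is a two-line shell script owned by customer1:customer1,
    # mode 0755, whose body is (php-cgi path is an assumption):
    #     #!/bin/sh
    #     exec /usr/bin/php-cgi
    # suEXEC refuses to run it if the script or its directory is writable
    # by anyone else, or if it is owned by a different user.
    ScriptAlias /php-bin/ /var/www/customer1/php-bin/

    # Send .php requests through the wrapper rather than an in-process module.
    AddHandler php-cgi .php
    Action php-cgi /php-bin/php-wrapper
</VirtualHost>
```

Repeat the block per customer with that customer's account and paths. Refused executions are recorded in the suexec log, which is the first place to look if PHP pages return a server error after the change.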


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.