Vernon.
If you must stay with Red Hat 7.x then at least go up to 7.3. Unless you are using some HP server that requires drivers that were never upgraded past 7.1 its got two major successor releases for a reason.
Apache must be upgraded with up2date to the lastest stable release at the very least.
Many hackers cover their tracks, some are quite stupid.
Check the last and lastb command and see from whence your hackers came.
They might have jumped on using traditional telnet, but an apache exploit needs to be epxlored.
If found an interesting situation on my Red Hat Server 7.3 before i closed the holes by running Bastille and shutting down telnet.
I found an account called haxor with user id zero.
I didn't put it there.
My hacker set up a form for relaying spam on the server and then stopped using the account, hoping I would not notice. It was the source of most of my spam problems.
I did notice. Look at /etc/passwd for accounts you did not put there. Especially those with root user id. Get rid of them.
You have been hacked very quickly, several times. If you have closed the apache hole look for a user account.
I recommend the following steps:
Installation and regular use of Bastille
Installation and regular reports with tripwire. Tripwire should be run nightly and will notify you of any change in system configuration.
Conduct regular reviews of /etc/passwd and eliminate accounts you can not account for. You can always put the account back if something breaks.
I had an account on my system called ftpuser. Someone was using that account to try and ftp a mailform to my server. This failed because he couldn't make the permissions executable. Once i reset the password on this account that silliness stopped.
I think the root of my problem was that I was using telnet to get on the box from remote locations, quite regularly. Someone sniffed for a password and got the root one, long enough to set up an account. Either that or they got privledges by patching an unupdated service.
The long term answer for me was Red Hat ES 3. It shipped much stronger on a security standpoint than RH 7.x. The only problem thus far is some hardware doesn't have drivers yet and tripwire won't work at all. Still, a lot of the vulnerabilities built into Red Hat 7.x are closed.
The upgrade is possible, and not too painful. You'll need to upgrade httpd.conf to handle the new syntax for your web servers and ssl is a slightly painful migration.
Still, being closer to current on the OS is worth it.
SEP
The junk in your access_log may be an exlpoit, or it may be just junk because apache wasn't patched up nicely.
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
