I have serious problems with ".cgi" files containing malicious code; with them, the person who has these files can send spam through my server without any kind of block. Could I block this type of spam sending with ".cgi" files?
Make sure that Apache is compiled with suexec (when compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns/executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls).
We also recommend compiling Apache + PHP with suphp. Suphp forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue.
Install mod_security (one of the best tools for preventing malicious Apache use is mod_security).
Confirm /tmp is secured
Scan the server thoroughly using latest scanning tools
You need to check the Apache logs and domlogs to find how the script was uploaded to the server, so that we can close that vulnerability and prevent it from happening again.
All the above installations and scanning can be done without any downtime.
Hope this info helps
SupportExpertz.com - the name says it all!
Managed Cloud Servers
Server Management and Monitoring
24x7 outsourced customer support
Identifying is not the problem; I have installed mod_security, but how do I configure mod_security to stop running this type of file? I have one saved; if I send this file to the forum, would you analyse it for me? Or help me to configure mod_security.
If the account which contained the malicious CGI code was hacked, I would suggest you to check the server logs to find how it was injected.
If it is via FTP, change the mode to passive and tighten the f/w rules. If it was via SSH, disable direct root login and grant bash only to potential customers if it is a shared hosting (and that too a jailed shell).
mod_security uses string comparison, and it is difficult to find dynamic contents. All you can do is configure mod_sec with common abuse strings.
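Both answers say to go through the Apache access logs/domlogs to find how the script got onto the server. The script below is an added example (not code from either poster) of that triage run over constructed sample combined-log lines: for every .cgi path that was requested it records the first hit, the client IPs that called it, and the POST/PUT requests those same clients made beforehand, which are the candidate upload vectors to chase further in the logs and FTP/SSH records.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real server data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /upload.php HTTP/1.1" 200 211
203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "GET /cgi-bin/mailer.cgi?to=x HTTP/1.1" 200 45
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/mailer.cgi HTTP/1.1" 200 45
198.51.100.4 - - [10/Oct/2023:13:57:30 +0000] "GET /about.html HTTP/1.1" 200 900
"""


def parse(lines):
    """Yield one dict per parsable line; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(lines):
    """Return {cgi_path: {"first": time, "ips": [...], "uploads": [...]}}.

    "uploads" lists the POST/PUT paths each calling client sent *before* its
    first request to the .cgi file, i.e. where the file may have come in.
    """
    writes = defaultdict(list)  # client ip -> write requests seen so far
    report = {}
    for r in parse(lines):
        path = r["path"].split("?", 1)[0]  # drop the query string
        if r["method"] in ("POST", "PUT"):
            writes[r["ip"]].append(path)
        if path.lower().endswith(".cgi"):
            entry = report.setdefault(path, {"first": r["time"], "ips": [], "uploads": []})
            if r["ip"] not in entry["ips"]:
                entry["ips"].append(r["ip"])
            for p in writes[r["ip"]]:
                if p not in entry["uploads"]:
                    entry["uploads"].append(p)
    return report


if __name__ == "__main__":
    for cgi_path, entry in triage(SAMPLE_LOG.splitlines()).items():
        print(cgi_path, entry)
```

Point it at a real domlog with `triage(open(path))`; a .cgi path whose callers have no earlier write requests in the web log points at FTP or SSH as the upload channel instead.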