cgi script added to tmp directory

I had a problem with a hacker adding a cgi script to my tmp directory on my hosting account. My hosting company found the script immediately and no problems arose.

I use php but not cgi so I had them turn off cgi. They say they don't know how the script was added. They say I have a update my script immediately. Well I don't use cgi so I now its not a problem there, uless I've got a hole in a php script that allows a cgi script to be posted.

Does anyone know the most common ways cgi scipts are hacked into tmp directories so I know where to look for this hole?

Thanks,

Fr. Robert

How? most likely through a badly written application ( PHP apps would be the first place to look ). Unless you've got the webserver logs etc for the time of the attack ( & any half-intelligent attacker is going to remove them ), there's not much else anyone can say, apart from make sure every app. you're running is upgraded.

--Simon

The most common scripts used like that are bouncers for anonymizing traffic (and sending spam). The way they get in is usually through well-known security holes in common php programs.

Are you using: phpBB, phpNuke, vBulletin, WordPress, MediaWiki or any software like that and you did not upgrade within the last weeks?

But it could be just as well any other source. One of your own scripts, a script from a different customer, a security problem with your ISP, ...

To find out, you'd need root access and probably you'd have to do some auditing and hope the guy tries again so you catch him in the act.

HTH,
M.

Do you allow uploding of any graphics or anything? http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1