
I have a web server that is running many different sites (standard vhosts setup, most sites are Joomla based, a few WordPress and other non-CMS sites) in a Parallels Automation 11.5 environment. The version of Apache on the web server is 2.2.15, and the same problem is happening across multiple PHP versions.

Our websites have been getting hacked quite a bit, and are being used to turn our server into an email spambot. From what I can tell so far, a malicious person is able to upload a PHP file, generally to the docroot, but sometimes to the images folder, following a wn.php (w12345678n.php) naming pattern, and from what I can tell it's the WSO Web Shell. The person then seems to use that web shell to inject malicious code into the rest of the site.

The thing that strikes me as odd is that these sites are being run as FastCGI, so all of the files are owned by the FTP user of the particular account (bob_ftp etc.), but the WSO shell PHP file is being put onto the web server under apache:apache ownership.

I'm guessing that the files are being added via some sort of Apache vulnerability, but I haven't had much luck in tracking down the culprit. Could someone please point me in the direction of how I can lock down these shenanigans? Preferably by closing the vulnerability, but at this point I just want some way of mitigating the damage so I don't have to waste so much time on it.

cwm33

1 Answer

Files are created under the user that runs the process. If they are owned by apache and reside in a directory writable by apache, then ask yourself why apache needs to write 'at all' in that area. Tighten file permissions further: chown root, chmod o-wrx, etc. Apache only needs read permission in general, not ownership.

Verify unique uids in /etc/passwd; apache's uid might have a duplicate hiding there.

Btw: If you allow FTP users to write executables, then consider using chroot.

bbaassssiiee
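The checks the answer suggests (duplicate uids in /etc/passwd; files the web-server user owns or directories it can write to under a docroot) written out as a small POSIX shell audit script, plus a search for the w<digits>n.php naming pattern the question mentions. This is an added example, not code from the question or the answer; the user names (apache, bob_ftp), the sample passwd lines and the /var/www/vhosts layout are constructed for the demo and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original question or answer): audit helpers
# for the checks the answer suggests. All user names, paths and the sample
# passwd data below are constructed for the demo.

# 1. Duplicate uids: print every uid that occurs more than once in a
#    passwd-format file. A second login sharing apache's uid would create
#    files that show up as apache:apache.
dup_uids() {                      # dup_uids <passwd-file>
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# 2. Files under a docroot whose owner is not the account's FTP user.
#    Under FastCGI every file should belong to that user, so anything
#    else (e.g. apache:apache) deserves a look.
foreign_owned() {                 # foreign_owned <docroot> <expected-owner>
    find "$1" -type f ! -user "$2" -print
}

# 3. Directories under a docroot that "others" can write to. When files
#    belong to bob_ftp, the apache user falls into that class, and such a
#    directory is where a dropped PHP file can land.
other_writable_dirs() {           # other_writable_dirs <docroot>
    find "$1" -type d -perm -0002 -print
}

# Remove only the write bit for "others" on those directories; read and
# execute are left alone so Apache can still serve static files.
harden_dirs() {                   # harden_dirs <docroot>
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}

# 4. Files matching the w<digits>n.php pattern described in the question.
suspicious_names() {              # suspicious_names <docroot>
    find "$1" -type f -name 'w[0-9]*n.php' -print
}

# Constructed sample passwd data (demo only): "backdoor" reuses apache's uid 48.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
bob_ftp:x:1001:1001::/var/www/vhosts/bob:/bin/false
backdoor:x:48:48::/tmp:/bin/bash'

# Run every check against a throwaway tree instead of a live server.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    mkdir -p "$tmp/docroot/images"
    : > "$tmp/docroot/index.php"
    : > "$tmp/docroot/images/w12345678n.php"
    chmod o+w "$tmp/docroot/images"
    echo "duplicate uids:";      dup_uids "$tmp/passwd"
    echo "other-writable dirs:"; other_writable_dirs "$tmp/docroot"
    echo "suspicious names:";    suspicious_names "$tmp/docroot"
    harden_dirs "$tmp/docroot"
    echo "after hardening:";     other_writable_dirs "$tmp/docroot"
    rm -rf "$tmp"
}

# `sh audit.sh demo` runs the demo; sourcing the file just defines the helpers.
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a real host you would point the helpers at the live files, e.g. `dup_uids /etc/passwd` and `foreign_owned /var/www/vhosts/bob/httpdocs bob_ftp`, and review the output before running `harden_dirs`, since a directory that a legitimate upload feature needs to write to will also be listed.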