  1. #1
    Member
    Join Date
    Jul 2002
    Posts
    214

    udp.pl doom

    Hi there,

    Recently, we are being hit with lots of "udp.pl" programs being installed and run from /tmp. The servers are running secure versions of apps... We do have a firewall, Mod Security, security settings tweaks and such.

    How do we stop "udp.pl"? Is there a snippet we could use for Mod Security?

    Thank you.

    Cretu

  2. #2
    Member
    Join Date
    Sep 2004
    Location
    Cleveland, Ohio
    Posts
    378


    Mount /tmp with noexec,nosuid,nodev permissions.
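    An added example (my own, not part of the reply above) of applying the noexec,nosuid,nodev mount and then checking that the live mount table actually carries all three options. The fstab line, the tmpfs size and the mount point /tmp are assumptions for the example; the check function parses /proc/mounts-style lines, so it can be fed a constructed line to see what it accepts.

```sh
# Added example: mount /tmp with noexec,nosuid,nodev and verify the options.
# Run the mount steps as root; the check functions need no privileges.

# Assumed fstab entry for a tmpfs-backed /tmp (size is an example value):
#   tmpfs  /tmp  tmpfs  rw,noexec,nosuid,nodev,size=512m  0 0
# Apply to an already-mounted /tmp without a reboot:
#   mount -o remount,noexec,nosuid,nodev /tmp

# has_mount_opts LINE OPT...: LINE is one line in /proc/mounts format
# ("device mountpoint fstype options dump pass"). Returns 0 only if every
# OPT appears in the comma-separated options field.
has_mount_opts() {
    line=$1; shift
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    for want in "$@"; do
        case ",$opts," in
            *,"$want",*) ;;          # option present, keep checking
            *) return 1 ;;           # one missing option is enough to fail
        esac
    done
    return 0
}

# check_mountpoint [MOUNTPOINT]: look the mount point up in the live table
# and report. Returns 0 if hardened, 1 if options are missing, 2 if the
# path is not a separate mount at all (then noexec cannot apply to it).
check_mountpoint() {
    mp=${1:-/tmp}
    line=$(awk -v mp="$mp" '$2 == mp' /proc/mounts | tail -n 1)
    [ -n "$line" ] || { echo "$mp is not a separate mount"; return 2; }
    if has_mount_opts "$line" noexec nosuid nodev; then
        echo "$mp OK: $line"
    else
        echo "$mp MISSING options: $line"
        return 1
    fi
}
```

    Usage: source the file and run check_mountpoint /tmp; a constructed line such as "/dev/sda3 /tmp ext3 rw,nosuid,nodev 0 0" fails has_mount_opts because noexec is absent. One caveat worth knowing before relying on this: noexec only blocks executing a file directly (./udp.pl or a shebang launch); running perl /tmp/udp.pl still works, because the interpreter merely reads the file, which is the limitation the next reply in this thread points at.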

  3. #3
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160


    Hi Cretu, check out my mod_security configuration:

    http://www.hostmerit.com/modsec.user.conf

    Unfortunately the above will not help at all; you can easily still run php and perl, execute programs, and have outgoing DoS attacks as a result (what udp.pl is: an outgoing UDP data flood).

    If you're not using my custom ruleset, I'd suggest trying:

    SecFilter "wget"
    SecFilter "&cmd="
    SecFilter "udp.pl"
    SecFilter "perl\x20"
    SecFilter "udp.txt"
    SecFilter "cd /tmp"
    SecFilter "perl\x20udp\.pl"
    SecFilter "perl\x20udp\.txt"

    Good luck, and remember to killall -9 httpd perl php after redoing your ruleset, then /etc/init.d/httpd startssl, to kill any active outgoing attacks.

    You can also do :

    ps -u nobody

    Get the running commands. Look for variances from the normal httpd, melange, and possibly proftp; usually eggdrop, php, or perl will be the files that they're running. To the left of the process you should see a number; this is called the PROCESS ID (pid).

    Take for instance:
    root@julia [~]# ps -u nobody
    PID TTY TIME CMD
    15103 ? 00:00:00 entropychat

    If I wanted to find the details, I could change directories to /proc/15103.

    Go to /proc/PROCESSID and do ls -al

    Example:

    root@julia [/proc/614]# ls -al
    total 0
    dr-x------ 3 nobody nobody 0 Oct 24 01:45 ./
    dr-xr-xr-x 263 root root 0 Oct 17 14:42 ../
    dr-xr-xr-x 2 root root 0 Oct 24 01:46 attr/
    -r-------- 1 root root 0 Oct 24 01:46 auxv
    -r--r--r-- 1 root root 0 Oct 24 01:45 cmdline
    lrwxrwxrwx 1 root root 0 Oct 24 01:46 cwd -> /home/xxxx/public_html/
    -r-------- 1 root root 0 Oct 24 01:45 environ
    lrwxrwxrwx 1 root root 0 Oct 24 01:46 exe -> /usr/local/apache/bin/httpd*
    dr-x------ 2 root root 0 Oct 24 01:46 fd/

    If you do not see a symbolic link like /home/xxx/public_html/scriptdir/exploitable.php etc., try cat environ once in the directory, and look for PWD / OLD_PWD; these will be where they're launched from.

    Let me know how this goes.
    -Kris
    HostMerit
    'Web Hosting on Your Terms'
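    An added example (my own, not Kris's or HostMerit's code) that scripts the /proc walk described in the post: for each process directory it reads exe, cwd, the NUL-separated cmdline and environ, pulls out PWD/OLDPWD, and flags anything that is perl, php or eggdrop or whose command line mentions udp.pl or udp.txt. Because a real process list is not reproducible, it also builds a constructed /proc-like tree with two made-up processes (an httpd worker and a "perl udp.pl" flood started from /tmp); every path, pid and hostname in that fixture is invented for the example. Note the posted SecFilter lines are ModSecurity 1.x syntax; this script is purely for the host-side triage step.

```sh
# Added example: scripted /proc triage of an attacker's perl/php process.
# proc_env_var DIR NAME: value of NAME from DIR/environ (entries are
# NUL-separated, so plain cat shows them run together).
proc_env_var() {
    tr '\0' '\n' < "$1/environ" | sed -n "s/^$2=//p" | head -n 1
}

# proc_cmdline DIR: the command line with NULs turned into spaces.
proc_cmdline() {
    tr '\0' ' ' < "$1/cmdline" | sed 's/ *$//'
}

# proc_summary DIR: one line with pid, exe target, cwd target and cmdline.
# readlink fails on processes we may not inspect, hence the '?' fallback.
proc_summary() {
    pid=$(basename "$1")
    exe=$(readlink "$1/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "$1/cwd" 2>/dev/null || echo '?')
    printf '%s exe=%s cwd=%s cmd=%s\n' "$pid" "$exe" "$cwd" "$(proc_cmdline "$1")"
}

# scan_proc [ROOT]: walk ROOT/<pid> (default /proc) and print the summary
# plus PWD/OLDPWD for processes that look like the flood payload: the
# binary is perl/php/eggdrop, or the command line names udp.pl/udp.txt.
scan_proc() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        cmd=$(proc_cmdline "$d")
        case "$(basename "$exe") $cmd" in
            perl*|php*|eggdrop*|*udp.pl*|*udp.txt*)
                proc_summary "$d"
                echo "  PWD=$(proc_env_var "$d" PWD) OLDPWD=$(proc_env_var "$d" OLDPWD)"
                ;;
        esac
    done
}

# make_fixture DIR: constructed /proc-like tree (not real data). 614 is a
# normal httpd worker; 15103 is "perl udp.pl target.example" launched from
# /tmp by a script under an assumed public_html/scriptdir path.
make_fixture() {
    mkdir -p "$1/614" "$1/15103"
    printf '%s\0' /usr/local/apache/bin/httpd -DSSL > "$1/614/cmdline"
    printf '%s\0' PWD=/ > "$1/614/environ"
    ln -s /usr/local/apache/bin/httpd "$1/614/exe"
    ln -s /home/xxxx/public_html "$1/614/cwd"
    printf '%s\0' perl udp.pl target.example > "$1/15103/cmdline"
    printf '%s\0' PWD=/home/xxxx/public_html/scriptdir OLDPWD=/tmp PATH=/usr/bin \
        > "$1/15103/environ"
    ln -s /usr/bin/perl "$1/15103/exe"
    ln -s /tmp "$1/15103/cwd"
}

# Stand-alone demo: "sh triage.sh demo" scans the constructed tree.
if [ "${1:-}" = demo ]; then
    fx=$(mktemp -d); make_fixture "$fx"; scan_proc "$fx"; rm -rf "$fx"
fi
```

    On a live box, scan_proc with no argument walks the real /proc; to mirror ps -u nobody exactly, loop over "$(ps -u nobody -o pid=)" and call proc_summary /proc/$pid for each. The PWD line is what tells you which hosted script to go and read; the exe and cwd links alone often just say httpd and public_html, as in the listing above.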
