The Community Forums


Daily /tmp issues crashing box

Discussion in 'General Discussion' started by WeMasterz5, Jun 23, 2009.

  1. WeMasterz5

    WeMasterz5 Well-Known Member

    Joined:
    Feb 24, 2003
    Messages:
    361
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Miami
    ok... this is getting silly.... don't mind me, I am getting frustrated with this

    have done most if not everything from these forums to secure server.. the last week or so I am getting files written to the /tmp dir that are doing something to crash the server


    -rw-r--r-- 1 nobody nobody 110 Jun 23 16:32 own.c

    int getuid() { return 0; }
    int geteuid() { return 0; }
    int getgid() { return 0; }
    int getegid() { return 0; }



    -rwxr-xr-x 1 nobody nobody 4587 Jun 23 16:31 own.so*
    --wxrw--wt 1 nobody nobody 19258 Jun 23 16:29 r0nin*


    suggestions... please
     
  2. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18

    haha.. people are still using lsroot.c I see. Your box is getting forkbombed by a clueless ./kiddie who is likely exploiting a web application (as noted by the uid.gid nobody.nobody), and thinks that they're rooting your box when running the "own" script (or, more specifically, whatever script that is creating the own.so shared object).

    See this: interesting

    and you can either hire an admin to figure out how the attacker is accessing your box (recommended), or start digging through your domain logs for activity on June 23rd around 16:29 - 16:31. Let us know if you find anything interesting!
     
    #2 jpetersen, Jun 23, 2009
    Last edited: Jun 23, 2009
  3. PlatinumServerM

    PlatinumServerM Well-Known Member
    PartnerNOC

    Joined:
    Jul 10, 2005
    Messages:
    397
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    New Jersey, USA
    cPanel Access Level:
    Root Administrator
    First thing you should do is install suphp to track which account they are coming from, so instead of them being owned by 'nobody' it will show the actual account. That will narrow it down to the account that has the vulnerabilities in it.
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    No you haven't! :D

    I can tell from the rest of your post that you have several separate security
    holes that obviously haven't been closed yet, although there are plenty of
    posts around here describing both, which ironically I posted on those very
    same topics just within this past week.

    Like PlatinumServerM said above, switch your PHP from DSO over to SuPHP
    and then make your /tmp partition non-executable and disallow escalations
    (yes I've posted on both of those recently as well - look at my old posts)

    Wouldn't hurt to throw in a mod_security rule or two either to go ahead and
    block the requests from the obvious bonehead newb wannabe hacker.

    If you would like more one on one assistance to more aggressively attack
    these issues and maybe close out more hidden problems then contact me
    and I'll be glad to give you a hand with that.

    In the meantime, I would suggest addressing the items I listed above and
    reading through some of my prior posts as that should give you a wealth
    of more information as to how to address those items and secure other
    parts of your server, etc.
     
    #4 Spiral, Jun 26, 2009
    Last edited: Jun 26, 2009
  5. netlook

    netlook Well-Known Member
    PartnerNOC

    Joined:
    Mar 25, 2004
    Messages:
    335
    Likes Received:
    0
    Trophy Points:
    16
    Make /tmp noexec, disable php system functions
     
  6. jpetersen

    jpetersen Well-Known Member

    Joined:
    Dec 31, 2006
    Messages:
    113
    Likes Received:
    4
    Trophy Points:
    18
    If suPHP is being used, then it isn't necessary to use /tmp for any attacks that require execve() and friends. The same goes for attacks that require suid/sgid functionality. How many people actually have /home mounted as a separate partition, and have it mounted nosuid (and possibly noexec)? And what about checking the other partitions for world writeable locations which could be used to bypass noexec and nosuid restrictions? "securing" /tmp is not a means to an end, but is just 1 piece of a larger set of actions required to achieve the desired results.

    Giving random people access to your server is a really bad idea. There have been a number of posts from the Spiral account over the years asking for people to provide access to their servers. If you want to help close out more hidden problems, why not create a publicly available tutorial for things to look for that will help people to help themselves, and that everyone can learn from?



    edit: http://www.webhostingtalk.com/showthread.php?p=4637475

    This is why you don't give random people access to your box. Go with an established server administration company.
     
    #6 jpetersen, Jun 26, 2009
    Last edited: Jun 26, 2009
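The two gaps jpetersen raises above (partitions mounted without noexec/nosuid, and world-writable directories elsewhere that offer the same foothold as an open /tmp) can be audited with a short script. This is an added example, not code from the thread or from cPanel; the mount table it reads is a constructed sample in /proc/mounts format, and mount_opts, has_opt, report_mounts, find_world_writable and count_world_writable are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): audit mount options and world-writable
# directories, the two noexec/nosuid bypass routes discussed in the thread.

# Constructed sample in /proc/mounts format. On a real box pass
# "$(cat /proc/mounts)" instead. Here /tmp is hardened but /home and /var are not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /home ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext3 rw,relatime 0 0'

# mount_opts MOUNTPOINT MOUNTS_TEXT: print the option string of one mount.
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# has_opt MOUNTPOINT OPTION MOUNTS_TEXT: exit 0 when OPTION is set on MOUNTPOINT.
has_opt() {
    mount_opts "$1" "$3" | tr ',' '\n' | grep -qx "$2"
}

# report_mounts MOUNTS_TEXT: one line per mount point that lacks noexec or
# nosuid, e.g. "/home: missing nosuid noexec". The root filesystem is skipped
# because it must stay executable. Prints nothing when every mount is covered.
report_mounts() {
    printf '%s\n' "$1" | awk '{ print $2 }' | while read -r mp; do
        if [ "$mp" = "/" ]; then continue; fi
        missing=""
        for opt in nosuid noexec; do
            if ! has_opt "$mp" "$opt" "$1"; then
                missing="$missing $opt"
            fi
        done
        if [ -n "$missing" ]; then
            printf '%s: missing%s\n' "$mp" "$missing"
        fi
    done
}

# find_world_writable DIR: directories under DIR (same filesystem only) that
# any local user can write to. One of these on a mount without noexec is as
# useful to an intruder as an unprotected /tmp; sticky-bit directories are
# listed too, since the sticky bit restricts deletion, not execution.
find_world_writable() {
    find "$1" -xdev -type d -perm -002 2>/dev/null
}

# count_world_writable DIR: number of such directories, for scripting.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed mount table.
report_mounts "$SAMPLE_MOUNTS"
```

On a live server, feed report_mounts the real /proc/mounts and run find_world_writable over each mount point it flags; the options that should persist across reboots belong in /etc/fstab, and a remount alone does not survive a reboot.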
  7. jeffcougsfan

    jeffcougsfan Registered

    Joined:
    Jun 26, 2009
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I'm also having issues with a user "nobody" using up all the ram on the server and crashing it - about 5 times a day recently.

    If I install this suPHP, will I be able to see which site of mine is hosting this problem?

    Also, can I get some support on installing suPHP? I'm a newb.
     
  8. logicsupport

    logicsupport Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    You can install suphp using "/scripts/easyapache"

    Advantages of using Suphp

    php handler should be CGI ( php files run under the user ownership only )

    644 permission is enough to execute files.

    No need of full permission to upload files using php

    But php variables can't be declared through .htaccess; rather, you have to create a separate php.ini file under the user's document root.
     
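netlook's advice to disable the PHP functions that spawn processes, taken together with logicsupport's note that under suPHP the settings live in a per-account php.ini, means there is one file per account to verify rather than a single global one. The script below reports which of those functions a given php.ini still allows. It is an added example, not code from the thread or from cPanel: the two php.ini fragments are constructed, the function list is a choice made for the example, and disabled_functions, missing_disables and count_missing are names chosen here. A php.ini inside an account's document root can be changed by anyone who can write there, so a check like this is a way to notice a weakened copy; it is not a substitute for keeping the authoritative settings where the account cannot edit them.

```shell
#!/bin/sh
# Added example (not from the thread): report which process-spawning PHP
# functions a php.ini leaves enabled. Meant for the per-account php.ini files
# that suPHP setups use, but it works on any php.ini text.

# Constructed php.ini fragments: a default-looking one and a hardened one.
WEAK_INI='memory_limit = 64M
disable_functions =
allow_url_fopen = On'

HARDENED_INI='memory_limit = 64M
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
allow_url_fopen = Off'

# Functions through which a PHP script can start a process. This list is a
# choice made for the example, not a PHP or cPanel default; extend as needed.
SHELL_FUNCS="exec passthru shell_exec system proc_open popen"

# disabled_functions INI_TEXT: print each entry of disable_functions on its
# own line, with surrounding quotes and whitespace removed.
disabled_functions() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /^[ \t]*disable_functions[ \t]*$/ {
            gsub(/"/, "", $2)
            n = split($2, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# missing_disables INI_TEXT: print the members of SHELL_FUNCS that the given
# php.ini does not disable; empty output means every one is disabled.
missing_disables() {
    disabled=$(disabled_functions "$1")
    for f in $SHELL_FUNCS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_missing INI_TEXT: number of still-enabled functions, for scripting.
count_missing() {
    missing_disables "$1" | awk 'END { print NR }'
}

# Demonstration on the constructed fragments.
printf 'weak php.ini still allows: %s\n' "$(missing_disables "$WEAK_INI" | tr '\n' ' ')"
printf 'hardened php.ini still allows: %s\n' "$(missing_disables "$HARDENED_INI" | tr '\n' ' ')"
```

To sweep a whole server, loop over the per-account php.ini paths your suPHP configuration actually reads and call count_missing on the contents of each; any non-zero result is an account whose scripts can still reach a shell.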