WeMasterz5

Well-Known Member
Feb 24, 2003
Miami
ok... this is getting silly.... don't mind me I am getting frustrated with this

have done most of everything from these forums to secure server.. the last week or so I am getting files written to the /tmp dir that is doing something to crash the server


-rw-r--r-- 1 nobody nobody 110 Jun 23 16:32 own.c

int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }



-rwxr-xr-x 1 nobody nobody 4587 Jun 23 16:31 own.so*
--wxrw--wt 1 nobody nobody 19258 Jun 23 16:29 r0nin*


suggestions... please
 

jpetersen

Well-Known Member
Dec 31, 2006

haha.. people are still using lsroot.c I see. Your box is getting forkbombed by a clueless ./kiddie who is likely exploiting a web application (as noted by the uid.gid nobody.nobody), and thinks that they're rooting your box when running the "own" script (or, more specifically, whatever script that is creating the own.so shared object).

See this: interesting

and you can either hire an admin to figure out how the attacker is accessing your box (recommended), or start digging through your domain logs for activity on June 23rd around 16:29 - 16:31. Let us know if you find anything interesting!
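
One way to do the log search suggested above, as an added example that is not part of the original posts: a shell filter that pulls every request in a time window out of one or more Apache access logs and counts POST targets per log file and client. It assumes the combined log format and the year 2009 for "Jun 23"; the function names are hypothetical and the log lines, addresses and paths are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread); assumes Apache combined log format.

# window_hits DAY FROM TO FILE...
#   DAY as 23/Jun/2009 (year is an assumption), FROM/TO as HH:MM:SS, inclusive.
#   Prints: logfile time client method status path
window_hits() {
    day=$1; from=$2; to=$3; shift 3
    awk -v day="$day" -v from="$from" -v to="$to" '{
        ts = substr($4, 2)                    # drop the leading "["
        d  = substr(ts, 1, length(day))       # date part of the timestamp
        t  = substr(ts, length(day) + 2, 8)   # HH:MM:SS part
        if (d != day || t < from || t > to) next
        print FILENAME, t, $1, substr($6, 2), $9, $7
    }' "$@"
}

# post_targets: read window_hits output, count POSTs per logfile/client/path.
post_targets() {
    awk '$4 == "POST" { n[$1 " " $3 " " $6]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample log: three requests inside the window, two outside.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
198.51.100.7 - - [23/Jun/2009:16:12:40 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jun/2009:16:29:02 -0400] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
203.0.113.9 - - [23/Jun/2009:16:30:47 -0400] "POST /gallery/upload.php HTTP/1.1" 200 298 "-" "libwww-perl/5.805"
198.51.100.7 - - [23/Jun/2009:16:31:15 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jun/2009:16:45:00 -0400] "GET /gallery/ HTTP/1.1" 200 900 "-" "libwww-perl/5.805"
EOF
    echo "$f"
}

log=$(sample_log)
window_hits 23/Jun/2009 16:29:00 16:31:59 "$log" | post_targets
rm -f "$log"
```

Passing every per-domain log file at once makes the first column of the output name the site that received the requests.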
 

PlatinumServerM

Well-Known Member
PartnerNOC
Jul 10, 2005
New Jersey, USA
cPanel Access Level
Root Administrator
First thing you should do is install suphp to track which account they are coming from, so instead of them being owned by 'nobody' it will show the actual account. That will narrow it down to the account that has the vulnerabilities in it.
 

Spiral

BANNED
Jun 24, 2005
have done most of everything from these forums to secure server..
No you haven't! :D

I can tell from the rest of your post, you have several separate security
holes that obviously haven't been closed yet although there are plenty of
posts around here describing both which ironically I posted on those very
same topics just within this past week.

Like PlatinumServerM said above, switch your PHP from DSO over to SuPHP
and then make your /tmp partition non-executable and disallow escalations
(yes I've posted on both of those recently as well - look at my old posts)

Wouldn't hurt to throw in a mod_security rule or two either to go ahead and
block the requests from the obvious bonehead newb wannabe hacker.

If you would like more one on one assistance to more aggressively attack
these issues and maybe close out more hidden problems then contact me
and I'll be glad to give you a hand with that.

In the meantime, I would suggest addressing the items I listed above and
reading through some of my prior posts as that should give you a wealth
of more information as to how to address those items and secure other
parts of your server, etc.
 

jpetersen

Well-Known Member
Dec 31, 2006
Like PlatinumServerM said above, switch your PHP from DSO over to SuPHP
and then make your /tmp partition non-executable and disallow escalations
(yes I've posted on both of those recently as well - look at my old posts)
If suPHP is being used, then it isn't necessary to use /tmp for any attacks that require execve() and friends. The same goes for attacks that require suid/sgid functionality. How many people actually have /home mounted as a separate partition, and have it mounted nosuid (and possibly noexec)? And what about checking the other partitions for world writeable locations which could be used to bypass noexec and nosuid restrictions? "securing" /tmp is not a means to an end, but is just 1 piece of a larger set of actions required to achieve the desired results.

If you would like more one on one assistance to more aggressively attack
these issues and maybe close out more hidden problems then contact me
and I'll be glad to give you a hand with that.
Giving random people access to your server is a really bad idea. There have been a number of posts from the Spiral account over the years asking for people to provide access to their servers. If you want to help close out more hidden problems, why not create a publicly available tutorial for things to look for that will help people to help themselves, and that everyone can learn from?



edit: http://www.webhostingtalk.com/showthread.php?p=4637475

This is why you don't give random people access to your box. Go with an established server administration company.
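
The check described in the post above (which filesystems still allow exec or setuid, and where world-writable directories sit on them), as an added example that is not part of the original posts. The function names are hypothetical and the mount table and directories in `demo` are constructed; call `exposed_dirs` with no argument to read /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data is constructed in demo().

# missing_mount_flags [FILE]: read /proc/mounts-format lines and print
# "<mountpoint> <missing flags>" for filesystems lacking nosuid and/or noexec.
missing_mount_flags() {
    awk '$3 ~ /^(ext[234]|xfs|reiserfs|jfs|btrfs|tmpfs)$/ {
        opts = "," $4 ","
        miss = ""
        if (opts !~ /,nosuid,/) miss = "nosuid"
        if (opts !~ /,noexec,/) miss = (miss == "" ? "" : miss ",") "noexec"
        if (miss != "") print $2, miss
    }' "${1:-/proc/mounts}"
}

# writable_dirs DIR: world-writable directories below DIR, same filesystem only.
writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | sort
}

# exposed_dirs [FILE]: world-writable directories on filesystems that still
# permit exec or setuid, i.e. the places a noexec,nosuid /tmp does not cover.
exposed_dirs() {
    missing_mount_flags "$1" | while read -r mp miss; do
        writable_dirs "$mp" | sed "s|\$| (missing: $miss)|"
    done
}

# Constructed demo: a scratch directory stands in for a separately mounted /home.
demo() {
    d=$(mktemp -d)
    mkdir "$d/uploads" "$d/private"
    chmod 777 "$d/uploads"; chmod 755 "$d/private"
    printf '%s\n' "/dev/sda3 /nonexistent-tmp ext3 rw,nosuid,noexec 0 0" \
                  "/dev/sda5 $d ext3 rw,relatime 0 0" \
                  "proc /proc proc rw 0 0" > "$d/mounts"
    exposed_dirs "$d/mounts"
    rm -rf "$d"
}
demo
```

The root filesystem will always appear in `missing_mount_flags` output because it cannot be mounted noexec; what matters there is the list of world-writable directories it reports.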
 

jeffcougsfan

Registered
Jun 26, 2009
I'm also having issues with a user "nobody" using up all the ram on the server and crashing it - about 5 times a day recently.

If I install this suPHP, will I be able to see which site of mine is hosting this problem?

Also, can I get some support on installing suPHP? I'm a newb.
 

logicsupport

Well-Known Member
Jun 5, 2007
You can install suphp using " /scripts/easyapache "

Advantages of using Suphp

php handler should be CGI ( php files run under the user ownership only )

644 permission is enough to execute files.

No need of full permission to upload files using php

But php variables can't be declared through .htaccess, rather you have to create a separate php.ini file under the user's document root.