The Community Forums


malicious files in /var/spool/mail/

Discussion in 'E-mail Discussions' started by Ben, Feb 22, 2004.

  1. Ben

    Ben Well-Known Member

    Hello,

    More and more we are seeing malicious files uploaded to our server. This is usually through the use of an insecure PHP script. To combat this, we mounted /tmp noexec. This prevents 95% of the scripts from ever being run. Some of the more experienced crackers, however, just move the files to a directory chmod'ed to 777. Normally I then just chmod the directory to 755, which at least stops them from using that directory again.

    I'm writing because they now appear to be using the /var/spool/mail/ directory. This directory's permissions are

    drwxrwxrwt

    so I don't think that chmod'ing it to 755 is the correct answer. Much as I had done with /var/tmp/ I thought about symlinking the /var/spool/mail/ directory to /tmp as well.

    Does anyone know of the ramifications of such a fix? Anyone tried it before? Comments?
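
Added example (not part of the post above and not cPanel tooling): a POSIX shell check for the situation the post describes, reporting whether a world-writable directory such as /var/spool/mail sits on a filesystem that is mounted without noexec. The mount table, device names and directory modes are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag world-writable directories on filesystems that allow exec.
# SAMPLE_MOUNTS is constructed, in /proc/mounts format; device names are made up.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda3 /var ext3 rw 0 0'

# mount_opts_for DIR [TABLE]: options of the filesystem that holds DIR, i.e. the
# longest mount point that is a path prefix of DIR (later entries win ties).
mount_opts_for() (
  dir=${1%/}; table=${2:-$(cat /proc/mounts)}; best=; best_opts=
  while read -r _dev mp _type opts _rest; do
    case "$dir/" in
      "${mp%/}/"*)
        if [ "${#mp}" -ge "${#best}" ]; then best=$mp; best_opts=$opts; fi ;;
    esac
  done <<EOF
$table
EOF
  printf '%s\n' "$best_opts"
)

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options.
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# classify MODE OPTS: MODE is an ls/stat-style string such as drwxrwxrwt.
classify() (
  case $1 in
    ????????w*) ;;                               # "other" write bit is set
    *) echo "ok: not world-writable"; return 0 ;;
  esac
  case $1 in ?????????[tT]*) sticky="sticky" ;; *) sticky="NO sticky bit" ;; esac
  if has_opt "$2" noexec; then
    echo "ok: world-writable ($sticky), noexec mount"
  else
    echo "RISK: world-writable ($sticky), exec allowed"
  fi
)

# audit_dir DIR MODE [TABLE]: one report line for DIR.
audit_dir() { printf '%-18s %s\n' "$1" "$(classify "$2" "$(mount_opts_for "$1" "$3")")"; }

# Constructed modes; /tmp and /var/spool/mail are the directories from the post.
audit_dir /tmp            drwxrwxrwt "$SAMPLE_MOUNTS"
audit_dir /var/spool/mail drwxrwxrwt "$SAMPLE_MOUNTS"
audit_dir /var/www/upload drwxr-xr-x "$SAMPLE_MOUNTS"
```

To run it against a live host, omit the third argument (the function then reads /proc/mounts) and pass the path resolved with `readlink -f` together with its mode from GNU `stat -c %A`. The match is lexical, so a symlinked directory must be resolved first or it will be attributed to the wrong filesystem.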
     