Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security issue - pget file in /tmp

Discussion in 'Security' started by jols, Dec 5, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168
    Over the past 10 days or so we keep finding this file in the /tmp directory:

    file name - pget

    file content:

    ---------------------------------------

    #!/usr/bin/perl
    use IO::Socket;
    use strict;
    use warnings;
    $ARGV[0] =~ m,http://([^/]+)/(.+),;
    my $server = $1; my $path = $2;
    my $socket = new IO::Socket::INET(Proto => 'tcp', PeerAddr => $server, PeerPort => 80) or die "Can't connect\n";
    print $socket "GET /$path HTTP/1.0\r\nHost: $server\r\n\r\n";
    my $input = <$socket>;
    die "Error, got: $input" unless $input =~ /200 OK/;
    my $start = undef;
    while ($input = <$socket>) {
    if ($start) {
    print $input;
    }
    elsif ($input =~ m/^\r\n$/) {
    $start =1;
    }
    }

    ---------------------------------------

    We have secured our tmp directories, so running this file produces this result:

    # ./pget
    # -bash: ./pget: Permission denied


    Does anyone have an idea of what this may be all about?
     
    #1 jols, Dec 5, 2006
  2. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    166
    Now you can go slap|choke|punch everyone who ever wrote or told you about "securing" /tmp, leading you to believe that there is something inherently "secure" about making it noexec,nosuid,nodev etc. Can it be written to? Yes. Therefore it is not secure.

    Search the forums for:
    +hacked +tmp
    +hack +tmp

    and you will find a ton of info about how this could have happened, how files can still be executed in tmp by calling command interpreters such as perl and the like, and how to go about locating the cause of the attack.
     
    #2 randomuser, Dec 5, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Security issue pget
  1. efuzone

    Email Security Issues

    efuzone, Mar 19, 2018, in forum: E-mail Discussions
    Replies:
    1
    Views:
    94
    cPanelMichael
    Mar 20, 2018
  2. Clixer

    Does memcached pose any security issues?

    Clixer, Mar 5, 2018, in forum: Security
    Replies:
    3
    Views:
    110
    Clixer
    Mar 6, 2018
  3. ciao70

    Security Issue letsencrypt

    ciao70, Jan 10, 2018, in forum: Security
    Replies:
    2
    Views:
    159
    ciao70
    Jan 10, 2018
  4. Nile Youth

    SOLVED Message was blocked because its content presents a potential security issue

    Nile Youth, Dec 21, 2017, in forum: E-mail Discussions
    Replies:
    12
    Views:
    3,615
    cPanelMichael
    Feb 12, 2018
  5. Boris Horvat

    cPanel Security Advisor Issue

    Boris Horvat, Mar 1, 2017, in forum: Security
    Replies:
    22
    Views:
    2,194
    cPanelMichael
    Apr 25, 2017

Share This Page