The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Security issue - pget file in /tmp

Discussion in 'Security' started by jols, Dec 5, 2006.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    168
    Over the past 10 days or so we keep finding this file in the /tmp directory:

    file name - pget

    file content:

    ---------------------------------------

    #!/usr/bin/perl
    use IO::Socket;
    use strict;
    use warnings;
    $ARGV[0] =~ m,http://([^/]+)/(.+),;
    my $server = $1; my $path = $2;
    my $socket = new IO::Socket::INET(Proto => 'tcp', PeerAddr => $server, PeerPort => 80) or die "Can't connect\n";
    print $socket "GET /$path HTTP/1.0\r\nHost: $server\r\n\r\n";
    my $input = <$socket>;
    die "Error, got: $input" unless $input =~ /200 OK/;
    my $start = undef;
    while ($input = <$socket>) {
    if ($start) {
    print $input;
    }
    elsif ($input =~ m/^\r\n$/) {
    $start =1;
    }
    }

    ---------------------------------------

    We have secured our tmp directories, so running this file produces this result:

    # ./pget
    # -bash: ./pget: Permission denied


    Does anyone have an idea of what this may be all about?
     
    #1 jols, Dec 5, 2006
  2. randomuser

    randomuser Well-Known Member

    Joined:
    Jun 25, 2005
    Messages:
    147
    Likes Received:
    0
    Trophy Points:
    166
    Now you can go slap|choke|punch everyone who ever wrote or told you about "securing" /tmp, leading you to believe that there is something inherently "secure" about making it noexec,nosuid,nodev etc. Can it be written to? Yes. Therefore it is not secure.

    Search the forums for:
    +hacked +tmp
    +hack +tmp

    and you will find a ton of info about how this could have happened, how files can still be executed in tmp by calling command interpreters such as perl and the like, and how to go about locating the cause of the attack.
     
    #2 randomuser, Dec 5, 2006
(You must log in or sign up to post here.)
Loading...
Similar Threads - Security issue pget
  1. Boris Horvat

    cPanel Security Advisor Issue

    Boris Horvat, Mar 1, 2017, in forum: Security
    Replies:
    22
    Views:
    1,025
    cPanelMichael
    Apr 25, 2017
  2. Rodrigo Gomes

    Possible security issue with Jailed Apache?

    Rodrigo Gomes, Jan 26, 2017, in forum: Security
    Replies:
    6
    Views:
    410
    Rodrigo Gomes
    Feb 2, 2017
  3. Spork Schivago

    Issues with modsecurity OWASP and false positives.

    Spork Schivago, Jul 18, 2016, in forum: Security
    Replies:
    41
    Views:
    3,406
    Spork Schivago
    Jun 14, 2017
  4. adtastichosting

    issue with modesecurity not enabling some owasp rules

    adtastichosting, Jul 17, 2016, in forum: Security
    Replies:
    4
    Views:
    573
    adtastichosting
    Jul 25, 2016
  5. wert

    Does the public_html/error_log file pose any security issues?

    wert, May 12, 2016, in forum: Security
    Replies:
    4
    Views:
    724
    cPanelMichael
    May 27, 2016

Share This Page