Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Security issue - pget file in /tmp

Discussion in 'Security' started by jols, Dec 5, 2006.

  1. jols

    jols Well-Known Member

    Mar 13, 2004
    Likes Received:
    Trophy Points:
    Over the past 10 days or so we keep finding this file in the /tmp directory:

    file name - pget

    file content:


    use IO::Socket;
    use strict;
    use warnings;
    $ARGV[0] =~ m,http://([^/]+)/(.+),;
    my $server = $1; my $path = $2;
    my $socket = new IO::Socket::INET(Proto => 'tcp', PeerAddr => $server, PeerPort => 80) or die "Can't connect\n";
    print $socket "GET /$path HTTP/1.0\r\nHost: $server\r\n\r\n";
    my $input = <$socket>;
    die "Error, got: $input" unless $input =~ /200 OK/;
    my $start = undef;
    while ($input = <$socket>) {
    if ($start) {
    print $input;
    elsif ($input =~ m/^\r\n$/) {
    $start =1;


    We have secured our tmp directories, so running this file produces this result:

    # ./pget
    # -bash: ./pget: Permission denied

    Does anyone have an idea of what this may be all about?
  2. randomuser

    randomuser Well-Known Member

    Jun 25, 2005
    Likes Received:
    Trophy Points:
    Now you can go slap|choke|punch everyone who ever wrote or told you about "securing" /tmp, leading you to believe that there is something inherently "secure" about making it noexec,nosuid,nodev etc. Can it be written to? Yes. Therefore it is not secure.

    Search the forums for:
    +hacked +tmp
    +hack +tmp

    and you will find a ton of info about how this could have happened, how files can still be executed in tmp by calling command interpreters such as perl and the like, and how to go about locating the cause of the attack.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice