Security issue - pget file in /tmp

jols

Over the past 10 days or so we keep finding this file in the /tmp directory:

file name - pget

file content:

---------------------------------------

#!/usr/bin/perl
# Minimal HTTP/1.0 fetcher: downloads the URL given as the first argument and
# writes the response body to stdout, i.e. a wget/curl substitute for hosts
# that lack them. Raw socket, port 80 only, no redirects, no HTTPS.
use IO::Socket;
use strict;
use warnings;

# Split http://host/path into host and path. Bail out if the argument does not
# match, otherwise $1/$2 are undefined under strict.
die "usage: pget http://host/path\n"
    unless defined $ARGV[0] && $ARGV[0] =~ m,http://([^/]+)/(.+),;
my $server = $1;
my $path   = $2;

my $socket = IO::Socket::INET->new(Proto => 'tcp', PeerAddr => $server, PeerPort => 80)
    or die "Can't connect\n";
print $socket "GET /$path HTTP/1.0\r\nHost: $server\r\n\r\n";

# The status line must say 200; anything else is treated as an error.
my $input = <$socket>;
die "Error, got: " . (defined $input ? $input : "no response\n")
    unless defined $input && $input =~ /200 OK/;

# Skip the headers (everything up to the first blank line), then copy the
# body to stdout verbatim.
my $start = undef;
while ($input = <$socket>) {
    if ($start) {
        print $input;
    }
    elsif ($input =~ m/^\r\n$/) {
        $start = 1;
    }
}

---------------------------------------

We have secured our tmp directories, so running this file produces this result:

# ./pget
-bash: ./pget: Permission denied


Does anyone have an idea of what this may be all about?

randomuser

Now you can go slap|choke|punch everyone who ever wrote or told you about "securing" /tmp, leading you to believe that there is something inherently "secure" about making it noexec,nosuid,nodev etc. Can it be written to? Yes. Therefore it is not secure.

Search the forums for:
+hacked +tmp
+hack +tmp

and you will find a ton of info about how this could have happened, how files can still be executed in tmp by calling command interpreters such as perl and the like, and how to go about locating the cause of the attack.
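The two points made above, that a "Permission denied" from ./pget proves nothing because an interpreter will still run the file, and that the real work is hunting for what was dropped in /tmp, as an added example in POSIX sh. This is not code from this thread or from either poster; the scratch directory, the sample file names and the 10-day window are assumptions chosen to match the original report.

```shell
#!/bin/sh
# Added example, not from the thread. Part 1 reproduces the noexec/no-x-bit
# "bypass": the kernel refuses exec() but an interpreter reads the file as data.
# Part 2 is a small scanner for interpreter scripts dropped in a world-writable
# directory. All paths and file names below are assumptions for illustration.

# Write a script with no execute bit (mode 0644, same effect as a noexec mount),
# try to run it directly, then via sh. Perl behaves identically: "perl /tmp/pget"
# works regardless of mount options. Prints "direct=<rc> interp=<rc>" and
# returns 0 when the direct run failed but the interpreter run succeeded.
demo_interpreter_bypass() {
    dir=$(mktemp -d) || return 2
    script="$dir/pget"
    printf '#!/bin/sh\necho fetched-payload\n' > "$script"
    chmod 0644 "$script"
    if "$script" >/dev/null 2>&1; then direct=0; else direct=$?; fi   # 126: Permission denied
    if sh "$script" >/dev/null 2>&1; then interp=0; else interp=$?; fi # runs fine
    rm -rf "$dir"
    echo "direct=$direct interp=$interp"
    if [ "$direct" -ne 0 ] && [ "$interp" -eq 0 ]; then return 0; else return 1; fi
}

# Report regular files under $1 modified in the last $2 days (default 10) whose
# first line is a shebang, a PHP opener, or Perl source without a shebang.
# Output: "<owner> <path>: <reason>", one line per hit. Hidden files are
# included because droppers like to use names such as ".x" or " " (a space).
scan_dropped_scripts() {
    scandir="$1"
    days="${2:-10}"
    find "$scandir" -xdev -type f -mtime "-$days" 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\r')
        reason=""
        case "$first" in
            '#!'*)                               reason="shebang: $first" ;;
            '<?php'*|'<?'*)                      reason="php opener" ;;
            *'use IO::Socket'*|*'use strict'*)   reason="perl source without shebang" ;;
        esac
        [ -n "$reason" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')   # portable; stat(1) flags vary by OS
        echo "$owner $f: $reason"
    done
}

# Constructed sample directory standing in for /tmp: the pget script from the
# thread, a shebang-less Perl file with a hidden name, and a harmless text file.
# Prints the directory path so the caller can scan and then remove it.
make_sample_dir() {
    d=$(mktemp -d) || return 2
    printf '#!/usr/bin/perl\nuse IO::Socket;\n' > "$d/pget"
    printf 'use strict;\nuse IO::Socket;\n' > "$d/.x"
    printf 'just a session file\n' > "$d/sess_abc"
    chmod 0644 "$d/pget" "$d/.x" "$d/sess_abc"
    echo "$d"
}

# Usage, when run as a script rather than sourced:
#   demo_interpreter_bypass
#   d=$(make_sample_dir); scan_dropped_scripts "$d" 10; rm -rf "$d"
# On a real box: scan_dropped_scripts /tmp 10, and do the same for /var/tmp and
# /dev/shm, then check the web server access logs around each file's mtime for
# the request that dropped it.
```

The scanner is deliberately crude: it keys on the first line only, so it will miss a payload that starts with a blank line and it will flag any legitimate script somebody left in /tmp. Treat its output as a list of things to look at, not a verdict, and read the access logs around each hit's timestamp to find the request (usually a web application bug) that created the file.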