udp.pl doom

Mount /tmp with noexec,nosuid,nodev permissions.

 

Hi Cretu, check out my mod_security configuration:

http://www.hostmerit.com/modsec.user.conf

Unfortunately the above will not help at all, you can easily still run php and perl execute programs, and have outgoing dos attacks as a result (What udp.pl is UDP outgoing data flood)

I'd suggest if not using my custom ruleset, then try:

SecFilter "wget"
SecFilter "&cmd="
SecFilter "udp.pl"
SecFilter "perl\x20"
SecFilter "udp.txt"
SecFilter "cd /tmp"
SecFilter "perl\x20udp\.pl"
SecFilter "perl\x20udp\.txt"

Good luck, and remember to killall -9 httpd perl php after redoing your ruleset, then /etc/init.d/httpd startssl to kill any active attacks outgoing.

You can also do :

ps -u nobody

Get the running commands - Look for variances from the normal httpd, melange, and possibly proftp, usually

eggdrop, php, or perl will be the files that they're running. To the left of the process, you should see a number, this is called the PROCESS ID (pid)

Take for instance:
root@julia [~] ps -u nobody
PID TTY TIME CMD
15103 ? 00:00:00 entropychat

If I wanted to find the details, I could change dir's to /proc/15103

Go to /proc/PROCESSID and do ls -al

Example:

root@julia [/proc/614]# ls -al
total 0
dr-x------ 3 nobody nobody 0 Oct 24 01:45 ./
dr-xr-xr-x 263 root root 0 Oct 17 14:42 ../
dr-xr-xr-x 2 root root 0 Oct 24 01:46 attr/
-r-------- 1 root root 0 Oct 24 01:46 auxv
-r--r--r-- 1 root root 0 Oct 24 01:45 cmdline
lrwxrwxrwx 1 root root 0 Oct 24 01:46 cwd -> /home/xxxx/public_html/
-r-------- 1 root root 0 Oct 24 01:45 environ
lrwxrwxrwx 1 root root 0 Oct 24 01:46 exe -> /usr/local/apache/bin/httpd*
dr-x------ 2 root root 0 Oct 24 01:46 fd/

If you do not see a symbolic link like /home/xxx/public_html/scriptdir/exploitable.php etc etc, try cat environ once in the directory, and look for PWD / OLD_PWD , these will be where they're launched from.

Let me know how this goes.