The Community Forums


udp.pl doom

Discussion in 'General Discussion' started by cretu, Oct 23, 2005.

  1. cretu

    cretu Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    208
    Likes Received:
    0
    Trophy Points:
    16
    Hi there,

    Recently, we are being hit with lots of "udp.pl" programs being installed and run from /tmp. The servers are running secure versions of apps... We do have a firewall, Mod Security, security settings tweaks and such.

    How do we stop "udp.pl"? Is there a snippet we could use for Mod Security?

    Thank you.

    Cretu
     
  2. Blue|Fusion

    Blue|Fusion Well-Known Member

    Joined:
    Sep 12, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Cleveland, Ohio
    Mount /tmp with noexec,nosuid,nodev permissions.
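    An added check (not part of the thread) for the advice above: it parses the /tmp entry of /proc/mounts and reports which of noexec, nosuid and nodev are missing. The functions take the mounts line as an argument so they can be exercised on constructed lines as well as the live file; the mount point /tmp and the /proc/mounts field layout are the only assumptions.

```shell
# Added example, not from the thread: verify the /tmp mount options suggested
# above by parsing a /proc/mounts-style line. Functions take their input as
# arguments so they can be run on constructed lines as well as the live file.

# Print the /proc/mounts line for /tmp (empty if /tmp is not its own mount).
# Field 2 is the mount point, field 4 the comma-separated option list.
tmp_mount_line() {
    awk '$2 == "/tmp" { print; exit }' /proc/mounts
}

# Given one mounts line, print the hardening options it lacks, space-separated
# (prints an empty line when noexec, nosuid and nodev are all present).
tmp_missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Exit status 0 when the line carries all three options, 1 otherwise.
tmp_is_hardened() {
    [ -z "$(tmp_missing_opts "$1")" ]
}

# Report on the running system (skipped where /proc/mounts is unavailable).
if [ -r /proc/mounts ]; then
    line=$(tmp_mount_line)
    if [ -z "$line" ]; then
        echo "/tmp is not a separate mount, so noexec/nosuid/nodev cannot be set on it alone"
    elif tmp_is_hardened "$line"; then
        echo "/tmp is mounted noexec,nosuid,nodev"
    else
        echo "/tmp is missing: $(tmp_missing_opts "$line")"
    fi
fi
```

    The check only tells you how /tmp is mounted. As the following post points out, noexec stops a dropped file from being executed directly but not from being fed to an interpreter such as perl or php, so it is one layer rather than a complete answer.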
     
  3. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Hi Cretu, check out my mod_security configuration:

    http://www.hostmerit.com/modsec.user.conf

    Unfortunately the above will not help at all; you can still easily execute php and perl programs, and have outgoing DoS attacks as a result (udp.pl is an outgoing UDP data flood).

    I'd suggest if not using my custom ruleset, then try:

    SecFilter "wget"
    SecFilter "&cmd="
    SecFilter "udp.pl"
    SecFilter "perl\x20"
    SecFilter "udp.txt"
    SecFilter "cd /tmp"
    SecFilter "perl\x20udp\.pl"
    SecFilter "perl\x20udp\.txt"

    Good luck, and remember to killall -9 httpd perl php after redoing your ruleset, then /etc/init.d/httpd startssl, to kill any active outgoing attacks.

    You can also do :

    ps -u nobody

    Get the running commands. Look for variances from the normal httpd, melange, and possibly proftp; usually eggdrop, php, or perl will be the files that they're running. To the left of the process you should see a number; this is called the PROCESS ID (pid).

    Take for instance:
    root@julia [~] ps -u nobody
    PID TTY TIME CMD
    15103 ? 00:00:00 entropychat

    If I wanted to find the details, I could change directories to /proc/15103.

    Go to /proc/PROCESSID and do ls -al

    Example:

    root@julia [/proc/614]# ls -al
    total 0
    dr-x------ 3 nobody nobody 0 Oct 24 01:45 ./
    dr-xr-xr-x 263 root root 0 Oct 17 14:42 ../
    dr-xr-xr-x 2 root root 0 Oct 24 01:46 attr/
    -r-------- 1 root root 0 Oct 24 01:46 auxv
    -r--r--r-- 1 root root 0 Oct 24 01:45 cmdline
    lrwxrwxrwx 1 root root 0 Oct 24 01:46 cwd -> /home/xxxx/public_html/
    -r-------- 1 root root 0 Oct 24 01:45 environ
    lrwxrwxrwx 1 root root 0 Oct 24 01:46 exe -> /usr/local/apache/bin/httpd*
    dr-x------ 2 root root 0 Oct 24 01:46 fd/

    If you do not see a symbolic link like /home/xxx/public_html/scriptdir/exploitable.php etc., try cat environ once in the directory and look for PWD / OLDPWD; these will be where they're launched from.

    Let me know how this goes.
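    An added script (not part of the thread, and not HostMerit's) that automates the /proc walk described in the post above: for every process owned by a given uid it reports pid, exe, cwd, the command line, and the PWD/OLDPWD values from environ, and flags command lines that point into /tmp, /var/tmp or /dev/shm. The proc root is a parameter so the functions can be run against a constructed tree; the user name nobody for Apache and the standard layout of /proc/<pid> are assumptions.

```shell
# Added example, not from the thread: automate the /proc walk described above.
# For every process owned by a given uid it prints pid, exe, cwd, the command
# line and the PWD/OLDPWD values from its environment, and flags command lines
# that reference a world-writable temp directory. The proc root is a parameter
# so the functions can be run against a constructed tree as well as /proc.

# Command line of one process, NUL separators turned into spaces.
proc_cmdline() {   # $1 = /proc/<pid> directory
    tr '\0' ' ' < "$1/cmdline" 2>/dev/null || true
}

# One variable (PWD, OLDPWD, ...) from the NUL-separated environ file.
# environ is only readable by the owner and root, hence the 2>/dev/null.
proc_env_var() {   # $1 = /proc/<pid> directory, $2 = variable name
    tr '\0' '\n' < "$1/environ" 2>/dev/null | sed -n "s/^$2=//p"
}

# Real uid of a process, from the Uid: line of its status file.
proc_uid() {   # $1 = /proc/<pid> directory
    awk '/^Uid:/ { print $2; exit }' "$1/status" 2>/dev/null
}

# Status 0 when the command line refers to a file in a temp directory,
# the pattern in this thread (perl /tmp/udp.pl and the like).
proc_runs_from_tmp() {   # $1 = command line
    case " $1" in
        *" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one report line per process owned by uid $1 under proc root $2.
report_user_procs() {   # $1 = numeric uid, $2 = proc root (default /proc)
    root="${2:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        uid=$(proc_uid "$d") || continue   # process may have exited
        [ "$uid" = "$1" ] || continue
        cmd=$(proc_cmdline "$d"); cmd=${cmd% }
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
        flag=""
        proc_runs_from_tmp "$cmd" && flag=" [runs from tmp]"
        printf '%s exe=%s cwd=%s PWD=%s OLDPWD=%s cmd=%s%s\n' \
            "${d##*/}" "$exe" "$cwd" "$(proc_env_var "$d" PWD)" \
            "$(proc_env_var "$d" OLDPWD)" "$cmd" "$flag"
    done
}

# Usage on a live box: everything Apache's nobody user is running.
if nobody_uid=$(id -u nobody 2>/dev/null); then
    report_user_procs "$nobody_uid"
fi
```

    Run it as root so environ and the exe/cwd links of other users' processes are readable. A line where cwd or PWD points into a customer's public_html and cmd is an interpreter with a file under /tmp is the case the post describes: the cwd tells you which site was used to launch it, which is what you need in order to find the exploitable script rather than just killing the process.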
     