Hi there, Recently we are being hit with lots of "udp.pl" programs being installed and run from /tmp. The servers are running secure versions of apps... We do have a firewall, Mod Security, security settings tweaks and such. How do we stop "udp.pl"? Is there a snippet we could use for Mod Security? Thank you. Cretu
Hi Cretu, check out my mod_security configuration: http://www.hostmerit.com/modsec.user.conf

Unfortunately the above will not help at all; you can easily still run php and perl execute programs, and have outgoing DoS attacks as a result (what udp.pl is: an outgoing UDP data flood). I'd suggest, if not using my custom ruleset, then trying:

SecFilter "wget"
SecFilter "&cmd="
SecFilter "udp.pl"
SecFilter "perl\x20"
SecFilter "udp.txt"
SecFilter "cd /tmp"
SecFilter "perl\x20udp\.pl"
SecFilter "perl\x20udp\.txt"

Good luck, and remember to run "killall -9 httpd perl php" after redoing your ruleset, then "/etc/init.d/httpd startssl", to kill any active outgoing attacks.

You can also do:

ps -u nobody

to get the running commands. Look for variances from the normal httpd, melange, and possibly proftp; usually eggdrop, php, or perl will be the files that they're running. To the left of the process you should see a number; this is called the PROCESS ID (pid). Take for instance:

root@julia [~] ps -u nobody
  PID TTY          TIME CMD
15103 ?        00:00:00 entropychat

If I wanted to find the details, I could change directories to /proc/15103. Go to /proc/PROCESSID and do ls -al. Example:

root@julia [/proc/614]# ls -al
total 0
dr-x------    3 nobody nobody 0 Oct 24 01:45 ./
dr-xr-xr-x  263 root   root   0 Oct 17 14:42 ../
dr-xr-xr-x    2 root   root   0 Oct 24 01:46 attr/
-r--------    1 root   root   0 Oct 24 01:46 auxv
-r--r--r--    1 root   root   0 Oct 24 01:45 cmdline
lrwxrwxrwx    1 root   root   0 Oct 24 01:46 cwd -> /home/xxxx/public_html/
-r--------    1 root   root   0 Oct 24 01:45 environ
lrwxrwxrwx    1 root   root   0 Oct 24 01:46 exe -> /usr/local/apache/bin/httpd*
dr-x------    2 root   root   0 Oct 24 01:46 fd/

If you do not see a symbolic link like /home/xxx/public_html/scriptdir/exploitable.php etc., try "cat environ" once in the directory and look for PWD / OLD_PWD; these will be where they're launched from.

Let me know how this goes.
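The /proc walk the reply describes, automated as an added example script (not from the original post): it prints exe, cwd, cmdline and the PWD/OLDPWD entries from environ for each PID and marks processes tied to /tmp or running perl/php/eggdrop as suspects. The PROC_ROOT parameter and the ok/SUSPECT marks are assumptions of this example; on a live box pass /proc and the PIDs from ps -u nobody.

```shell
#!/bin/sh
# Added example (not from the original post): automates the /proc triage the
# reply walks through. For each PID it reports cmdline, cwd, exe and the
# PWD/OLDPWD entries from environ, and marks processes executing from or
# launched in /tmp, or whose exe is perl/php/eggdrop, as suspects.
# PROC_ROOT is a parameter (an assumption made so the logic can be checked
# against a constructed tree); on a live box pass /proc.

# print a NUL-separated /proc file (cmdline, environ) one entry per line
nul_lines() { tr '\0' '\n' < "$1" 2>/dev/null || true; }

# proc_summary PROC_ROOT PID: one line with the fields the reply inspects by hand
proc_summary() {
    d="$1/$2"
    [ -d "$d" ] || return 1
    cmd=$(nul_lines "$d/cmdline" | paste -s -d ' ' -)
    cwd=$(readlink "$d/cwd" 2>/dev/null || echo '?')
    exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
    env_pwd=$(nul_lines "$d/environ" | grep -E '^(PWD|OLDPWD)=' | paste -s -d ' ' -)
    printf 'pid=%s exe=%s cwd=%s cmd="%s" %s\n' "$2" "$exe" "$cwd" "$cmd" "$env_pwd"
}

# proc_is_suspicious PROC_ROOT PID: exit 0 if the process matches the udp.pl pattern
proc_is_suspicious() {
    d="$1/$2"
    cwd=$(readlink "$d/cwd" 2>/dev/null || true)
    exe=$(readlink "$d/exe" 2>/dev/null || true)
    env_pwd=$(nul_lines "$d/environ" | grep -E '^(PWD|OLDPWD)=' || true)
    # anything living in /tmp: cwd, exe, or the directory it was launched from
    case "$cwd $exe $env_pwd" in *"/tmp"*) return 0 ;; esac
    # interpreters the reply names as what the attackers usually run
    case "${exe##*/}" in perl*|php*|eggdrop*) return 0 ;; esac
    return 1
}

# scan_procs PROC_ROOT PID...: summarise each PID with an ok/SUSPECT mark.
# Live usage:  scan_procs /proc $(ps -u nobody -o pid=)
scan_procs() {
    root="$1"; shift
    for pid in "$@"; do
        if proc_is_suspicious "$root" "$pid"; then mark=SUSPECT; else mark=ok; fi
        printf '%-7s ' "$mark"; proc_summary "$root" "$pid" || echo "pid=$pid (gone)"
    done
}
```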