
/var/tmp Spammers Delight - HOW TO Secure

Discussion in 'General Discussion' started by Planet_Master, Aug 22, 2005.

  1. Planet_Master, Well-Known Member (joined Apr 18, 2002; location: New Yorker)

    There are so many tutorials on securing /tmp and making it non-executable, but /var/tmp can be used just as easily by spammers and hackers to run malicious scripts, and it can really do damage to your system. First and foremost, if you are running PHP apps like phpBB, make sure you make users aware to keep these programs updated to the latest versions. In reality you should do this yourself before any problems arise and use WHM's Addon Script Manager to update all PHP apps running on your servers. It is so important to keep your software updated, as most of the time update releases are either for bugs or, more importantly, security fixes.

    So I had a spammer blow 5000 emails from /var/tmp, sending these emails as nobody of course. In this case it was caught immediately, as all the emails were returned undeliverable. When I noticed the excessive email load I first had to figure out where it was coming from.

    Upon logging into the server I was able to locate the following malicious processes running as the user nobody:
    Code:
    nobody   31385  0.0  0.0  1452    4 ?        S    Aug20   0:00 bash
    nobody    4566  0.0  0.0  1456    4 ?        S    00:17   0:00 ./cgi
    nobody    4575  0.0  0.0  2160  104 ttyp0    S    00:17   0:00 sh -i
    nobody   13500  4.8  0.0  1428  184 ttyp0    R    01:02   0:54 ./f3 200.147.128.xxx 65535 10000

    The processes seem to be running from /var/tmp:

    Code:
    root@server [~]# lsof -p 13500 | head -n 4
    COMMAND   PID   USER   FD   TYPE     DEVICE      SIZE     NODE NAME
    f3      13500 nobody  cwd    DIR        3,3      4096   245935 /var/tmp
    f3      13500 nobody  rtd    DIR        3,1      4096        2 /
    f3      13500 nobody  txt    REG        3,3     18132   245809 /var/tmp/f3

    I entered /var/tmp and saw a host of files that weren't supposed to be there, and I knew right away that here was the problem. I first deleted all the files except for mysql.sock, which really is the only file that should be in there, and then checked permissions:

    Code:
    root@server [/var/tmp]# ls -l
    -rwxrwxr-x    1 nobody   nobody      18132 Aug 22 00:02 f3*
    No good to have this folder under nobody; insecure.
    So in order to prevent future problems I did the following:
    I killed the malicious processes, deleted all the malicious files, removed the permissions on the f3 binary and set its owner to root:root, and restricted access for the wget command to the root user only.

    This is a basic and simple way to secure this folder and your server, but it is very effective. So if you are using a /var/tmp with nobody permissions, I suggest modifying it as above and saving yourself some future headaches.
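As an added example (not code from the thread or from cPanel), the following script turns the triage in the post into repeatable checks: it asks of every pid the question `lsof -p 13500` answered above (is the working directory or executable inside /tmp or /var/tmp?), and it checks that the scratch directories themselves are root-owned with the sticky bit set rather than owned by nobody. It assumes a Linux /proc layout with per-pid `cwd` and `exe` symlinks; the function names, the `--live` flag and the optional PROC_ROOT argument (which lets the scan run against a constructed /proc tree) are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Triage helpers for the situation in the
# post: processes running out of /var/tmp or /tmp, and a scratch directory that
# is not root-owned. Assumes a Linux /proc layout (per-pid cwd and exe symlinks);
# the PROC_ROOT argument lets the scan run against a constructed /proc tree.

# Directories web users can write to but should never run code from.
SCRATCH_DIRS="/tmp /var/tmp"

# in_scratch PATH: succeed if PATH is a scratch directory or lies below one.
in_scratch() {
    for d in $SCRATCH_DIRS; do
        case "$1" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# find_scratch_procs [PROC_ROOT]: print "pid cwd exe" for every process whose
# working directory or executable resolves into a scratch directory. This is
# the same question `lsof -p PID` answered in the post, asked of every pid.
find_scratch_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd=""
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=""
        if in_scratch "$cwd" || in_scratch "$exe"; then
            printf '%s %s %s\n' "$pid" "${cwd:--}" "${exe:--}"
        fi
    done
}

# owned_by_root DIR: succeed if DIR's owner is uid 0 (the post found /var/tmp
# owned by nobody, which let the web user drop and run binaries there).
owned_by_root() {
    [ -d "$1" ] || return 1
    set -- $(ls -ldn "$1")      # fields: perms links uid gid ...
    [ "$3" = 0 ]
}

# sticky_set DIR: succeed if the sticky bit is set (mode 1777), so users can
# only remove their own files from a shared scratch directory.
sticky_set() {
    [ -d "$1" ] || return 1
    set -- $(ls -ld "$1")
    case "$1" in
        d????????[tT]*) return 0 ;;
    esac
    return 1
}

# scratch_dir_ok DIR: the state /var/tmp should be in: root-owned and sticky.
scratch_dir_ok() {
    owned_by_root "$1" && sticky_set "$1"
}

# Live run: `sh triage.sh --live` on the server being checked.
if [ "${1:-}" = "--live" ]; then
    echo "processes working out of scratch directories (pid cwd exe):"
    find_scratch_procs
    for d in $SCRATCH_DIRS; do
        if scratch_dir_ok "$d"; then
            echo "$d: root-owned and sticky"
        else
            echo "$d: not root:root 1777, fix with: chown root:root $d && chmod 1777 $d"
        fi
    done
fi
```

The /proc scan reports the `./cgi`, `sh -i` and `./f3` processes from the post because their cwd is /var/tmp, and it also catches a binary copied elsewhere but still executed from the scratch directory, which a plain `ps` listing does not show. The sticky-bit check matters because 1777 is what a shared scratch directory should carry; a directory that is root-owned but world-writable without the sticky bit still lets one user delete another's files.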
     
  2. chirpy, Well-Known Member (joined Jun 15, 2002)

    The simplest way to secure /var/tmp is to delete it and its contents and then create a symlink to /tmp. That way you only have to worry about a single point of security with /tmp.
     
  3. sh4ka, Well-Known Member (joined May 12, 2005; location: US; cPanel Access Level: DataCenter Provider)

    Does /scripts/securetmp already do this, or is it extra work that we have to do to secure the directory?
     
  4. kris1351, Well-Known Member (joined Apr 18, 2003; location: Lewisville, Tx)

    The securetmp script does that and ANY GOOD guide will recommend you do the same thing.
     
  5. ilbin, Member (joined Apr 12, 2004)

    Even so, with the phpBBs of the world, malicious scripts seem to find their way to tmp directories. What thoughts do you folks have about the idea of chown root:root and chmod 000 for any filenames the script kiddies happen to successfully place there?

    It's a band-aid approach, but I'm not sure the scripts push different filenames if they encounter that kind of obstacle.

    Any downsides you can think of?
     
  6. astopy, Well-Known Member (joined Apr 3, 2003; cPanel Access Level: Root Administrator)

    I've tried that, and it doesn't really work. It is trivial for them to try a new file name, so all it does is make it harder for you to spot these files when they're created.
     
  7. ramprage, Well-Known Member (joined Jul 21, 2002; location: Canada)

    vi /etc/fstab

    Ensure your /tmp partition is set to: noexec, nosuid

    Symlink /var/tmp

    =)
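Added example, not code from the thread or from cPanel's /scripts/securetmp: checks for the two settings recommended in this post and in chirpy's earlier reply, namely /tmp carrying noexec and nosuid and /var/tmp being a symlink to /tmp. The parser reads any file with the fstab/mtab column layout, so the same function can be pointed at /etc/fstab (what is configured) and /proc/mounts (what is actually mounted); the sample fstab lines it writes are constructed for demonstration, and the function names and the `--live` flag are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Checks for the two settings recommended
# above: /tmp mounted noexec,nosuid and /var/tmp being a symlink to /tmp.
# Works on any file with fstab/mtab layout (device mountpoint fstype options),
# so it can be pointed at /etc/fstab, /proc/mounts, or a constructed sample.

# mount_opts FILE MOUNTPOINT: print the option field of MOUNTPOINT's entry;
# fail if there is no such entry (comment lines are skipped).
mount_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; found = 1 }
                    END { exit !found }' "$1"
}

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# tmp_hardened FILE MOUNTPOINT: succeed only if the entry carries both noexec
# and nosuid (the two options the post asks for); nodev is a common third.
tmp_hardened() {
    opts=$(mount_opts "$1" "$2") || return 1
    has_opt "$opts" noexec && has_opt "$opts" nosuid
}

# vartmp_linked PATH: succeed if PATH is a symlink pointing at /tmp, the
# "single point of security" layout chirpy describes earlier in the thread.
vartmp_linked() {
    [ -L "$1" ] && [ "$(readlink "$1")" = /tmp ]
}

# write_sample_fstab FILE weak|hard: write a constructed fstab so the checks
# can be exercised without touching the real /etc/fstab. "weak" is the default
# mount, "hard" is the line this post recommends.
write_sample_fstab() {
    case "$2" in
        weak) opts=defaults ;;
        hard) opts=defaults,noexec,nosuid,nodev ;;
        *) return 1 ;;
    esac
    printf '# constructed sample, not a real fstab\n' > "$1"
    printf '/dev/sda1 / ext3 defaults 1 1\n' >> "$1"
    printf '/dev/sda3 /tmp ext3 %s 1 2\n' "$opts" >> "$1"
}

# report FILE: one line per scratch mount, for /etc/fstab or /proc/mounts,
# followed by the /var/tmp symlink state.
report() {
    for mp in /tmp /var/tmp; do
        if tmp_hardened "$1" "$mp"; then
            echo "$mp: noexec,nosuid present in $1"
        elif mount_opts "$1" "$mp" >/dev/null; then
            echo "$mp: entry in $1 lacks noexec and/or nosuid"
        else
            echo "$mp: no entry in $1"
        fi
    done
    if vartmp_linked /var/tmp; then
        echo "/var/tmp -> /tmp symlink in place"
    else
        echo "/var/tmp is not a symlink to /tmp"
    fi
}

# Live run: `sh check_tmp.sh --live` compares the configured state (fstab)
# with the currently mounted state (/proc/mounts).
if [ "${1:-}" = "--live" ]; then
    report /etc/fstab
    report /proc/mounts
fi
```

Checking /proc/mounts as well as /etc/fstab matters because an fstab edit only takes effect after a remount; the two reports disagreeing is the sign that the change is configured but not yet live. If /var/tmp is a real directory rather than a symlink, it needs its own noexec,nosuid entry (or a bind mount of /tmp) to get the same protection.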
     
  8. chirpy, Well-Known Member (joined Jun 15, 2002)

    I agree with Odhinn, you're going to end up chasing your own tail trying to keep up with that approach. A very good set of mod_security rules certainly goes a long way to helping. Something like:
    http://www.gotroot.com/mod_security+rules
     