LinuxQuestions.org


ddaas 02-24-2006 03:27 AM

malicious script in tmp - (cpanel/fc4)
 
Hi,
I have a hosting server (cpanel/whm on FC4) with almost 500 accounts.
Until now no security incident has occurred. Yesterday I found a Perl script in the /tmp directory which launched some sort of DDoS attack (it sent 20Mbs to different networks on the internet).

Please tell me some guidelines about the way I could protect my server in the future from this kind of attack. (What could I do, are there any hardening tools, etc.?)


Thanks

satinet 02-24-2006 04:44 AM

Well, don't let people write to /tmp or other directories.

You could also set firewall rules to stop outbound traffic.

If you know who created it, kick and ban them. Delete their data.

What is the server for? Sounds like a script kiddie, as not that many people have the ability to write cogent Perl scripts...

jschiwal 02-24-2006 04:47 AM

Is the /tmp directory in its own partition? If it is, then consider using the "noexec" and "nodev" mount options to mount this, and any other world-writable partition. There is also a nosuid option. Also, check for rootkits, and keep tabs on security messages that root gets. (I assume that there is a service that monitors the system for changes and emails a report once a day.)

The March edition of Linux Journal is about security. There are also books on hardening Linux. Read messages on this site on security. There are websites dedicated to computer security also. Fedora Core uses RPM, so you can check the integrity of your packages with rpm -V. Make sure you have backups you can rely on if the worst happens. Some people will produce md5sums of system directories and the libraries, and save them offline. Then if you suspect an attack, you could compare. There are many other things that can be done, and they will probably be suggested by other members on this board.

I forgot the most important thing. That is to keep an eye on the logs. The last program can show you who has logged on. SuSE comes with a program called AppArmor. Perhaps fc4 has something similar.
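An added example, not from the thread or from any tool named in it, of the offline checksum baseline jschiwal describes: build the list once on a known-good system, keep it off the box, and compare later. It uses md5sum because the post names it; the directory and baseline paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a checksum baseline of system
# directories, store it offline, and later compare it, as jschiwal suggests.
# md5sum is used because the post names it; sha256sum is a drop-in replacement.
# Directory choices below are assumptions; adjust them for the host.

# make_baseline DIR... > BASELINE
# Writes "hash  path" for every regular file under the given directories.
# Keep the output on read-only or offline media, or an intruder can rewrite it.
make_baseline() {
    find "$@" -type f -exec md5sum {} +
}

# compare_baseline BASELINE
# Prints each path whose contents changed or which no longer exists.
# Returns 0 when everything still matches, 1 when anything differs.
compare_baseline() {
    # md5sum -c emits "path: FAILED" or "path: FAILED open or read" on stdout;
    # OK lines and the summary warning are dropped by the sed filter.
    changed=$(md5sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -n "$changed" ] || return 0
    printf '%s\n' "$changed"
    return 1
}

# find_new_since BASELINE DIR...
# Lists regular files created or modified after the baseline was written,
# which md5sum -c cannot report because they are absent from the list.
# With GNU find, -cnewer (ctime) is harder for an intruder to fool than -newer.
find_new_since() {
    baseline=$1
    shift
    find "$@" -type f -newer "$baseline"
}

# Typical use (assumed paths): run make_baseline once on a known-good system,
# then the two checks from cron or whenever something looks wrong:
# make_baseline /bin /sbin /lib /usr/bin /usr/sbin /usr/lib > /mnt/usb/base.md5
# compare_baseline /mnt/usb/base.md5
# find_new_since /mnt/usb/base.md5 /bin /sbin /lib /usr/bin /usr/sbin /usr/lib
```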

nx5000 02-24-2006 05:03 AM

noexec will not help for a Perl script, I guess, and in fact even for executables it just slows down script kiddies.
Code:

$cp /bin/ls ~
$chmod -x ls
$./ls
bash: ./ls: Permission denied
$/lib/ld-linux.so.2 ./ls
ls xxx go.sh
$

I don't want to say that it's useless to do this, I just want to let people know that they are still naked.

And there are other places than /tmp which Apache can access, but they're less known.

jschiwal 02-24-2006 05:08 AM

The /tmp partition is world-writable by definition. Some directories in /var are also world-writable (/var/games, /var/lock, /var/mail, and /var/spool). I don't know what /var/games is for, probably if you run a game server. The lock, mail and spool directories have the sticky bit set, which prevents one user from deleting another user's files.
I don't believe that the /var partition is used to run code, so that may be another candidate for the "noexec" option.
I'm surprised that the person who used this script didn't delete it when they were done. If it was still running, you could have used the 'ps' command and 'lsof' command to find out who had a lock on the file, and what uid the process was running as. Hopefully, it wasn't a system user like mysql. What was the user name? If it was a system user, that could tell you that someone was able to crash that service. If it was owned by root then we're talking big trouble.

ddaas 02-28-2006 06:21 AM

Hi there,
Thanks for your advice.
That is not my server and I don't know exactly how it was configured. A friend of mine who runs this hosting service asked me to help him harden his server.
The problem is that it uses cpanel for its management.

After I searched around I found the following:

- the installation started from a FC4 "minimal installation". Then cpanel installed everything (exim, apache, php etc). It manages everything on that system (user accounts, updates, backup etc). I don't like these automatic scripts like cpanel, webmin etc. You have no flexibility and you have to do everything from their interface. Otherwise things could get messed up. I would prefer a "by hand" solution where the admin is in control. But maybe for a hosting solution this is preferable.

Anyway:
/tmp is on its own partition: /dev/sda6 on /tmp type ext3 (rw,noexec,nosuid) [/tmp]
noexec and nosuid don't help in preventing Perl scripts from running. It is world-writable because it is needed by some services (apache, mysql etc) and I think it needs to remain this way. The sticky bit is set.

I've installed AIDE, rkhunter, chkrootkit, log management system etc. Apache, php, mysql etc are stable and updated (not the last version, but a version without major known bugs). I will also set a firewall not to allow outbound connections.
The problem is that there are 2-300 user hosting accounts and every user is responsible for the content of their site, scripts etc. Practically everyone could copy/install anything in their /home directory.

I'll try to find who owned that Perl script. Let's suppose (and I suppose) that apache owned that script. What could I do to prevent something similar?

Thanks

postcd 09-25-2017 05:01 PM

@ddaas

I was also interested in how to protect the server from the same thing happening, and from what I read I would advise the following:

- install an app/antivirus that will monitor tmp folders for malware - it is maldet (Linux Malware Detect) in daemon mode, or just a bash script.
- install CXS or, if not willing to spend money (I think it is worth the price), then use Linux Malware Detect. CXS scans files as they are uploaded via HTTP or FTP so it prevents many bad shells from being uploaded.
- try to Google ModSecurity and see if you can create some rule that will prevent people from loading perl/python.. scripts into /tmp
- use a good ModSecurity rule set. I am using the Comodo free ModSec rules and they are not bad
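An added example, not from the thread and not maldet or CXS: the "just a bash script" postcd mentions, written for the situation ddaas describes. It reports interpreter scripts sitting in world-writable directories together with their owner, since noexec on /tmp does not stop "perl /tmp/x.pl" but the file's contents still give it away. The directory list and the web-server user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report interpreter scripts sitting in
# world-writable directories, with their owner, so a file like the Perl DDoS
# script ddaas found is noticed before it runs again. noexec on /tmp does not
# stop "perl /tmp/x.pl", so looking at file contents matters more than mode bits.
# Directory list and web-server user name are assumptions; adjust for the host.

# script_kind FILE
# Prints the interpreter from FILE's "#!" line (perl, python, sh, ...),
# resolving "#!/usr/bin/env perl" to perl; prints nothing if there is no shebang.
script_kind() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $first in
        '#!'*) printf '%s\n' "${first#??}" |
               awk '{ n = split($1, p, "/"); i = p[n]; if (i == "env") i = $2; print i }' ;;
    esac
}

# scan_tmp DIR...
# Prints "owner interpreter path" for every regular file that has a shebang.
# Filenames containing newlines are not handled; acceptable for a daily report.
scan_tmp() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        interp=$(script_kind "$f") || continue
        [ -n "$interp" ] || continue
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        printf '%s %s %s\n' "$owner" "$interp" "$f"
    done
}

# scan_owned_by USER DIR...
# Same report restricted to one owner, e.g. the web-server account, which is
# the case ddaas suspects: scripts dropped through a web application.
scan_owned_by() {
    user=$1
    shift
    scan_tmp "$@" | awk -v u="$user" '$1 == u'
}

# Typical daily use from cron (assumed directories and user name):
# scan_owned_by apache /tmp /var/tmp /dev/shm
```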

