LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-25-2005, 09:57 PM   #1
beyonds
LQ Newbie
 
Registered: Feb 2005
Posts: 4

Rep: Reputation: 0
Looking for help to secure /tmp


I already have my /tmp partition for FC3 set to - loop,noexec,nosuid,rw.
Even with that, attackers can still run perl script in /tmp directory.

I found a lot of them running udp.pl scripts to flood other servers. How is it possible they can run these scripts on /tmp if after I have set the partition as non-executable?. Is there a way to secure /tmp so it can't run perl scripts or anything for that matter?

Hope you guys can help me on this. Thanks!

-Joe
 
Old 02-25-2005, 10:14 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
They're not running the script, they're running perl... just reading a file from /tmp. On another note, how are they getting access to run that on your system? It sounds like your computer is thoroughly compromised.
 
Old 02-25-2005, 10:59 PM   #3
beyonds
LQ Newbie
 
Registered: Feb 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Re: Compromised

I've already installed arno's rc.iptables. Disabled all the unneccessary services. What else is there to secure? Can someone direct me on this?
How do i disable perl to be executed from tmp or from user 'apache'? Anyone could help me on this?

Matir, any suggestions on what more i can do more to secure my FC3? Anyone out there could recommend? I'm running an apache web server hosting some heavy traffic sites. Please advice!

-Joe
 
Old 02-27-2005, 11:00 AM   #4
R4z0r
Member
 
Registered: Jan 2002
Distribution: CentOS 3.1
Posts: 119

Rep: Reputation: 15
Perl isn't being executed from /tmp it's being run from /usr/bin/perl (Or where ever it is on your system) and they are just using that file i.e. $perl /tmp/somefile.pl

The main problem is that they are able to run commands on your syste, this is what you need to address! You can try to track them down and see how they are doing it (what user is creating the /tmp files - that would be a good place to start!) then stop them.
 
Old 02-28-2005, 03:42 AM   #5
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
Run chkrootkit and rkhunter. Confirm you havent been rooted.

http://www.chkrootkit.org/
http://www.rootkit.nl/projects/rootkit_hunter.html

Then change all your passwords for all accounts.

Update all software packages.

Or

Reinstall and re-secure (your likely gonna have to do this whatever happens).

Like Matir said, you're likely already compromised, since they're running stuff from your box.
 
Old 02-28-2005, 09:40 AM   #6
beyonds
LQ Newbie
 
Registered: Feb 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Ran all tests

Dear v00d00101,

Well, my server is quite secure as it is. The only reason how they could access the /tmp to run those scripts, is because the server is being used to host some big websites.
As you know /tmp is world-writable, and there is no way to change it to otherwise. I'm not sure how they could gain access to the /tmp directory to upload and execute files, but i'm it has something to do with the Apache Web Server. Not sure of what restrictions to set in httpd.conf to disable them accessing /tmp
I already ran al lthe tests, no trojans were detected. I'm sure the system is not compromised, its just that I need to find a way how to restrict access to /tmp or also from using the perl commands.

Regards,
J
 
Old 02-28-2005, 11:37 AM   #7
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
If someone is running commands from your system without authorization, your system IS compromised. You need to figure out if this is a user with normal access or if it is an outside entity and take appropriate action.

Note: If your system attacks other systems due to your negligence in security, you may be held liable for this. (Or so I've heard: I'm not a lawyer)
 
Old 02-28-2005, 12:11 PM   #8
beyonds
LQ Newbie
 
Registered: Feb 2005
Posts: 4

Original Poster
Rep: Reputation: 0
As I said, thetere is no compromise of the system. Those commands are run by user apache, since user 'apache' are what runs the webserver processes. Anything else you would like to know?

-J
 
Old 02-28-2005, 10:08 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If some of your hosting clients have poorly written CGI or PHP scripts, they can be easily abused to execute commands as the user the webserver is running under (usually nobody or apache). You might want to implement a policy of running nessus or nikto periodically against the system to identify any security holes introduced by webserver scripts. Also keep in mind that if someone can upload and run a cracking tool like a udp flooder, they can also uplaod and execute a local root exploit. So writing off an incident like this as being minor simply because only the apache user is involved is a serious mistake. Maybe if you descibed in detail the steps you've taken to investigate this incident, we can can stop asking about it and move onto other things.
 
Old 03-01-2005, 11:16 AM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
You'll need to look through your apache logfiles to find the source of the compromise.

Look at the modification times for the files in /tmp and then look into the apache logfiles for that date and time. Find out what sites and scripts were accessed. These scripts may have security holes: a few wiki's and php bulletin boards have recently been found to have remote code execution vulns.
 
Old 06-24-2006, 03:10 PM   #11
ylikone
Member
 
Registered: Dec 2004
Location: Ontario, Canada
Distribution: ArchLinux, VectorLinux, Ubuntu, Debian, Linspire
Posts: 66

Rep: Reputation: 15
Beyonds, did you ever figure out how the attacker was getting in? I have a client that is having the same problem... udp.pl script (owned by user apache) appearing in the /tmp directory and being run.

EDIT:
I believe I found the problem... they still had a very old version of phpBB running that they didn't even remember because nobody was using it! I found it by doing a "locate viewtopic.php". Anyway, the phpBB has been removed. Hopefully that was the only doorway on their server.

Last edited by ylikone; 06-24-2006 at 06:04 PM.
 
Old 06-24-2006, 09:41 PM   #12
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
Quote:
Originally Posted by ylikone
Beyonds, did you ever figure out how the attacker was getting in? I have a client that is having the same problem... udp.pl script (owned by user apache) appearing in the /tmp directory and being run.

EDIT:
I believe I found the problem... they still had a very old version of phpBB running that they didn't even remember because nobody was using it! I found it by doing a "locate viewtopic.php". Anyway, the phpBB has been removed. Hopefully that was the only doorway on their server.
Can you post a copy of upd.pl? Or send me a copy of it. I seem to have a similar problem with different name of script.
 
Old 06-24-2006, 10:33 PM   #13
ylikone
Member
 
Registered: Dec 2004
Location: Ontario, Canada
Distribution: ArchLinux, VectorLinux, Ubuntu, Debian, Linspire
Posts: 66

Rep: Reputation: 15
Quote:
Originally Posted by fedora4002
Can you post a copy of upd.pl? Or send me a copy of it. I seem to have a similar problem with different name of script.
Why would need a copy of upd.pl? Planning on DOSing someone?
 
Old 06-24-2006, 10:35 PM   #14
cereal83
Member
 
Registered: Feb 2004
Location: Canada
Distribution: Slackware
Posts: 479

Rep: Reputation: 30
Quote:
Originally Posted by ylikone
Why would need a copy of upd.pl? Planning on DOSing someone?

Maybe he wants to see what a file like that looks like. You don't always have to assume the worse in people. In college, my teacher showed me how to do a ddos attack, then he taught me how to react to a ddos attack.
 
Old 06-24-2006, 10:54 PM   #15
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
Quote:
Originally Posted by ylikone
Why would need a copy of upd.pl? Planning on DOSing someone?
Just curious whether it is the same udp.pl from packetstormsecurity.org
http://packetstormsecurity.org/DoS/udp.pl

That's it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
kde, /tmp, /var/tmp and all that garba Linux - Software 4 06-17-2005 12:31 PM
Create file using 'touch ./tmp.$$', file tmp.3941 is created, why? huangyanfeng Linux - General 1 04-13-2004 03:36 AM
"/tmp/sv001.tmp/setup.bin" error while installing OO1.1.0 Choey Linux - Software 0 09-16-2003 04:52 PM
Numerous scb_*.tmp files in /tmp dburk Programming 3 08-18-2003 04:28 PM
Newbie question - /tmp /var/tmp Mr happy Linux - Security 3 01-27-2003 01:03 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:45 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration