customer abuse php

sansobar

hello,

One of my customers is abusing my PHP, then uploading and installing crack programs in the server's /tmp directory. The ownership is apache.apache. I am really unable to trace the culprit. Could anyone kindly advise me how I can find out?

Thank you.
 
It might not be a customer; it could be anyone using a php-based program with a security hole.

If you have a separate /tmp partition you can change the fstab file to mount it without execute capability.

If you don't, you can try to use the HowTo here to create a /tmp file you can use (mounting it using the loop device) as a noexec mounted /tmp partition.

To attempt to determine which user is causing the problem you'd have to compare timestamps in your httpd log files with the creation timestamps in the /tmp directory.

Jeff
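
The timestamp comparison suggested in the post above can be scripted. This is an added example, not part of the original thread: it assumes one access log per site in Apache common/combined format, uses each file's mtime as a stand-in for its creation time, and all function names, site names and sample lines are constructed for illustration.

```python
import os
import re
from datetime import datetime

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (epoch, client_ip, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, path, status = m.groups()
    return datetime.strptime(when, TIME_FMT).timestamp(), ip, method, path, int(status)

def tmp_file_times(directory="/tmp", owner_uid=None):
    """Map each regular file in directory to its mtime, optionally only files owned by owner_uid."""
    times = {}
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if entry.is_file(follow_symlinks=False) and owner_uid in (None, st.st_uid):
            times[entry.path] = st.st_mtime
    return times

def correlate(file_times, logs_by_site, window=5):
    """For each file, list requests received in the `window` seconds before its timestamp."""
    hits = {path: [] for path in file_times}
    for site, lines in logs_by_site.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue  # skip lines that are not in the expected format
            epoch, ip, method, url, status = rec
            for path, ftime in file_times.items():
                if 0 <= ftime - epoch <= window:
                    hits[path].append((site, ip, method, url, status))
    return hits

# Constructed sample data: two per-site logs and the mtime of one file found in /tmp.
SAMPLE_LOGS = {
    "site-a.example": ['192.0.2.10 - - [12/Mar/2005:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120'],
    "site-b.example": ['198.51.100.7 - - [12/Mar/2005:04:20:31 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312',
                       '192.0.2.10 - - [12/Mar/2005:04:45:00 +0000] "GET /forum/ HTTP/1.1" 200 900'],
}
SAMPLE_FILES = {"/tmp/dropped.bin": datetime.strptime("12/Mar/2005:04:20:33 +0000", TIME_FMT).timestamp()}

if __name__ == "__main__":
    for path, reqs in correlate(SAMPLE_FILES, SAMPLE_LOGS).items():
        print(path, reqs)
```

On a live server, build `file_times` with `tmp_file_times("/tmp", owner_uid=<uid of the apache user>)` and fill `logs_by_site` from each site's access log. A busy site will produce several candidate requests per file, so widen or narrow `window` accordingly.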
 
I'd also look for older versions of phpBB and awstats that are commonly used for this.

Might want to start by looking at heavily trafficked sites, those with phpBB older than 2.0.12, etc.
 
Even though I had /tmp as noexec, I would still find exploits in /tmp. I installed mod_security and the /tmp directories have been clean ever since.
 
CrazyLane said:
Even though I had /tmp as noexec, I would still find exploits in /tmp. I installed mod_security and the /tmp directories have been clean ever since.

Care to share how you install it?
 
Mounting /tmp noexec won't stop anything from being put into /tmp, but it will keep executables from running.

Jeff
 