Mandatory build clean

BigWil

Verified User
Joined
Aug 5, 2004
Messages
296
Ok. Well this is twice that this happened. It seems the script kiddies got ahold of the modperl directory again. I still fear that there is some sort of exploit in modperl but haven't the time to figure that one out.

Problem: When installing customapache if one forgets to run the ./build clean it leaves some vulnerability open. Attackers are able to upload their perl scripts to the /tmp and /var/tmp directories and execute a command line to run them.

Here are the processes:
apache 66453 0.1 2.9 76260 59652 ?? S 6:23PM 0:00.02 /usr/sbin/httpd -DHAVE_VHOST_ALIAS -DHAVE_ENV -DHAVE_LOG_CONFIG -DHAVE_MIME
apache 66400 98.6 0.1 2920 2212 ?? R 6:22PM 1:55.82 perl udp.txt 200.189.184.11 7171 200 (perl5.8.8)
apache 66399 0.0 0.1 1632 1072 ?? I 6:22PM 0:00.00 sh -c cd /tmp;perl udp.txt 200.189.184.11 7171 200 2>&1
apache 66402 0.0 0.1 1632 1064 ?? I 6:22PM 0:00.00 sh -c (sleep 200;killall -9 udp) &
apache 66403 0.0 0.1 1632 1064 ?? I 6:22PM 0:00.00 sh -c (sleep 200;killall -9 udp) &
apache 66404 0.0 0.0 1172 420 ?? I 6:22PM 0:00.00 sleep 200

SOLUTION: Either make the ./build clean an automatic part of the build script, have the script prompt to clean, or at least put up a notice so guys like me that are building 3 machines simultaneously have less of a chance at forgetting to remove that modperl directory.

Thanks,

Big Wil
 
BigWil,

Many of us are making our /tmp directory non-executable and doing symbolic links from all other tmp directories to /tmp.

Jeff
 
Should be a normal setup process really as far as securing /tmp stuff. Unless you have some app that needs that ability. Temp space will be one of the first things attacked.
 
Normal practice for a server-centric OS, perhaps. DirectAdmin is known to leave administrator work to server administrators. In that regard perhaps it's not for the totally uninitiated.

Should I write DirectAdmin for Dummies?

On a related note, when we build servers we use a checklist similar to that an airline pilot takes before he goes airborne.

It keeps us, as it does the pilot, from having as many accidents.

Jeff
 
Damn guys it was just a suggestion.

The problem, and it isn't a big one, is that my RAID drives come preconfigured and sliced. The manufacturer doesn't give /tmp or /var their own partitions. I guess I will have to start remedying that.

Big Wil
 
Ok. So the /var/tmp and /tmp folders are noexec, nosuid and lookie here. They're back and running their uploaded perl script from the /tmp directory. Even as root I can't run a perl script from the /tmp directory.

USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
apache 13043 93.9 0.1 2920 2236 ?? R 5:57PM 17:10.89 perl udp.pl 200.150.137.152 0 500 (perl5.8.8)
apache 13042 0.0 0.0 1632 1024 ?? I 5:57PM 0:00.00 sh -c cd /tmp;perl udp.pl 200.150.137.152 0 500 2>&1

Any other candidates for your DirectAdmin for Dummies book? I have run every chkrootkit known to man and they don't have any permanent access, so it seems.

Big Wil
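The two ps listings in this thread show why noexec on /tmp did not help: the executable is /usr/bin/perl, and the script in /tmp is only an argument to it, so the mount option never applies. A quick way to spot that pattern is to scan process listings for interpreters owned by the web server user that were started with a relative script name or a temp-directory path. The script below is an added example, not from the original thread; the sample listing is constructed from the lines quoted above and the function name is my own.

```shell
#!/bin/sh
# Constructed sample in `ps aux` layout:
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
apache 66453 0.1 2.9 76260 59652 ?? S 6:23PM 0:00.02 /usr/sbin/httpd -DHAVE_VHOST_ALIAS
apache 13043 93.9 0.1 2920 2236 ?? R 5:57PM 17:10.89 perl udp.pl 200.150.137.152 0 500 (perl5.8.8)
apache 13042 0.0 0.0 1632 1024 ?? I 5:57PM 0:00.00 sh -c cd /tmp;perl udp.pl 200.150.137.152 0 500 2>&1
apache 66404 0.0 0.0 1172 420 ?? I 6:22PM 0:00.00 sleep 200
apache 101 0.0 0.0 1000 500 ?? S 5:00PM 0:00.10 perl /usr/local/bin/da-backup.pl'

# flag_tmp_interpreters USER  (hypothetical helper name)
# Reads `ps aux` output on stdin and prints "PID COMMAND" for each process
# owned by USER whose command is an interpreter (perl, python, php, sh, bash)
# that was either given a relative script name (run from its cwd, e.g. /tmp)
# or explicitly references /tmp or /var/tmp.  A noexec mount does not stop
# either case, so these are worth a look even when /tmp is locked down.
flag_tmp_interpreters() {
    awk -v user="$1" '
        NR == 1 { next }              # skip the ps header line
        $1 != user { next }           # only the web server user
        $11 !~ /^(perl|python|php|sh|bash)[0-9.]*$/ { next }
        {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            flag = 0
            # explicit temp directory anywhere in the command line
            if (cmd ~ /\/(var\/)?tmp(\/|;|$| )/) flag = 1
            # first argument is a bare script name (not an option, not absolute)
            else if ($12 != "" && $12 !~ /^[-\/]/) flag = 1
            if (flag) print $2, cmd
        }'
}

# Demo run over the constructed sample; on a live box use: ps aux | flag_tmp_interpreters apache
printf '%s\n' "$SAMPLE_PS" | flag_tmp_interpreters apache
```

Expect the two udp.pl processes (13043 and 13042) to be reported, while httpd, sleep and the perl script with an absolute path outside /tmp are not.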
 
Ok well here is the next chapter for your DirectAdmin for Dummies book.

Don't get in a hurry building 3 machines at a time and forget to add this to your php.ini file:

disable_functions = exec,shell_exec,system,passthru,popen,proc_open

Signed,

The Dummy
 
We were not bashing you BigWil, and unfortunately the temp precautions will not stop everything, but they do help. PHP has many ways for people (I use that term loosely) to cause you grief.

Jeff, I was not saying it should be something that DA does, nor do I think it has anything to do with DA. I was saying that it should be part of a default setup for the sysadmin. One of the things I like about DA is that it does not try to take over the system so that we are dependent on DA for everything.
 