/tmp Problem - Newbie question

gaare (New member, joined Aug 22, 2008, 2 messages)
Greetings,

I am a novice and so my question may not sound..

I have found some scripts and unnecessary files in /tmp, which is designed for temp files for Apache. I searched the forum and loaded noexec, changed safe_mode and disabled some functions.

There were files like dumber.sh, etc. I deleted them without a second thought, but... well... there is a directory "/.shell"... should it be there? :)

Thanks a lot.
 
No, maybe one of your users has a program that is exploitable. You should hire a security expert to look over your server if you are incapable of doing so yourself. Also change to suPHP; then PHP scripts are run as the user and not as higher-level users.
 
Also be sure to have the tmp line in fstab with nodev, nosuid, noexec, like:
/dev/da0s1e /tmp ufs rw,nodev,nosuid,noexec 2 2

to help a bit... (if you don't have a separate partition for tmp, you should.)
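A way to check the fstab advice above on a running host, as an added example that is not code from the original thread: it parses lines in /proc/mounts (or fstab) format and reports which of nodev, nosuid and noexec are missing on each temp filesystem. The post only talks about /tmp; the inclusion of /var/tmp and /dev/shm is an assumption added here because they are the other world-writable scratch areas, and the sample mount table is constructed for illustration, not captured from a real server.

```python
"""Audit mount options on world-writable temp filesystems.

Added example, not code from the original thread.  Accepts text in the
format of /proc/mounts or /etc/fstab and reports which of nodev, nosuid
and noexec are missing on each target.  SAMPLE below is constructed.
"""
import sys

WANTED = ("nodev", "nosuid", "noexec")
# /tmp is the thread's subject; /var/tmp and /dev/shm are an assumption
# added here because scripts get dropped into them just as readily.
TARGETS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample (fstab / /proc/mounts layout), not from a real host.
# /tmp is hardened, /dev/shm lacks noexec, /var/tmp is not its own mount.
SAMPLE = """\
/dev/sda1 / ext3 rw,relatime 0 0
/dev/da0s1e /tmp ufs rw,nodev,nosuid,noexec 2 2
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts or fstab text."""
    mounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        _device, mountpoint, _fstype, options = fields[:4]
        mounts[mountpoint] = set(options.split(","))
    return mounts


def audit(text, targets=TARGETS):
    """Return {mountpoint: [missing options]} for every target.

    A target that is not a separate mount point inherits the root
    filesystem's options, so it is reported as lacking all three.
    """
    mounts = parse_mounts(text)
    findings = {}
    for target in targets:
        opts = mounts.get(target)
        if opts is None:
            findings[target] = ["not a separate mount"] + list(WANTED)
        else:
            findings[target] = [o for o in WANTED if o not in opts]
    return findings


def main(argv):
    # Pass /proc/mounts or /etc/fstab as the first argument for a live check.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    for mountpoint, missing in sorted(audit(text).items()):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{mountpoint:10s} {status}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit_tmp.py /proc/mounts` to see what is actually mounted rather than what fstab says; the two differ after a remount or on hosts where /tmp was never given its own partition.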
 
But doing that to /tmp will not prevent someone from running
Code:
/usr/bin/perl /tmp/script.pl
/usr/bin/php /tmp/script.php
 
I just hate to see someone have a false sense of security. I personally do not see very many cases where having /tmp on a separate noexec partition helps. I see far more perl/php scripts running in /tmp.

My suggestion, which is by no means a perfect one, is to run a scanner to look for scripts running as user apache and kill the process.

Code:
#!/usr/bin/perl
use strict;
use warnings;

# Set this to the address of the machine so the alert says which host it is.
my $ip = "";

# Processes owned by apache that are not the web server itself, a zombie,
# or the mailer: anything left over is a script worth looking at.
my @grep = `ps aux | grep ^apache | grep -v /usr/sbin/httpd | grep -v defunct | grep -v /usr/bin/sendmail`;
chomp(@grep);

foreach my $grep (@grep) {
        # skip empty lines, otherwise an empty pid would reach kill
        next if $grep eq "";
        print "$grep\n";

        my ($user, $pid) = split(/\s+/, $grep);
        next unless defined $pid && $pid =~ /^\d+$/;

        # /proc/<pid> shows the cwd, exe and open fds of the process
        my @ls = `ls -l /proc/$pid`;

        `echo "$ip\n\n$grep\n\n@ls" | mail -s "script running" your\@email.com`;

        kill 9, $pid;
}

The other thing to do is scan your users files looking for known expressions.

Code:
nice -n 19 grep -r -i PHPSHELL /home/*/domains/*/public_html | mail -s phpshell [email protected]

There are legitimate uses for phpshell, but most are used by hackers and spammers.
 
Thanks for the extended explanation, which will help a lot of admins. But it's not necessarily a false sense of security; almost all of the /tmp exploits we find do use executables. It blocks a lot.

Again, thanks!

Jeff
 
And I am not saying that you should not protect /tmp, but you know how some people will lock all the doors and forget about the windows. Locking the door is just one step in an overall security program.
 
I lock the doors whenever I go out, and I gave up on Windows entirely a long time ago; it's a major step in my security program.

;)

Jeff
 
I just hate to see someone have a false sense of security. I personally do not see very many cases where having /tmp on a separate noexec partition helps. I see far more perl/php scripts running in /tmp.

By saying "to help a bit" in my post, you can see that it isn't a solution that covers 100% of this problem. My opinion, though, is that it helps.
I made a post. You did too. Others may too. In the end, a combination of those would help, not only gaare but all of us.
 