Full Version: Preventing Perl, PHP, SH etc from executing scripts in /tmp?
The Planet Forums > Security > General Security > UNIX Security
Bork
Anyone know how to do this? Is there a setting in PHP, Perl and SH that allows you to prevent scripts from being run from /tmp?
Blue|Fusion
If /tmp is a separate filesystem...

CODE
mount -o remount,noexec,nosuid,nodev /tmp


For it to stay that way on next boot, add "noexec,nosuid,nodev" to the boot options for the /tmp mountpoint.

If /tmp is not a separate filesystem...

You need to create a new filesystem in any available space you have and mount /tmp on there.

Both methods are supported by my script which can do the above for you automatically:

http://www.servermonkeys.com/els.php
Bork
Actually, I am using your script and although executables no longer run in /tmp, it's still possible to do:

perl /tmp/nastyscript.pl
sh /tmp/rootkit.sh
Blue|Fusion
Can you paste the output of mount?
Bork
Here you go:

CODE
/dev/hda7 on / type ext3 (rw,usrquota)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hdc1 on /backup type ext3 (rw)
/dev/hda1 on /boot type ext3 (rw)
/dev/hda5 on /home type ext3 (rw,usrquota)
none on /dev/shm type tmpfs (rw,noexec,nosuid,nodev)
/dev/hda6 on /tmp type ext3 (rw,noexec,nosuid,nodev)
/dev/hda2 on /usr type ext3 (rw,usrquota)
/dev/hda3 on /var type ext3 (rw,usrquota)
/tmp on /var/tmp type ext3 (rw,noexec,nosuid,nodev,bind)
Blue|Fusion
Hmm, I didn't know this in its entirety, but doing a little extra Googling, it seems that if you were to directly execute a file from a filesystem with the noexec flag, it will not execute, but if you call the program with the proper interpreter, the program will execute - solving nothing. Hmm, good to know.
Beansprout
Yup, it's a bit of a pain.

Maketh a script to grep /tmp for the perl line (#!/usr/bin/perl or something) and move any files to a safe location and chown/chmod them to remove their permissions, then have it e-mail you so you can investigate the script and see if it's spawned any processes which need killing.

That's one way I can think of... there might be a more elegant solution, though.
ramprage
I came across this today on WHT which works for perl.

http://webhostingtalk.com/showthread.php?t=528198

However this still doesn't help with malicious scripts in other folders other than /tmp but it's a start.
TheUniverses
QUOTE (ramprage)
I came across this today on WHT which works for perl.

http://webhostingtalk.com/showthread.php?t=528198

However this still doesn't help with malicious scripts in other folders other than /tmp but it's a start.


Can you post the contents of that, as it requires login.
Bork
Thanks ramprage, that little script should help.
Invision Power Board © 2001-2009 Invision Power Services, Inc.