mperkel
12-05-2004, 08:34 PM
I have found that someone is able to somehow use apache to upload perl scripts into the tmp directory and execute them. What they are running is some packet flood programs against other computers.
The files udp.pl srape.pl are owned by apache, the process is owned by apache, and the files are executable.
Obviously - I'm concerned and want to stop this. Anyone know what the vulnerability is and what I need to do to stop it?
eth00
12-05-2004, 08:54 PM
Secure your /tmp partition so that you are not able to execute files from it. If you check in my sig there is a guide to securing cPanel; you can do the securing /tmp section for any redhat distro. While you are at it you should secure your /dev/shm temp partition.
It is not really a vulnerability; just about any default server will allow for these types of attacks. You should look in your access logs to see if they were put there on purpose or if they were uploaded via some exploited script (more likely).
Mod_security is a good way to stop these types of requests.
A firewall that restricts outgoing and incoming transfers would stop this (apf has these features).
You may also want to secure some of your system binaries. Wget, links, lynx, rcp, and a few others are all possible methods of downloading files on your system to be exploited.
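An added example (not eth00's guide or any script from the thread) of the check a defender would run after following the advice above: it parses /proc/mounts-style lines and reports whether /tmp and /dev/shm are separate mounts carrying noexec, plus nosuid and nodev, which are assumed here as the usual companion options. The mounts text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit /tmp and /dev/shm mount options.
# SAMPLE_MOUNTS is constructed sample data in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda3 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Print the options field for a mount point; prints nothing when the
# path is not its own mount (i.e. it lives on the parent filesystem).
mount_opts() {
    # $1 = mount point, $2 = mounts text
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# Report hardening options missing from a mount point.
# Output: "<mp> ok", "<mp> missing: <opts>" or "<mp> not a separate mount".
# Returns 0 only when the mount exists and carries all three options.
check_mount() {
    mp=$1
    opts=$(mount_opts "$mp" "$2")
    if [ -z "$opts" ]; then
        echo "$mp not a separate mount"
        return 1
    fi
    missing=""
    # noexec is what the thread recommends; nosuid and nodev are the
    # assumed standard additions for a world-writable scratch area.
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -z "$missing" ]; then
        echo "$mp ok"
        return 0
    fi
    echo "$mp missing:$missing"
    return 1
}
```

On a live box, call it as `check_mount /tmp "$(cat /proc/mounts)"` and the same for /dev/shm.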
mperkel
12-05-2004, 09:44 PM
I looked at mod_security and it appears to not be compatible with apache 2. What I'm looking for is an apache command that prohibits apache from executing anything in the /tmp directory. Or some other kool trick.
Is there a way to prohibit any files in the /tmp directory from being set to executable?
Steven
12-05-2004, 09:45 PM
Originally posted by mperkel
I looked at mod_security and it appears to not be compatible with apache 2. What I'm looking for is an apache command that prohibits apache from executing anything in the /tmp directory. Or some other kool trick.
Is there a way to prohibit any files in the /tmp directory from being set to executable?
No there is no simple cut and dry way to do this. Mod_security is indeed compatible with apache 2 :)
mp3LM
12-05-2004, 10:09 PM
I must say, I love eth00's tutorials. They're awesome.
Except you can't stop someone executing from the /tmp - even if you mount it with the noexec option, there're easy ways around it..
mperkel
12-05-2004, 11:01 PM
OK eth00 - I installed mod security and added your scripts. We'll see if I catch anyone. And - hopefully it won't break anything.
mperkel
12-06-2004, 11:53 AM
eth00
I am interested in your idea about mounting /tmp as a separate volume and was thinking about how to do that. The first thought was to shrink a partition creating some space to make a /tmp partition to mount. I just checked and I only have 2 megs of data in /tmp but I'm wondering how big a /tmp partition needs to be? And - thinking out loud - I have 4 gigs of ram - could I get away with a ram disk for /tmp of say 100 megs? That way every time I reboot the /tmp gets cleaned.
Anyone have any thoughts on this?
Also - besides mounting a partition with noexec - I wonder if there is any other way to prevent files in /tmp from becoming executable?
Steven
12-06-2004, 02:07 PM
Originally posted by mperkel
eth00
I am interested in your idea about mounting /tmp as a separate volume and was thinking about how to do that. The first thought was to shrink a partition creating some space to make a /tmp partition to mount. I just checked and I only have 2 megs of data in /tmp but I'm wondering how big a /tmp partition needs to be? And - thinking out loud - I have 4 gigs of ram - could I get away with a ram disk for /tmp of say 100 megs? That way every time I reboot the /tmp gets cleaned.
Anyone have any thoughts on this?
Also - besides mounting a partition with noexec - I wonder if there is any other way to prevent files in /tmp from becoming executable?
Very bad idea to clean /tmp on clean. If the server was to get compromised with /tmp... how are you going to know what was there if the box gets rebooted? It's very very very bad practice. Not to mention the mysql symlink there.
eth00
07-06-2005, 09:18 AM
Making tmp noexec stops all the files from being DIRECTLY run but it does not stop them from being used like a configuration file and called from say perl. The only way to really restrict that is to restrict from perl being called in the first place.