  1. #1
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    5,073

    Even more control over /tmp and perl spammers?

    Hey hey!

    We've been suffering from a lot of kiddies, all based outta Brazil, that spam the living hell outta our servers, even though we have locked down /tmp as best we can.

    They are still able to perl /tmp/.x/craphere.pl

    It's just murdering our box and we can't figure out what else we can do.

    Does anyone have any input of what we can do?

    ~Francisco
    BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
    - All popular VPN methods supported
    - Affordable offloaded MySQL & DDoS protection
    - 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony

  2. #2
    Join Date
    Jul 2003
    Location
    Texas
    Posts
    787
    as root

    touch hacker.pl
    chmod 000 hacker.pl
    chmod 700 /usr/sbin/wget

    When the file exists already and the skiddy has no clue on how to change the name of the file being uploaded he will get stuck or fed up and move on.

    Just find out the common file names and touch each one and then leave it empty and chmod 000. Cheap, dirty hack but it will work for some of the slower skiddies.

    Thanks,

    Jeremy

  3. #3
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    5,073
    hmm, is there any way to control perl access or anything like that for the user "nobody" ?

  4. #4
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    5,073
    Heh, interesting

    nobody 34646 0.0 0.1 5716 1552 ?? I 11:56PM 0:00.67 /hsphere/shared/apache/bin/httpd -DSSL (perl)


    I use cpanel for one

    Guess it's best I go see what user has that file

    ~Francisco
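The listing above shows a perl process presenting itself as httpd. On Linux the process title is whatever argv[0] says, but /proc/PID/exe still points at the real binary, so the two can be compared. The script below is an added example written for this thread, not code from any poster: it flags processes whose exe is an interpreter but whose argv[0] says something else, and interpreters running a script out of /tmp, /var/tmp or /dev/shm. The directory and interpreter lists are assumptions to adjust; the inputs in the comments are constructed from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks a ps listing alone will not do:
#  1. /proc/PID/exe is an interpreter but argv[0] claims to be something else
#     (the "httpd -DSSL (perl)" process above).
#  2. an interpreter was started on a script under a scratch directory.
# Assumed lists; extend to taste.
SCRATCH_DIRS='/tmp /var/tmp /dev/shm'
INTERPRETERS='perl python php sh bash'

# classify_process EXE CMDLINE
#   EXE     = readlink of /proc/PID/exe
#   CMDLINE = argv joined with single spaces
# Prints a reason and returns 0 when suspicious, returns 1 otherwise.
classify_process() {
    exe=$1
    cmdline=$2
    exe_base=${exe##*/}
    argv0=${cmdline%% *}
    argv0_base=${argv0##*/}

    case " $INTERPRETERS " in
        *" $exe_base "*)
            # Interpreter whose argv[0] was rewritten (perl's $0 = "...", etc).
            # A versioned binary like python3.11 invoked as "python" will also
            # trip this; whitelist such cases if they are noisy.
            if [ "$argv0_base" != "$exe_base" ]; then
                echo "exe=$exe but argv0=$argv0 (process title spoofed)"
                return 0
            fi
            # Interpreter given a script that lives in a scratch directory.
            for d in $SCRATCH_DIRS; do
                case " $cmdline" in
                    *" $d/"*)
                        echo "$exe_base running a script from $d: $cmdline"
                        return 0 ;;
                esac
            done
            ;;
    esac
    return 1
}

# Walk /proc and report. Needs root to read other users' exe links.
scan_proc() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cmdline=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        cmdline=${cmdline% }
        reason=$(classify_process "$exe" "$cmdline") && echo "PID $pid: $reason"
    done
    return 0
}

# Constructed inputs from the thread, for reference:
#   classify_process /usr/bin/perl '/hsphere/shared/apache/bin/httpd -DSSL'  -> spoofed
#   classify_process /usr/bin/perl 'perl /tmp/.x/craphere.pl'                -> script from /tmp
if [ "${1:-}" = scan ]; then
    scan_proc
fi
```

Run it as `sh scan.sh scan` from cron or by hand; killing what it reports is then a `kill` on the PID, and the exe link tells you which interpreter to go and lock down.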

  5. #5
    Join Date
    Sep 2000
    Posts
    429
    If the file system you use has access control lists enabled (this is built into kernel 2.6, the patch for 2.4 is at http://acl.bestbits.at) you can disable user nobody from executing perl. This won't be a problem for any scripts through apache if suexec is enabled.

    For instance on ext3 if it is compiled in and the partition is mounted with acl (in /etc/fstab have defaults,acl for example) something like

    setfacl -m u:nobody:---,g:nobody:--- /usr/bin/perl   # target is the perl binary; adjust the path for your system

    will disable user nobody from accessing perl.

  6. #6
    Mount /tmp as noexec?

  7. #7
    Greetings Francisco:

    Yes, you want to kill that fake Apache process.

    Check that all your fetch-like programs (wget, fetch, curl, etc.) are set to 700.

    Secure your /tmp, /var/tmp, and (if you are Linux based) /dev/shm

    Install mod_security from modsecurity.org with a good set of rules.

    Constantly review your security each day.

    Thank you.
    ---
    Peter M. Abraham

  8. #8
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    5,073
    haha, hello Peter

    Thank you for all the help! I meant no offense to the hsphere team with that, just got a good laugh outta it is all

    I guess it would be best we start lookin' at modsecurity, I'd install it while on my vacation, but this 'net I was able to "acquire" isn't the most stable thing around.

    /tmp is mounted noexec and a bunch of other modes, which protects against ./kiddiescript.pl , but, a user can still do perl /tmp/.x/kiddiescript.pl

    For the time being I set perl to 700, which is a silly idea, but until I can get on some stable internet, it's the best I can do.

    ~Francisco
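Post #8 spells out the gap: noexec on /tmp blocks ./kiddiescript.pl, but not `perl /tmp/.x/kiddiescript.pl`, because it is perl that gets executed and perl lives on a filesystem without noexec. The ACL from post #5 closes that gap by denying the web server user the perl binary itself. The script below is an added example for this thread, not something any poster wrote: it checks the scratch mounts for noexec and applies and verifies the ACL. It assumes Linux with /proc/mounts, a filesystem mounted with the acl option, GNU setfacl/getfacl, the web user "nobody", perl at /usr/bin/perl, and suexec in place so real CGI does not run as nobody. The getfacl output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the scratch directories are
# noexec and denies the web server user the perl binary via a POSIX ACL.
# Assumptions: Linux, "acl" mount option on the filesystem holding perl,
# GNU acl tools, web user "nobody", suexec in use.
WEB_USER=${WEB_USER:-nobody}
PERL_BIN=${PERL_BIN:-/usr/bin/perl}

# mount_opts_have OPTS OPTION: OPTS is the comma-separated list from /proc/mounts.
mount_opts_have() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# acl_denies_user GETFACL_OUTPUT USER: true when there is an explicit
# "user:USER:---" entry. A named-user entry is evaluated before any group
# entry, so the g:nobody:--- from post #5 is not needed for the deny to bite,
# and "---" stays "---" whatever the mask says.
# Constructed getfacl output that should pass:
#   user::rwx
#   user:nobody:---
#   group::r-x
#   mask::r-x
#   other::r-x
acl_denies_user() {
    printf '%s\n' "$1" | grep -qx "user:$2:---"
}

# Report which of /tmp, /var/tmp, /dev/shm are mounted noexec.
check_scratch_dirs() {
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /tmp|/var/tmp|/dev/shm)
                if mount_opts_have "$opts" noexec; then
                    echo "ok: $mnt is noexec ($fstype)"
                else
                    echo "WARN: $mnt is NOT noexec; only stops ./script, never 'perl script'"
                fi ;;
        esac
    done < /proc/mounts
    return 0
}

# Deny the web user the interpreter, then prove it both ways.
apply_perl_acl() {
    setfacl -m "u:$WEB_USER:---" "$PERL_BIN" || return 1
    if acl_denies_user "$(getfacl --absolute-names "$PERL_BIN" 2>/dev/null)" "$WEB_USER"; then
        echo "ok: ACL on $PERL_BIN denies $WEB_USER"
    else
        echo "FAIL: ACL entry missing (is the filesystem mounted with acl?)"
        return 1
    fi
    # Functional check: expect "Permission denied" from the shell.
    su -s /bin/sh "$WEB_USER" -c "$PERL_BIN -e 1" 2>&1 || true
}

case "${1:-}" in
    check) check_scratch_dirs ;;
    apply) check_scratch_dirs; apply_perl_acl ;;
esac
```

`sh harden.sh check` is safe to run anywhere; `sh harden.sh apply` needs root. Unlike chmod 700 on perl, the ACL leaves every other user (including suexec'd site owners) able to run it, and `setfacl -x u:nobody /usr/bin/perl` undoes it.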

  9. #9
    As mentioned before, mod_security can stop most of these attacks. Just make sure to put these lines in the rule set:

    SecFilter cd\x20/tmp
    SecFilter wget\x20
    SecFilter cd\x20/dev/shm
    Mher.org:: Reseller and Shared Hosting

  10. #10
    Join Date
    May 2004
    Location
    Lansing, MI, USA
    Posts
    1,548
    Originally posted by DeltaAnime
    haha, hello Peter

    Thank you for all the help! I meant no offense to the hsphere team with that, just got a good laugh outta it is all

    I guess it would be best we start lookin' at modsecurity, I'd install it while on my vacation, but this 'net I was able to "acquire" isn't the most stable thing around.

    /tmp is mounted noexec and a bunch of other modes, which protects against ./kiddiescript.pl , but, a user can still do perl /tmp/.x/kiddiescript.pl

    For the time being I set perl to 700, which is a silly idea, but until I can get on some stable internet, it's the best I can do.

    ~Francisco
    We've started to be even more annoying... as we see the junk files show up in /tmp... we do this:

    rm <file>
    touch <file>
    chmod 0000 <file>
    chattr +i <file>

    Does a good job of keeping them from coming back when the rules fail.
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
    Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
    Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large
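Posts #2 and #10 describe the same trick: occupy the filenames the kiddies use with an empty, mode 0000, immutable file so their upload or mkdir fails. The script below is an added example for this thread, not either poster's code. It plants the decoys (including the hidden ".x" directory name from post #1, planted as a file so `mkdir /tmp/.x` fails too) and re-checks them so you notice when a rule has failed and something replaced one. It assumes Linux with GNU stat and chattr; the decoy names are constructed placeholders, not a real list.

```shell
#!/bin/sh
# Added example, not from the thread. Plants and checks decoy files in /tmp.
# Assumptions: Linux, GNU coreutils stat, e2fsprogs chattr (root, and a
# filesystem with attribute support; tmpfs has none, so set DECOY_IMMUTABLE=0).
DECOY_DIR=${DECOY_DIR:-/tmp}
DECOY_NAMES=${DECOY_NAMES:-"hacker.pl x.pl .x bot.pl udp.pl"}   # constructed placeholders
DECOY_IMMUTABLE=${DECOY_IMMUTABLE:-1}

# plant_decoy PATH: replace whatever is there with an empty 0000 (+i) file.
plant_decoy() {
    f=$1
    if [ -e "$f" ] && [ "$DECOY_IMMUTABLE" = 1 ]; then
        chattr -i "$f" 2>/dev/null || true   # lift our own +i so rm works
    fi
    rm -rf "$f"          # may be a directory (/tmp/.x) or a dropped script
    : > "$f"             # touch, but guaranteed empty
    chmod 0000 "$f"
    if [ "$DECOY_IMMUTABLE" = 1 ]; then
        chattr +i "$f" 2>/dev/null || echo "warn: chattr +i failed on $f (not root, or no attr support)"
    fi
}

# decoy_intact PATH: 0 while it is still our empty mode-0000 regular file.
decoy_intact() {
    f=$1
    [ -f "$f" ] || return 1                        # gone, or now a directory
    [ ! -s "$f" ] || return 1                      # someone wrote into it
    [ "$(stat -c %a "$f")" = 0 ] || return 1       # mode changed from 0000
    return 0
}

plant_all() {
    for n in $DECOY_NAMES; do plant_decoy "$DECOY_DIR/$n"; done
}

# Returns 1 if any decoy was replaced, so it can drive an alert from cron.
check_all() {
    rc=0
    for n in $DECOY_NAMES; do
        decoy_intact "$DECOY_DIR/$n" || { echo "ALERT: $DECOY_DIR/$n replaced"; rc=1; }
    done
    return $rc
}

case "${1:-}" in
    plant) plant_all ;;
    check) check_all ;;
esac
```

Feed DECOY_NAMES from what actually shows up in your /tmp (post #2's "find out the common file names"). Root can still write to a 0000 file, which is why the +i matters: only root can lift it, and the kiddie is running as nobody.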
