07-14-2005, 12:35 AM #1 Poooooonnyyy :* (Join Date: Jan 2003 | Location: Canada | Posts: 5,073)
Even more control over /tmp and perl spammers?
Hey hey!
We've been suffering from a lot of kiddies, all based outta brazil, that spam the living hell outta our servers, even though we have locked down /tmp as best we can.
They are still able to perl /tmp/.x/craphere.pl
It's just murdering our box and we can't figure out what else we can do.
Does anyone have any input of what we can do?
~Francisco
BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
- All popular VPN methods supported
- Affordable offloaded MySQL & DDoS protection
- 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony

07-14-2005, 12:40 AM #2 Web Hosting Master (Join Date: Jul 2003 | Location: Texas | Posts: 787)
As root:
touch hacker.pl
chmod 000 hacker.pl
chmod 700 /usr/sbin/wget
When the file exists already and the skiddy has no clue on how to change the name of the file being uploaded he will get stuck or fed up and move on.
Just find out the common file names and touch each one and then leave it empty and chmod 000. Cheap, dirty hack but it will work for some of the slower skiddies.
Thanks,
Jeremy

07-14-2005, 12:53 AM #3 Poooooonnyyy :* (Join Date: Jan 2003 | Location: Canada | Posts: 5,073)
Hmm, is there any way to control perl access, or anything like that, for the user "nobody"?

07-14-2005, 01:01 AM #4 Poooooonnyyy :* (Join Date: Jan 2003 | Location: Canada | Posts: 5,073)
Heh, interesting
nobody 34646 0.0 0.1 5716 1552 ?? I 11:56PM 0:00.67 /hsphere/shared/apache/bin/httpd -DSSL (perl)
I use cpanel for one
Guess it's best I go see what user has that file.
~Francisco
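The "(perl)" that FreeBSD's ps appends above is the real command name behind a rewritten argv; the same check can be scripted on Linux from /proc/PID/exe. Added example, not from the thread; it assumes Linux and an interpreter list of my own choosing.

```shell
#!/bin/sh
# Added example (not from the thread): find processes whose argv claims to be
# Apache while the executable actually running is an interpreter. A perl
# script can rewrite $0 to "httpd -DSSL"; /proc/PID/exe still points at perl.
# Assumes Linux with /proc. The interpreter list is an assumption.

INTERPRETERS="perl python php ruby sh bash"

# is_masquerading CLAIMED_ARGV REAL_EXE
# True (0) when the first argv word names something other than the real
# binary and the real binary is one of INTERPRETERS (perl, perl5.8.8, ...).
# A legitimate "perl /tmp/x.pl" has claimed == real and is not flagged.
is_masquerading() {
    claimed=$(basename "$(printf '%s\n' "$1" | cut -d' ' -f1)")
    real=$(basename "$2")
    real=${real%% *}                 # "perl (deleted)" -> "perl"
    for interp in $INTERPRETERS; do
        case "$real" in
            "$interp"|"$interp"[0-9]*)
                [ "$claimed" != "$real" ] && return 0
                ;;
        esac
    done
    return 1
}

# scan_proc: walk /proc on a live host and print every suspicious PID with
# its claimed argv and real executable. Needs enough privilege to read the
# exe links of other users' processes (root, in practice). A symlink to an
# interpreter under another name is a known false positive; review by hand.
scan_proc() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        argv=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || continue
        [ -n "$argv" ] || continue
        if is_masquerading "$argv" "$exe"; then
            printf 'PID %s: argv "%s" but exe is %s\n' "${d#/proc/}" "$argv" "$exe"
        fi
    done
}

case "${1:-}" in --scan) scan_proc ;; esac
```

Run it as `sh check_fake_httpd.sh --scan` on the box; anything it prints deserves the kill that Peter recommends further down, after a look at the script it is running.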

07-14-2005, 01:04 AM #5 Aspiring Evangelist (Join Date: Sep 2000 | Posts: 429)
If the file system you use has access control lists enabled (this is built into kernel 2.6; the patch for 2.4 is at http://acl.bestbits.at) you can disable user nobody from executing perl. This won't be a problem for any scripts through apache if suexec is enabled.
For instance, on ext3, if it is compiled in and the partition is mounted with acl (in /etc/fstab have defaults,acl for example), something like
setfacl -m u:nobody:---,g:nobody:--- /usr/bin/perl
will disable user nobody from accessing perl.
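The ACL approach above, as an added example that is not from the thread: it denies one uid on the interpreter and verifies the entry with getfacl. It assumes Linux with the acl tools installed, an acl-mounted filesystem, and uid 65534 for nobody.

```shell
#!/bin/sh
# Added example (not from the thread): take away user nobody's access to the
# perl binary with a POSIX ACL, as post #5 suggests, and verify it took.
# Assumes Linux, the acl tools (setfacl/getfacl) installed, and the filesystem
# mounted with acl support. The uid is an assumption: "nobody" is 65534 on
# most Linux systems; using the number avoids a failing passwd lookup.

NOBODY_UID=65534

# deny_user FILE UID: add a named-user entry with no permissions. A named-user
# entry is matched before "other", so nobody loses r/w/x even if other is r-x.
# Returns 0 on success, 2 when ACLs are unavailable on this filesystem, 1 on
# any other failure.
deny_user() {
    command -v setfacl >/dev/null 2>&1 || return 2
    err=$(setfacl -m "u:$2:---" "$1" 2>&1) && return 0
    case "$err" in *"not supported"*) return 2 ;; esac
    return 1
}

# verify_denied FILE UID: true when getfacl lists the entry with no bits.
verify_denied() {
    getfacl -n "$1" 2>/dev/null | grep -q "^user:$2:---\$"
}

# harden_interpreters UID FILE...: apply deny_user to every interpreter that
# exists. A versioned copy such as perl5.8.8 beside /usr/bin/perl would
# otherwise stay usable, so list all of them.
harden_interpreters() {
    uid=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        if deny_user "$f" "$uid" && verify_denied "$f" "$uid"; then
            printf 'uid %s denied on %s\n' "$uid" "$f"
        else
            printf 'could not set ACL on %s\n' "$f" >&2
        fi
    done
}

# Usage on a real host (as root; paths are examples):
#   harden_interpreters "$NOBODY_UID" /usr/bin/perl /usr/bin/perl5.8.8
```

With suexec, CGI runs as the account owner rather than nobody, so the uid to deny is whichever one the web server actually executes code as.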

07-14-2005, 06:03 AM #6 WHT Addict (Join Date: Oct 2004 | Posts: 100)
Mount /tmp as noexec?

07-14-2005, 06:06 AM #7 Web Hosting Master (Join Date: Dec 2001 | Posts: 5,221)
Greetings Francisco:
Yes, you want to kill that fake Apache process.
Check that all your fetch-like programs (wget, fetch, curl, etc.) are set to 700.
Secure your /tmp, /var/tmp, and (if you are Linux based) /dev/shm.
Install mod_security from modsecurity.org with a good set of rules.
Constantly review your security each day.
Thank you.

07-14-2005, 10:09 AM #8 Poooooonnyyy :* (Join Date: Jan 2003 | Location: Canada | Posts: 5,073)
haha, hello Peter
Thank you for all the help! I meant no offense to the hsphere team with that, just got a good laugh outta it is all.
I guess it would be best we start lookin' at modsecurity; I'd install it while on my vacation, but this 'net I was able to "acquire" isn't the most stable thing around.
/tmp is mounted noexec and a bunch of other modes, which protects against ./kiddiescript.pl, but a user can still do perl /tmp/.x/kiddiescript.pl
For the time being I set perl to 700, which is a silly idea, but until I can get on some stable internet, it's the best I can do.
~Francisco

07-15-2005, 01:38 AM #9 Newbie (Join Date: Nov 2003 | Posts: 18)
As mentioned before, mod_security can stop most of these attacks. Just make sure to put these lines in the rule set:
SecFilter cd\x20/tmp
SecFilter wget\x20
SecFilter cd\x20/dev/shm
Mher.org :: Reseller and Shared Hosting

07-15-2005, 02:20 AM #10 PHP for breakfast (Join Date: May 2004 | Location: Lansing, MI, USA | Posts: 1,548)
Originally posted by DeltaAnime
haha, hello Peter
Thank you for all the help! I meant no offense to the hsphere team with that, just got a good laugh outta it is all.
I guess it would be best we start lookin' at modsecurity; I'd install it while on my vacation, but this 'net I was able to "acquire" isn't the most stable thing around.
/tmp is mounted noexec and a bunch of other modes, which protects against ./kiddiescript.pl, but a user can still do perl /tmp/.x/kiddiescript.pl
For the time being I set perl to 700, which is a silly idea, but until I can get on some stable internet, it's the best I can do.
~Francisco
rm <file>
touch <file>
chmod 0000 <file>
chattr +i <file>
Does a good job of keeping them from coming back when the rules fail.
Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
Website Hosting, PHP4&5, RoR, MySQL 5.0, Reseller Hosting, Development, and Designs
Powered By JAM - Professional Website Development - PHP, MySQL, JavaScript, AJAX - Projects Small & Large
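The placeholder trick from posts #2 and #10 (touch, chmod 0000, chattr +i) as one re-runnable script; an added example, not from either poster. It assumes Linux and treats the listed paths as illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): the placeholder trick from posts #2 and
# #10 as a reusable script. Whatever the intruder dropped at PATH is removed
# and replaced by an empty file with mode 0000, marked immutable when possible
# so it cannot be deleted or renamed even by its owner. Planting the directory
# name itself (/tmp/.x) as a file also makes a later "mkdir /tmp/.x" fail.
# The paths in the usage line are illustrative (assumption); take yours from
# the logs.

# is_locked PATH: true when PATH is a regular file with no permission bits.
is_locked() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "----------" ]
}

# plant_placeholder PATH: returns 0 when PATH ends up as a locked placeholder.
plant_placeholder() {
    f=$1
    # allow re-runs over an earlier immutable placeholder
    command -v chattr >/dev/null 2>&1 && chattr -i "$f" 2>/dev/null || true
    rm -rf "$f"                       # drop whatever the intruder left there
    : > "$f" || return 1              # empty file
    chmod 0000 "$f" || return 1
    # chattr +i needs CAP_LINUX_IMMUTABLE (root) and an ext/xfs-style fs;
    # without it the file is still unusable, just deletable, so only warn.
    if command -v chattr >/dev/null 2>&1; then
        chattr +i "$f" 2>/dev/null || printf 'warning: %s not immutable\n' "$f" >&2
    fi
    is_locked "$f"
}

# plant_all PATH...: plant each placeholder; prints how many ended up locked.
plant_all() {
    n=0
    for f in "$@"; do
        plant_placeholder "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Example run (as root): plant_all /tmp/.x /tmp/hacker.pl /var/tmp/.x
```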