Thread: who is writing to /tmp?
-
11-06-2006, 04:46 PM #1 (Junior Guru Wannabe)
who is writing to /tmp?
Hello,
Several times I noticed that /tmp was almost full. After checking, I saw files like these:
The.Fast.And.The.Furious.Tokyo.Drift.2006.iTALiAN.DVDRip.XviD-DiViN3.avi
Senza.Tregua.1993-XviD-ITALiAN-AC3.DVDRiP.DeLuXe.avi
It was simple to delete just two large files, but I want to know how they got there.
Regards,
Strahinja
-
11-06-2006, 05:20 PM #2 (Aspiring Evangelist)
They are likely being put there by a PHP or CGI script on your server. You can grep your Apache logs for the filenames in an effort to find the guilty script.
Jacob Turner -- Ringnebula Systems
Managed IT solutions for small business
-
11-06-2006, 07:11 PM #3 (Junior Guru Wannabe)
Thank you, ringnebula, for pointing me in the right direction. I found some examples on the web, and I'll do my best to find the bad boy.
Regards,
S.
-
11-06-2006, 07:14 PM #4 (Aspiring Evangelist)
Not a problem at all
-
11-07-2006, 06:31 PM #5 (Junior Guru Wannabe)
Well, I'm trying... some further assistance would be much appreciated.
Since I have a FreeBSD box, I presume something like this would be suitable:
grep '\.avi' httpd-access.log    # '\.avi' matches a literal ".avi"; grep takes a regex, not a shell glob like '*.avi'
If I can use a wildcard there, I get no error output from the command above, but actually I get no output at all.
-
11-07-2006, 06:53 PM #6 (Keep rockin' in the free world)
Without phpsuexec it will be very difficult to find out since no user is associated with the file upload. POST requests are not logged in Apache so you won't be able to find that file in the logs.
The only way you might be able to track it is by comparing log times with the file time stamp to try to determine the script called to upload the file close to the same time.
-
11-07-2006, 07:02 PM #7 (Junior Guru Wannabe)
Is there any way to prevent users from writing to the /tmp folder? This looks like a security issue.
If this helps, the movies are always in the same place:
/tmp/.home/.lib
-
11-07-2006, 07:06 PM #8 (Keep rockin' in the free world)
Well, you can limit the amount they can upload with php.ini. Taking away the ability to upload doesn't really fix much except break normal PHP functionality:
upload_max_filesize
-
11-07-2006, 08:09 PM #9 (Junior Guru Wannabe)
This isn't a complete solution, more of a kludge to slow the hackers down, but if the files are always going into a subdirectory of /tmp, you could change that directory's ownership and permissions. Something like:
chown root:root /tmp/.home
chmod 0 /tmp/.home
should prevent anyone from writing to the /tmp/.home directory. Assuming, of course, that you're running Apache as someone other than root.
Andrew
Spry VPS Hosting cPanel VPS, Plesk VPS, Webmin VPS, Shared, Domain Registration, Dedicated and Colo
VPSLink Cheap VPS accounts CentOS, Fedora 4/5/6, RHEL, Gentoo, Debian, Ubuntu -- Dapper/Edgy, Slackware, OpenSUSE, LAMP + Ruby pre-installed available
-
11-07-2006, 09:03 PM #10 (Keep rockin' in the free world)
That will work temporarily but is also not a complete solution, since they can just make a different folder, Andrew.
This may possibly be an IRC server storing files on your box in /tmp, or someone is using an existing PHP upload script.
Have you tried checking for odd-looking nobody processes?
ps aux | grep nobody
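The triage that posts #2, #6, #9 and #10 sketch, put together as an added example (this is not code from any poster). It greps the access log for the file name, then, because an upload through a PHP script never puts the uploaded file's name in the log, pulls every request logged in the same minute as the file's mtime and narrows it to POST/PUT requests and script hits; it also lists hidden directories under /tmp and the web user's processes. The combined log records the request line of a POST, not its body, so this finds the script that was hit, not the file. The access-log lines, the /gallery/upload.php script and the back-dated movie.avi in setup_demo are constructed for the demo; the real run takes your own httpd-access.log and the files you find under /tmp/.home/.lib.

```shell
#!/bin/sh
# Added example, not from the thread: tie a file that appeared under /tmp back
# to the Apache access log and the web server's processes.
LC_ALL=C; export LC_ALL          # keep %b as "Nov", matching Apache's month names

# Post #2: does the file name itself show up anywhere in the log?
filename_in_log() {              # $1 = access log, $2 = suspect file
    grep -F -- "$(basename "$2")" "$1" || true
}

# Post #6: every request logged in the same minute the file was written.
# "date -r FILE" prints the file's mtime (GNU date and FreeBSD 12+; older BSD
# date expects seconds, use "stat -f %Sm -t ..." there). The format mirrors the
# log's [07/Nov/2006:18:25:13 +0100] field down to the minute.
requests_near_mtime() {          # $1 = access log, $2 = suspect file
    stamp=$(date -r "$2" '+%d/%b/%Y:%H:%M')
    grep -F -- "[$stamp" "$1" || true
}

# Narrow that minute to requests that can create a file: POST/PUT, or any hit on
# a server-side script. The log never contains the POST body.
upload_candidates() {            # $1 = access log, $2 = suspect file
    requests_near_mtime "$1" "$2" | grep -E '"(POST|PUT) |\.(php|cgi|pl)[ ?]' || true
}

# Post #9: hidden directories under /tmp (the thread's /tmp/.home/.lib pattern),
# with owner and mtime so you can see who created them and when.
hidden_tmp_dirs() {              # $1 = directory to scan, default /tmp
    find "${1:-/tmp}" -type d -name '.*' -exec ls -ld {} \; 2>/dev/null
}

# Post #10: the web user's processes, without the grep matching itself or the
# word "nobody" in unrelated command lines.
web_user_processes() {           # $1 = web server user, default nobody
    ps -U "${1:-nobody}" -o pid,ppid,etime,command 2>/dev/null
}

# Constructed demo data: a throwaway /tmp look-alike plus an access log whose
# entries are invented for this example. The .avi is back-dated to 18:25:13.
setup_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/tmp/.home/.lib"
    : > "$work/tmp/.home/.lib/movie.avi"
    touch -t 200611071825.13 "$work/tmp/.home/.lib/movie.avi"
    cat > "$work/access.log" <<'EOF'
203.0.113.9 - - [07/Nov/2006:18:24:58 +0100] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
203.0.113.9 - - [07/Nov/2006:18:25:02 +0100] "GET /gallery/upload.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.9 - - [07/Nov/2006:18:25:11 +0100] "POST /gallery/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.4 - - [07/Nov/2006:18:25:40 +0100] "GET /images/logo.gif HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
198.51.100.4 - - [07/Nov/2006:18:31:07 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
    echo "$work"
}

demo_dir=$(setup_demo)
avi="$demo_dir/tmp/.home/.lib/movie.avi"
echo "== hidden dirs";      hidden_tmp_dirs "$demo_dir/tmp"
echo "== by file name";     filename_in_log "$demo_dir/access.log" "$avi"      # nothing: uploads don't log the name
echo "== same minute";      requests_near_mtime "$demo_dir/access.log" "$avi"
echo "== upload candidates"; upload_candidates "$demo_dir/access.log" "$avi"   # the POST to upload.php
rm -rf "$demo_dir"
```

On a live box, run it as `requests_near_mtime /var/log/httpd-access.log /tmp/.home/.lib/<file>` for each file you find, and check `web_user_processes nobody` for anything with a working directory or binary under /tmp. If the web server runs as another user (www, apache), pass that name instead.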
-
11-07-2006, 09:08 PM #11 (Junior Guru Wannabe)
Originally Posted by Ramprage
Would grepping for nobody work if the server is using suexec?
Andrew
-
11-07-2006, 09:23 PM #12 (Keep rockin' in the free world)
Not really, if they're using phpsuexec; well, it won't help much. But since the file is owned by nobody, I doubt they're using phpsuexec to begin with.
-
11-08-2006, 01:17 AM #13 (Web Hosting Master)
Yes, that's the advantage; I like running PHP as CGI.
It's a trade-off: if you want better performance, go with mod_php; if you want better security, such as limiting PHP to running only inside the virtualhost docroot, checking that the uid matches, etc., go with suexec.