  1. #1

    who is writing to /tmp?

    Hello,

    Several times I noticed that /tmp is almost full. After checking I saw files like this:

    The.Fast.And.The.Furious.Tokyo.Drift.2006.iTALiAN.DVDRip.XviD-DiViN3.avi
    Senza.Tregua.1993-XviD-ITALiAN-AC3.DVDRiP.DeLuXe.avi

    It was simple to delete only two large files, but I want to know how they got there?

    Regards,

    Strahinja

  2. #2
    Join Date: Jun 2003 | Location: Ukiah, California | Posts: 394
    They are likely being put there by a PHP or CGI script on your server. You can grep your Apache logs for the filenames in an effort to find the guilty script.
    Jacob Turner -- Ringnebula Systems
    Managed IT solutions for small business

  3. #3
    Thank you ringnebula for pointing me in the right direction. I found some examples on the web, and I'll do my best in the effort to find the bad boy.

    Regards,
    S.

  4. #4
    Join Date: Jun 2003 | Location: Ukiah, California | Posts: 394
    Not a problem at all
    Jacob Turner -- Ringnebula Systems
    Managed IT solutions for small business

  5. #5
    Well, I'm trying... some further assistance would be premium.
    Since I have a FreeBSD box, I presume something like this would be suitable:

    grep '*.avi' httpd-access.log

    If I can use a wildcard, I get no error output using the command above; actually I get no output at all.

  6. #6
    Join Date: May 2002 | Location: Kingston, Ontario | Posts: 1,588
    Without phpsuexec it will be very difficult to find out since no user is associated with the file upload. POST requests are not logged in Apache so you won't be able to find that file in the logs.

    The only way you might be able to track it is by comparing log times with the file time stamp to try to determine the script called to upload the file close to the same time.
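    The two approaches suggested so far (grepping the access log for the filename, and comparing log times with the file's timestamp) can be combined in a small script. The following is an added example written for this thread, not code posted by any participant; the access log lines are constructed, and the script path /gallery/upload.php is an invented placeholder. The access log records the request line and timestamp of each request, so even where the uploaded content itself is not logged, entries close to the file's mtime point at the script that received it, while a plain search for ".avi" in the request lines finds nothing, which matches what the grep attempt above saw.

```python
"""Correlate a suspicious file's modification time with Apache access log entries.

Added example for the thread above; not code from any poster. The log below is constructed.
"""
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log format: host ident authuser [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample access log (hosts, paths and times are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2006:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.9 - - [07/Nov/2006:19:04:50 +0000] "POST /gallery/upload.php HTTP/1.1" 200 312
10.0.0.9 - - [07/Nov/2006:19:05:40 +0000] "GET /gallery/upload.php?done=1 HTTP/1.1" 200 188
10.0.0.7 - - [07/Nov/2006:21:30:12 +0000] "GET /robots.txt HTTP/1.0" 404 209
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one access log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def file_mtime(path):
    """Modification time of the suspicious file as an aware UTC datetime (what 'ls -l' shows)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def entries_near(log_text, when, window=timedelta(minutes=5)):
    """All parseable entries whose timestamp lies within +/- window of 'when', oldest first."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and abs(entry["time"] - when) <= window:
            hits.append(entry)
    return sorted(hits, key=lambda e: e["time"])


def entries_mentioning(log_text, needle):
    """grep-style substring search over the request line (the filename rarely appears there)."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and needle in e["request"]]


def suspect_scripts(log_text, when, window=timedelta(minutes=5)):
    """Distinct (method, path) pairs requested inside the window; the query string is stripped."""
    seen = []
    for entry in entries_near(log_text, when, window):
        method, _, rest = entry["request"].partition(" ")
        path = rest.split(" ")[0].split("?")[0]
        if (method, path) not in seen:
            seen.append((method, path))
    return seen


if __name__ == "__main__":
    # In real use: when = file_mtime("/tmp/.home/.lib/<file>.avi") and log_text = open(...).read()
    when = datetime(2006, 11, 7, 19, 5, 12, tzinfo=timezone.utc)  # constructed mtime
    print("requests mentioning .avi:", len(entries_mentioning(SAMPLE_LOG, ".avi")))
    for method, path in suspect_scripts(SAMPLE_LOG, when):
        print("candidate:", method, path)
```

    Run it against the real log with `when = file_mtime(path)` and a window wide enough to cover the transfer of a file that size; a POST to a PHP or CGI script just before the mtime is the strongest lead.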

  7. #7
    Is there any chance to prevent users from writing to the /tmp folder? This looks like a security issue.

    If this can help, the movies are always in the same place:

    /tmp/.home/.lib
    Last edited by strahinjas; 11-07-2006 at 07:07 PM.
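    Since the files keep landing in the same hidden directory under /tmp, a periodic scan that reports hidden subdirectories, large files and files owned by the web server user catches the next drop early. This is an added example written for this thread, not code from any poster; the sample directory layout it builds is constructed to mirror the /tmp/.home/.lib path above, and the list of web server user names is an assumption to adjust for the box.

```python
"""Audit a tmp directory for hidden subdirectories and large files left behind by the web server.

Added example for the thread above; not code from any poster.
"""
import os
import pwd
import stat
import tempfile


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number for deleted accounts."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_tmp(root, min_size=50 * 1024 * 1024,
              web_users=("nobody", "www", "apache", "www-data")):
    """Walk 'root' and report regular files that are hidden, large, or owned by the web user.

    web_users is an assumed list of common web server accounts; adjust for the host.
    Returns a list of dicts, largest file first, each with the reasons it was flagged.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks planted in /tmp
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            reasons = []
            if any(part.startswith(".") for part in rel.split(os.sep)):
                reasons.append("hidden path")
            if st.st_size >= min_size:
                reasons.append("large file")
            owner = owner_name(st.st_uid)
            if owner in web_users:
                reasons.append("owned by web server user")
            if reasons:
                findings.append({"path": rel, "size": st.st_size, "owner": owner,
                                 "mtime": st.st_mtime, "reasons": reasons})
    findings.sort(key=lambda f: f["size"], reverse=True)
    return findings


def build_sample_tree():
    """Constructed layout mirroring the thread: <root>/.home/.lib/movie.avi plus a harmless session file."""
    root = tempfile.mkdtemp(prefix="tmp_audit_")
    lib = os.path.join(root, ".home", ".lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "movie.avi"), "wb") as fh:
        fh.write(b"\0" * 4096)          # stands in for a multi-hundred-MB video
    with open(os.path.join(root, "sess_abc123"), "wb") as fh:
        fh.write(b'a|s:1:"x";')          # typical small PHP session file
    return root


if __name__ == "__main__":
    # Real use: audit_tmp("/tmp") with the default 50 MB threshold, e.g. from cron.
    sample = build_sample_tree()
    for hit in audit_tmp(sample, min_size=1024):
        print(hit["path"], hit["size"], hit["owner"], ", ".join(hit["reasons"]))
```

    Run from cron against /tmp and compare the reported mtimes with the access log; the "owned by web server user" reason is what ties a drop back to the web server rather than to a shell user.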

  8. #8
    Join Date: May 2002 | Location: Kingston, Ontario | Posts: 1,588
    Well you can limit the amount they can upload with php.ini. Taking away the ability to upload doesn't really fix much except break normal PHP functionality.

    upload_max_filesize

  9. #9
    Join Date: Oct 2006 | Posts: 44
    This isn't a complete solution, more of a kludge to slow the hackers down, but if the files are always going into a subdirectory of /tmp, you could change that directory's ownership and permissions. Something like
    chown root:root /tmp/.home
    chmod 0 /tmp/.home

    should prevent anyone from writing to the /tmp/.home directory. Assuming of course that you're running Apache as someone other than root.
    Andrew
    Spry VPS Hosting cPanel VPS, Plesk VPS, Webmin VPS, Shared, Domain Registration, Dedicated and Colo
    VPSLink Cheap VPS accounts CentOS, Fedora 4/5/6, RHEL, Gentoo, Debian, Ubuntu -- Dapper/Edgy, Slackware, OpenSUSE, LAMP + Ruby pre-installed available

  10. #10
    Join Date: May 2002 | Location: Kingston, Ontario | Posts: 1,588
    That will work temporarily and is also not a complete solution since they can just make a different folder, Andrew.

    This may possibly be an IRC server storing files on your box in /tmp, or someone is using an existing PHP upload script.

    Have you tried checking for odd looking nobody processes?

    ps aux |grep nobody

  11. #11
    Join Date: Oct 2006 | Posts: 44
    Quote Originally Posted by Ramprage
    That will work temporarily and is also not a complete solution since they can just make a different folder, Andrew.

    This may possibly be an IRC server storing files on your box in /tmp, or someone is using an existing PHP upload script.

    Have you tried checking for odd looking nobody processes?

    ps aux |grep nobody
    Like I said, it's only a stopgap to slow them down, not a real solution. Buy time while figuring out how to close the hole.

    Would grep nobody work if the server is using suexec?
    Andrew
    Spry VPS Hosting cPanel VPS, Plesk VPS, Webmin VPS, Shared, Domain Registration, Dedicated and Colo
    VPSLink Cheap VPS accounts CentOS, Fedora 4/5/6, RHEL, Gentoo, Debian, Ubuntu -- Dapper/Edgy, Slackware, OpenSUSE, LAMP + Ruby pre-installed available

  12. #12
    Join Date: May 2002 | Location: Kingston, Ontario | Posts: 1,588
    Not really if they're using phpsuexec, or, well, it won't help much. But since the file is owned by nobody I doubt they're using phpsuexec to begin with.

  13. #13
    Join Date: May 2001 | Location: HK | Posts: 3,082
    Yes, that's the advantage I like of running PHP as CGI.

    It's a trade-off: if you want better performance, go with mod_php; if you want better security, such as limiting PHP to only run inside the virtualhost docroot, checking that the uid matches, etc etc, go with suexec.
