On 2011-08-01 16:13, Nick Kew wrote:
> On Mon, 1 Aug 2011 12:39:44 +0100 Tom Evans <tevans.uk@xxxxxxxxxxxxxx> wrote:
>> On Mon, Aug 1, 2011 at 12:27 PM, vishesh kumar <linuxtovishesh@xxxxxxxxx> wrote:
>>> Hi Members,
>>> I am getting ?????? ??????? ????.doc and ?????? ??????? ????.xls files in the /tmp partition. The owner of all these files is www. I am running Apache on CentOS. Does it indicate any security breach?
>>> Vishesh Kumar
>>
>> Are those question marks just how something gets rendered in email?
>> Not necessarily. Do you run any apps on the server by www, including PHP? Do they write out temporary files in /tmp before serving them?
>
> "Not necessarily" is a long way from a clear No! If there's an application that legitimately creates files in /tmp, the sysop should know about it!
>
>> I can't think what sort of security breach would be achieved by placing a few www owned files in /tmp.
>
> A file that might hope to be executed, or fed into something? Uploading is likely just an early stage of a break-in.
It's the stage immediately preceding it, in fact. This happens mostly with leaky PHP scripts that allow system() calls; I've seen some where a minimal script is uploaded and executed (as the apache user, obviously); this script then wgets the trojan payload and starts a dozen network daemons on high ports.
Yes, the sysadmin needs to know about this - and kick the offending PHP script out the door ASAP.
-- 
J.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
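As an added example (not from the thread) of the first check a sysadmin would run after a report like this: list the files in /tmp owned by the web-server account and flag any that carry an executable bit or start with a shebang, which is what a dropped script looks like next to a genuine office document. The function names are mine; it assumes `find -maxdepth` and `head -c` are available (GNU or BSD userland).

```shell
#!/bin/sh
# Added example, not code from the thread. Audit a directory (default /tmp)
# for files owned by the web-server account and tag the ones that are
# meant to be run. Legitimate apps may leave .doc/.xls temp files behind;
# executables or shebang scripts owned by www are what to look at first.

# audit_www_tmp OWNER [DIR]
# Prints "EXEC<tab>path" or "DATA<tab>path" for every regular file in DIR
# (non-recursive) owned by OWNER. Names are printed as-is, so the odd
# "??????" names from the report come through unchanged.
audit_www_tmp() {
    owner="$1"
    dir="${2:-/tmp}"
    find "$dir" -maxdepth 1 -type f -user "$owner" -print 2>/dev/null | sort |
    while IFS= read -r f; do
        tag=DATA
        # An executable bit or a "#!" first line both mean "intended to run".
        if [ -x "$f" ]; then
            tag=EXEC
        elif head -c 2 "$f" 2>/dev/null | grep -q '^#!'; then
            tag=EXEC
        fi
        printf '%s\t%s\n' "$tag" "$f"
    done
}

# suspicious_count OWNER [DIR]
# Prints the number of EXEC-tagged files; 0 means nothing looked like a
# dropped script (the "|| true" keeps grep's no-match status from failing
# callers that run under set -e).
suspicious_count() {
    audit_www_tmp "$1" "$2" | grep -c '^EXEC' || true
}

# Typical use on the box from the report:
#   suspicious_count www /tmp
#   audit_www_tmp www /tmp | grep '^EXEC'
```

Anything tagged EXEC should be preserved (copied with ownership and timestamps intact) before removal, since it is the evidence that points back at the leaky script that dropped it.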