Re: ?????? ??????? ?? files in /tmp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2011-08-01 16:13, Nick Kew wrote:
On Mon, 1 Aug 2011 12:39:44 +0100
Tom Evans<tevans.uk@xxxxxxxxxxxxxx>  wrote:

On Mon, Aug 1, 2011 at 12:27 PM, vishesh kumar<linuxtovishesh@xxxxxxxxx>  wrote:
Hi Members

I am getting ?????? ??????? ????.doc and ?????? ??????? ????.xls files in
/tmp parition. The owner of all these files are www . I am running apache on
centos . Does it indicate any security breach ?

Vishesh Kumar
Are those questionmarks just how something gets rendered in email?

Not necessarily. Do you run any apps on the server by www, including
PHP? Do they write out temporary files in /tmp before serving them?
"Not necessarily" is a long way from a clear No!  If there's an application
that legitimately creates files in /tmp, the sysop should know about it!

I can't think what sort of security breach would be achieved by
placing a few www owned files in /tmp.
A file that might hope to be executed, or fed into something?
Uploading is likely just an early stage of a breakin.


It's the stage immediately preceding it, in fact.

This happens mostly with leaky PHP scripts that allow system() calls; I've seen some where a minimal script is uploaded and executed (as the apache user, obviously); this script then wgets the trojan payload and starts a dozen network daemons on high ports.

Yes, the sysadmin needs to know about this - and kick the offending PHP script out the door ASAP.


--
J.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux