Re: ?????? ??????? ?? files in /tmp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Aug 1, 2011 at 3:13 PM, Nick Kew <nick@xxxxxxxxxxxx> wrote:
> On Mon, 1 Aug 2011 12:39:44 +0100
> Tom Evans <tevans.uk@xxxxxxxxxxxxxx> wrote:
>
>> On Mon, Aug 1, 2011 at 12:27 PM, vishesh kumar <linuxtovishesh@xxxxxxxxx> wrote:
>> > Hi Members
>> >
>> > I am getting ?????? ??????? ????.doc and ?????? ??????? ????.xls files in
>> > /tmp parition. The owner of all these files are www . I am running apache on
>> > centos . Does it indicate any security breach ?
>> >
>> > Vishesh Kumar
>
> Are those questionmarks just how something gets rendered in email?
>
>> Not necessarily. Do you run any apps on the server by www, including
>> PHP? Do they write out temporary files in /tmp before serving them?
>
> "Not necessarily" is a long way from a clear No!  If there's an application
> that legitimately creates files in /tmp, the sysop should know about it!

Which is why I didn't say "No!". All those files mean is that some www
process wrote them there - they don't fluff into existence. Whether
that is a problem or whether it is expected behaviour for that
particular server is only something the people running the application
can determine.

Hence 'Not necessarily'. It was an invitation for the OP to do some
investigation himself. It could be a hack attempt, it could even be
the first precursors of the 4th coming of Satan, but neither you nor I
can determine any of that.

I also don't know any attacks that start by uploading Excel files to a
*nix server. Hardly likely to sprout into a 'trojan payload' or start
some network daemons, unless ld has started being extremely clever.

It is far more likely that this application produces reports in both
Excel and Word formats. Creating BIFF files like Excel often requires
a file interface to write into, so I could easily see a PHP app
misbehaving and leaving temporary files in /tmp. It still requires the
OP to work out what his server should be doing, and whether this is
within the remit of it.

Cheers

Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux