Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

On Tuesday 27 September 2005 16:46, System Administrator wrote:

> I'm no expert on security, but it seems odd to me that a remote user
> could use apache to write to my /tmp directory and then execute the
> script.  Any idea how this happened?

Almost certainly through some server extension, such as a CGI or PHP script.

There are two parts: one is writing to /tmp, the other is executing it.
To prevent writing to /tmp may be feasible, but is likely to cripple other
applications.  Running in a chroot jail might just work.  You can and should
prevent apache writing anywhere else in your filesystem using standard
file protections.  Some legitimate applications may require write access,
for which see below.

To prevent execution, you should mount /tmp, and any other directories
with write access for Apache, as noexec.  This again is a filesystem property.

Now go and read Lincoln Stein's WWW security FAQ, followed by Ivan Ristic's
book if the FAQ doesn't satisfy you, or if your situation is complex (e.g. if
you allow third-party CGI or PHP scripts, or *any* PHP not in "safe mode").

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
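
A way to check the noexec advice in the message above, as an added example that is not part of the original post: for each directory it finds the containing mount in a /proc/mounts-format table and reports whether that mount carries noexec. The function names, the directory names and the sample table are constructed for illustration; substitute the directories your Apache user can actually write to.

```shell
#!/bin/sh
# Added example: check that directories the Apache user can write to are on noexec mounts.
# Table format is that of /proc/mounts: device mountpoint fstype options dump pass.
# Assumption: paths contain no whitespace (/proc/mounts escapes a space as \040).

# Constructed sample table (not from the original post): only /tmp is mounted noexec.
sample_mounts() {
cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw,nosuid 0 0
EOF
}

# mount_opts_for DIR [TABLE]: print the options of the mount that contains DIR.
# The longest matching mount point wins; on a tie the later line wins (overmount).
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            # Match on whole path components so /tmp does not claim /tmpfoo.
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END { if (best > 0) print opts }
    ' "${2:-/proc/mounts}"
}

# is_noexec DIR [TABLE]: succeed only if the containing mount has the noexec option.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_dirs TABLE DIR...: one line per directory; returns 1 if any allows execution.
audit_dirs() {
    table=$1; shift; rc=0
    for d in "$@"; do
        if is_noexec "$d" "$table"; then echo "OK    $d (noexec)"
        else echo "EXEC  $d (not on a noexec mount)"; rc=1; fi
    done
    return $rc
}

# Demo on the constructed table; pass /proc/mounts instead to audit the live system.
demo=$(mktemp) && sample_mounts > "$demo"
audit_dirs "$demo" /tmp /var/tmp /var/www/uploads || echo "remount the EXEC entries noexec"
rm -f "$demo"
```

On the sample table, /var/tmp is reported as EXEC because it lives on the /var mount rather than the noexec /tmp mount, which is the "any other directories with write access" case from the message.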