Re: Deleting contents of /tmp on shutdown




On Sun, Dec 13, 2009 at 3:10 AM, Thomas Dukes <tdukes@xxxxxxxxx> wrote:
>> > Today, I found upd.pl in my tmp directory.  The date was oct 09.  I
>> > also found my /etc/passwd and /etc/shadow had been changed with a user
>> > of 0Profile added.  I deleted the old files and restored those from
>> > backup.  I ran my chkrootkit and installed mod_security.  SSH is not
>> > running so I don't know how this happened.
>>
>> Perhaps your system is not as simple as you think it is.  ;-/
>>
>> --keith
>
>
> Thanks, Keith!
>
> Guess I'd better brush up on my vi commands in case I have to boot from a
> rescue disk. :-)

All you need is [Esc]q! :)

>
> Just guessing here, but to do this, I need to add:
>
> tmpfs /tmp tmpfs size=100M,mode=0755 0 0
> to my /etc/fstab and cross my fingers?

I would make it a little bigger than 100M, depending on how much memory
you have. And the mode should be the same as /tmp would normally be =>
mode=777 :)

If you have been hacked, like it seems you have, you should first find
out how the guy got in. Do you have a webserver running? Firewall
enabled? Then just to be safe I would always reinstall as you never
know what he might have done.

Then you can modify the tmp in fstab

Cheers Didi

-- 

My www page: www.ribalba.de
Email / Jabber: ribalba@xxxxxxxxx
Skype : ribalba
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
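
An added example, not part of the original thread: a small shell check for an fstab line that mounts tmpfs on /tmp, run against the line proposed above and a constructed hardened variant. The helper name `audit_tmp_entry` and the `size=512M` sample are assumptions; the check relies on 1777 (world-writable plus sticky bit) being the conventional mode for /tmp and the default tmpfs applies when no `mode=` is given.

```shell
#!/bin/sh
# Added example: audit one fstab line that mounts tmpfs on /tmp.
# Prints one finding per line, or "ok" when nothing is flagged.
# audit_tmp_entry is a hypothetical helper name, not an existing tool.
audit_tmp_entry() {
    mode="" nosuid=0 nodev=0 flagged=0
    # fstab fields: device, mount point, fs type, options, dump, pass
    read -r dev mnt fstype opts rest <<EOF
$1
EOF
    if [ "$mnt" != "/tmp" ] || [ "$fstype" != "tmpfs" ]; then
        echo "not a tmpfs entry for /tmp"
        return 0
    fi
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            mode=*) mode=${o#mode=} ;;
            nosuid) nosuid=1 ;;
            nodev)  nodev=1 ;;
        esac
    done
    IFS=$old_ifs
    case $mode in
        "") ;;   # no mode= option: tmpfs itself defaults to 1777
        *[!0-7]*) echo "mode=$mode: not an octal number"; flagged=1 ;;
        *)
            m=$((0$mode))   # leading 0 makes the shell parse it as octal
            if [ $((m & 0002)) -eq 0 ]; then
                echo "mode=$mode: not world-writable, unprivileged programs cannot create temp files"
                flagged=1
            elif [ $((m & 01000)) -eq 0 ]; then
                echo "mode=$mode: sticky bit missing, users can remove each other's files (use 1777)"
                flagged=1
            fi ;;
    esac
    [ "$nosuid" -eq 1 ] || { echo "nosuid missing: setuid files under /tmp would be honoured"; flagged=1; }
    [ "$nodev" -eq 1 ] || { echo "nodev missing: device nodes under /tmp would be usable"; flagged=1; }
    [ "$flagged" -eq 1 ] || echo "ok"
    return 0
}

# The line proposed in the thread, then a constructed hardened variant.
audit_tmp_entry "tmpfs /tmp tmpfs size=100M,mode=0755 0 0"
audit_tmp_entry "tmpfs /tmp tmpfs size=512M,mode=1777,nosuid,nodev 0 0"
```

After editing /etc/fstab and remounting, `stat -c '%a' /tmp` and `findmnt /tmp` show the mode and options actually in effect.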

