Re: Deleting contents of /tmp on shutdown




Owned by apache in tmp?

Sounds like an insecure web app or injection attack.

2009/12/13 Thomas Dukes <tdukes@xxxxxxxxx>


> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of Geerd-Dietger Hoffmann
> Sent: Saturday, December 12, 2009 10:18 PM
> To: CentOS mailing list
> Subject: Re: Deleting contents of /tmp on shutdown
>
> On Sun, Dec 13, 2009 at 3:10 AM, Thomas Dukes
> <tdukes@xxxxxxxxx> wrote:
> >> > Today, I found upd.pl in my tmp directory.  The date was oct 09.  I
> >> > also found my /etc/passwd and /etc/shadow had been changed with a user
> >> > of 0Profile added.  I deleted the old files and restored those from
> >> > backup.  I ran my chkrootkit and installed mod_security.  SSH is not
> >> > running so I don't know how this happened.
> >>
> >> Perhaps your system is not as simple as you think it is.  ;-/
> >>
> >> --keith
> >
> >
> > Thanks, Keith!
> >
> > Guess I'd better brush up on my vi commands in case I have to boot
> > from a rescue disk. :-)
>
> All you need is [Esc]q! :)
>
> >
> > Just guessing here, but to do this, I need to add:
> >
> > tmpfs /tmp tmpfs size=100M,mode=0755 0 0
> >
> > to my /etc/fstab and cross my fingers?
>
> I would make it a little bigger than 100M depending on how much
> memory you have. And the mode should be the same as /tmp
> would normally be => mode=777 :)

I have 1GB of RAM.  What would be a good size?

>
> If you have been hacked, like it seems you have, you should
> first find out how the guy got in. Do you have a webserver
> running? Firewall enabled? Then just to be safe I would
> always reinstall as you never know what he might have done.

The udp.pl file was owned by apache.  Not sure that would matter.  I have no
clue as to how it got there.  The date on the file was oct 09 and those
logs have already been rotated out.

>
> Then you can modify the tmp in fstab
>
> Cheers Didi

Running a full backup now.  When complete, I will make the changes to fstab.

Thanks!!

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
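
The symptoms reported in this thread (an added account in /etc/passwd and a script in /tmp owned by apache) can be checked with a few shell helpers. This is an added example, not code from any poster in the thread; the function names are hypothetical and the paths in the usage comment are placeholders for the reader's own files.

```shell
#!/bin/sh
# Added example: triage helpers for the symptoms described in the thread.
# Function names are hypothetical; pass in your own file and directory paths.

# Print account names that exist in the current passwd file but not in a
# known-good backup copy (for instance, the copy restored from backup).
new_accounts() {
    current=$1
    backup=$2
    # First file (backup) fills the "known" set; second file is compared to it.
    awk -F: '
        FILENAME == ARGV[1] { known[$1] = 1; next }
        $1 != "" && !($1 in known) { print $1 }
    ' "$backup" "$current"
}

# Print accounts other than root that carry UID 0 (full root privileges).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print regular files under a directory that are owned by the given user
# (name or numeric UID), staying on that one filesystem. Files owned by the
# web server account in /tmp were written by a process running as that user.
files_owned_by() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null
}

# Typical use on the affected host (placeholder backup path):
#   new_accounts /etc/passwd /path/to/backup/passwd
#   uid0_accounts /etc/passwd
#   files_owned_by /tmp apache
```

Run the comparison before overwriting the modified files with the backup, so the unexpected entries are recorded for the investigation.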
