Re: deleted perl hacks in /tmp

On Fri, Apr 16, 2010 at 02:28:09AM -0700, terry white wrote:
> ... ciao:
> 
> : on "4-15-2010" "Chris" writ:
> : web servers which occasionally have hacks that are uploaded 
> : know more about them to actually prevent them from happening.
> : Any thoughts would be appreciated!
>  
>     from my reading, this is a security nightmare.  and I am hard 
> pressed to find a time when "what's" been uploaded is more important than 
> the fact "that it was".
>  
>     without a meaningful translation of "web server hacks" is a real 
> limiting factor in problem resolution.  however, your logs are your 
> friend; access, error, and referrer.
>  
>     securityfocus recently disclosed a problem with apache and wordpress.
>  
>     a specific description of the environment would be a big help ...

These are large shared servers serving a lot of stuff.  I could only wish that
I had control over how up to date all the web apps were!

Anyway, in this case, finding what is being uploaded is fairly important since
I don't have the luxury of having control over everything.  I don't have a
problem with nuking the processes once started, but I would really like to
prevent them from ever making it to disk and running to begin with.  In order to do
that, I need a pretty good idea of what the hack looks like.  Not only that,
pure curiosity plays a large role too.

My question was not so much about web security (I would pick a different
mailing list for that), as much as it was about whether anyone had experience
or trickery to recover/trap file contents that someone is working really hard
to hide.  Perl obviously read the file to run the script (anyone can run perl,
so any flags on the /tmp mount are pointless in this case, as perl can read
/tmp all it wants).  Like I said before, reading the open file from proc yields
nothing.

I guess I might have to bite the bullet and set up a huge space to log a
gazillion POSTs until I can find what it is.
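An added example, not code from this thread, of the /proc-based recovery the poster is describing: walk /proc, find any process still holding a descriptor on a file that was unlinked from /tmp (the kernel marks such links with a " (deleted)" suffix), record the process's argv, and copy the content out through the /proc/<pid>/fd/<n> entry while the descriptor is still open. The proc root and watched directory are parameters so the scan can be exercised against a constructed fake tree; the snapshot file name is an assumption of this example.

```python
#!/usr/bin/env python3
"""Snapshot deleted-but-still-open files under a watched directory via /proc.

Added example (not from the mailing-list thread). Assumes the Linux /proc
layout: /proc/<pid>/cmdline (NUL-separated argv) and /proc/<pid>/fd/<n>
(symlinks whose target gains a " (deleted)" suffix once the file is unlinked).
"""
import os
import shutil

DELETED_SUFFIX = " (deleted)"


def find_deleted_open_files(proc_root="/proc", watch_dir="/tmp"):
    """Return (pid, fd, original_path, argv) for every open descriptor whose
    target was unlinked from watch_dir.  Processes that exit mid-scan, or
    whose fd table we may not read, are skipped rather than aborting the scan."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                argv = [a.decode(errors="replace")
                        for a in f.read().split(b"\0") if a]
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue                 # fd closed between listdir and readlink
            if target.endswith(DELETED_SUFFIX):
                original = target[: -len(DELETED_SUFFIX)]
                if original.startswith(watch_dir + os.sep):
                    hits.append((int(entry), int(fd), original, argv))
    return hits


def snapshot(proc_root, pid, fd, dest_dir):
    """Copy a still-open (deleted) file out through its /proc fd entry.
    Returns the destination path, or None if the process or fd is gone.
    Destination naming (pid<pid>-fd<fd>.recovered) is this example's choice."""
    src = os.path.join(proc_root, str(pid), "fd", str(fd))
    dest = os.path.join(dest_dir, f"pid{pid}-fd{fd}.recovered")
    try:
        with open(src, "rb") as s, open(dest, "wb") as d:
            shutil.copyfileobj(s, d)
    except OSError:
        return None
    return dest


if __name__ == "__main__":
    # Run as root on a live box: evidence lands in the current directory.
    for pid, fd, path, argv in find_deleted_open_files():
        out = snapshot("/proc", pid, fd, ".")
        print(f"pid {pid} argv={argv!r} held deleted {path} -> {out}")
```

This only works while a descriptor is still open; an interpreter that reads its script, closes it and then unlinks it (which matches the "reading the open file from proc yields nothing" observation) leaves nothing in the fd table, and the remaining on-host options are the process image itself or capturing the upload before it is written, as the poster's POST-logging plan does.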