On 16 April 2010 17:45, Chris <chris@xxxxxxxxxx> wrote:
> On Fri, Apr 16, 2010 at 02:28:09AM -0700, terry white wrote:
>> ... ciao:
>>
>> : on "4-15-2010" "Chris" writ:
>> : web servers which occasionally have hacks that are uploaded
>> : know more about them to actually prevent them from happening.
>> : Any thoughts would be appreciated!
>>
>> from my reading, this is a security nightmare. and I am hard
>> pressed to find a time when "what's" been uploaded is more important than
>> the fact "that it was".
>>
>> the lack of a meaningful translation of "web server hacks" is a real
>> limiting factor in problem resolution. however, your logs are your
>> friend; access, error, and referrer.
>>
>> securityfocus recently disclosed a problem with apache and wordpress.
>>
>> a specific description of the environment would be a big help ...
>
> These are large shared servers serving a lot of stuff. I could only wish that
> I had control over how up to date all the web apps were!
>
> Anyway, in this case, finding what is being uploaded is fairly important since
> I don't have the luxury of having control over everything. I don't have a
> problem with nuking the processes once started, but I would really like to
> prevent them from ever making it to disk and running to begin with. In order to do
> that, I need a pretty good idea of what the hack looks like. Not only that,
> pure curiosity plays a large role too.
>
> My question was not so much about web security (I would pick a different
> mailing list for that), as much as it was about whether anyone had experience
> or trickery to recover/trap file contents that someone is working really hard
> to hide. Perl obviously read the file to run the script (anyone can run perl,
> so any flags on the /tmp mount are pointless in this case, as perl can read
> /tmp all it wants). Like I said before, reading the open file from proc yields
> nothing.
>
> I guess I might have to bite the bullet and set up a huge space to log a
> gazillion POSTs until I can find what it is.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

Is changing the filesystem type an option? You could temporarily create a new
non-extn filesystem on a free partition and mount it on /tmp. In that case, you
could set the undeletable attribute on /tmp ("chattr +U /tmp"). It will be
inherited by any file created there. Problem is that extn doesn't honour the
attribute, though you could patch it if you prefer (cf.
http://lwn.net/Articles/211193/).

Kind regards,
Herta

--
"Life on Earth may be expensive, but it comes with a free ride around the Sun."
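The /proc trick Chris mentions, as an added example that is not part of the thread and not code from any of its participants: a dropped script that has been unlinked from /tmp can still be read back through /proc/<pid>/fd/<n> as long as some process holds it open, and the same lookup finds nothing once the reader has closed it, which is what happens after perl parses a script. The example assumes Linux with /proc mounted, uses a background `sleep` as a stand-in for the uploaded tool, and writes a constructed, harmless two-line script as the "hack".

```shell
#!/bin/sh
# Added example, not from the thread: read a deleted /tmp script back out of
# /proc/<pid>/fd while a process still holds it open, and show that the same
# lookup yields nothing once the reader has closed it (the perl case).
# Assumes Linux with /proc mounted. The script content below is constructed.

# Print what fd N of process PID refers to, even after the file was unlinked:
# /proc/PID/fd/N resolves to the open inode, not to the vanished name.
# Returns 1 if that fd does not exist (already closed, or wrong pid).
recover_open_fd() {
    [ -e "/proc/$1/fd/$2" ] || return 1
    cat "/proc/$1/fd/$2"
}

# List every fd of PID whose target has been unlinked, the check an admin runs
# by hand: the kernel appends " (deleted)" to the link target.
list_deleted_fds() {
    ls -l "/proc/$1/fd" 2>/dev/null | grep ' (deleted)$' || true
}

# Start a background process standing in for the uploaded tool.
#   $1 = path of the dropped script
#   $2 = "hold"  : keep the script open on fd 3 while running (a daemon that
#                  never closed its handle)
#        "close" : read the script once and close it, the way perl does when
#                  it parses a script before running it
# Prints the holder's pid. stdout is sent to /dev/null so the command
# substitution in demo_recovery does not wait for the holder to finish.
start_holder() {
    case "$2" in
        hold)  sh -c 'exec sleep 30 3<"$1"' sh "$1" >/dev/null 2>&1 & ;;
        close) sh -c 'cat "$1" >/dev/null; exec sleep 30' sh "$1" >/dev/null 2>&1 & ;;
        *)     echo "start_holder: mode must be hold or close" >&2; return 2 ;;
    esac
    echo $!
}

# Whole scenario: drop a script, start the holder, unlink the script (what a
# dropper does to hide it), then try to recover it through /proc.
# Prints the recovered content; returns 1 if nothing could be recovered.
demo_recovery() {
    mode="${1:-hold}"
    work=$(mktemp -d) || return 2
    script="$work/dropped.pl"
    # Constructed stand-in for the uploaded script (harmless).
    printf '%s\n' '#!/usr/bin/perl' 'print "uploaded\n";' > "$script"

    holder=$(start_holder "$script" "$mode") || { rm -rf "$work"; return 2; }
    sleep 1                     # let the holder open (or read and close) it
    rm -f "$script"             # the name is gone; the inode may not be

    list_deleted_fds "$holder" >&2          # shows "3 -> .../dropped.pl (deleted)" in hold mode
    out=$(recover_open_fd "$holder" 3 || true)
    kill "$holder" 2>/dev/null
    rm -rf "$work"

    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Stand-alone usage:  sh recover.sh hold   (prints the script)
#                     sh recover.sh close  (prints nothing, exit status 1)
if [ $# -gt 0 ]; then
    demo_recovery "$1"
fi
```

The "hold" run is the situation where the trick works: the uploaded process is still running with the script (or a library, or its own binary) open, and `ls -l /proc/<pid>/fd` marks the entry `(deleted)`. The "close" run reproduces what Chris saw: perl reads and closes the script before the body executes, so by the time the process is noticed there is no descriptor left to read, and recovery has to happen earlier, at creation time on the filesystem, which is what Herta's undeletable-attribute suggestion is aimed at.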