httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeroen Geilman <>
Subject Re: [users@httpd] ?????? ??????? ?? files in /tmp
Date Mon, 01 Aug 2011 16:45:21 GMT
On 2011-08-01 16:13, Nick Kew wrote:
> On Mon, 1 Aug 2011 12:39:44 +0100
> Tom Evans<>  wrote:
>> On Mon, Aug 1, 2011 at 12:27 PM, vishesh kumar<>  wrote:
>>> Hi Members
>>> I am getting ?????? ??????? ????.doc and ?????? ??????? ????.xls files in
>>> /tmp parition. The owner of all these files are www . I am running apache on
>>> centos . Does it indicate any security breach ?
>>> Vishesh Kumar
> Are those questionmarks just how something gets rendered in email?
>> Not necessarily. Do you run any apps on the server by www, including
>> PHP? Do they write out temporary files in /tmp before serving them?
> "Not necessarily" is a long way from a clear No!  If there's an application
> that legitimately creates files in /tmp, the sysop should know about it!
>> I can't think what sort of security breach would be achieved by
>> placing a few www owned files in /tmp.
> A file that might hope to be executed, or fed into something?
> Uploading is likely just an early stage of a breakin.

It's the stage immediately preceding it, in fact.

This happens mostly with leaky PHP scripts that allow system() calls; 
I've seen some where a minimal script is uploaded and executed (as the 
apache user, obviously); this script then wgets the trojan payload and 
starts a dozen network daemons on high ports.

Yes, the sysadmin needs to know about this - and kick the offending PHP 
script out the door ASAP.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message