httpd-users mailing list archives

From Jeroen Geilman <jer...@adaptr.nl>
Subject Re: [users@httpd] ?????? ??????? ?? files in /tmp
Date Mon, 01 Aug 2011 16:45:21 GMT
On 2011-08-01 16:13, Nick Kew wrote:
> On Mon, 1 Aug 2011 12:39:44 +0100
> Tom Evans<tevans.uk@googlemail.com>  wrote:
>
>> On Mon, Aug 1, 2011 at 12:27 PM, vishesh kumar<linuxtovishesh@gmail.com>  wrote:
>>> Hi Members
>>>
>>> I am getting ?????? ??????? ????.doc and ?????? ??????? ????.xls files in
>>> /tmp partition. The owner of all these files is www. I am running apache on
>>> centos. Does it indicate any security breach?
>>>
>>> Vishesh Kumar
> Are those question marks just how something gets rendered in email?
>
>> Not necessarily. Do you run any apps on the server by www, including
>> PHP? Do they write out temporary files in /tmp before serving them?
> "Not necessarily" is a long way from a clear No!  If there's an application
> that legitimately creates files in /tmp, the sysop should know about it!
>
>> I can't think what sort of security breach would be achieved by
>> placing a few www owned files in /tmp.
> A file that might hope to be executed, or fed into something?
> Uploading is likely just an early stage of a break-in.
>

It's the stage immediately preceding it, in fact.

This happens mostly with leaky PHP scripts that allow system() calls; 
I've seen some where a minimal script is uploaded and executed (as the 
apache user, obviously); this script then wgets the trojan payload and 
starts a dozen network daemons on high ports.

Yes, the sysadmin needs to know about this - and kick the offending PHP 
script out the door ASAP.


-- 
J.
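
A way to triage the situation discussed in this thread, added here as an example and not part of any poster's message: list the files under a temp directory owned by the web server account and classify each by its content instead of its extension. The defaults `/tmp` and `www` come from the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage files under a temp directory owned by the web account.
# Assumed defaults come from the thread: directory /tmp, owner "www".

# list_web_owned DIR USER: regular files under DIR owned by USER (name or uid).
list_web_owned() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null
}

# classify FILE: print one word saying what the file really is, whatever its
# extension claims (.doc/.xls names prove nothing about the content).
classify() {
    first=$(head -c 64 "$1" 2>/dev/null | tr -d '\000')
    case $first in
        '#!'*)     echo script; return ;;
        *'<?php'*) echo php; return ;;
    esac
    # ELF binaries start with the bytes 7f 45 4c 46.
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = 7f454c46 ]; then echo elf; return; fi
    if [ -x "$1" ]; then echo executable; return; fi
    echo data
}

# triage DIR USER: one "class<TAB>path" line per file owned by USER.
# Paths containing a newline are split across lines; everything else,
# including non-ASCII names, passes through unchanged.
triage() {
    list_web_owned "$1" "$2" | while IFS= read -r path; do
        printf '%s\t%s\n' "$(classify "$path")" "$path"
    done
}

# Run only when given arguments, e.g.:  sh triage.sh /tmp www
if [ "$#" -ge 1 ]; then
    triage "$1" "${2:-www}"
fi
```

Files classed as `script`, `php`, `elf` or `executable` are the ones to read and preserve before cleaning up; `data` files may still be legitimate application temp files or uploads waiting to be used.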

