On Saturday 06 November 2004 07:47, Olivier Mueller wrote:
Hello,
One of the servers I'm co-administering just got attacked a few days ago. The cracker managed to start a shell on the server by using one of these php-nuke-like include holes lying in old php scripts. Until now it failed because most of these scripts were working with /tmp, and the /tmp on that server was mounted with noexec+nosuid.
But this time /dev/shm was used: is this "new" filesystem really necessary, and what for? Would you keep it, or rather shut it down completely? At least I'd like to have it also mounted in nosuid/noexec mode... I'll check in the boot scripts how to do that, but in the meantime if you have suggestions, you're welcome :)
/dev/shm is a temporary filesystem used by the POSIX shared memory system. It's a standard feature, but the SysV IPC, which is more normal under Linux, doesn't use it. (I think - I looked into this some time ago and things might have changed since then.) You could try removing it and see what breaks. You could try mounting it noexec and see what breaks then. You could try removing (or renaming to something unusual) some of the tools the attackers use, like tar and wget in this case. Better still, you could try closing the PHP security hole being exploited! With that there, whatever else you do is like pushing water uphill.
Webserver logs when the attack occurred (the aleks-exploits pages still seem to be active: you can get some interesting files from there, like exploits against the Linux kernel, irc bots, and other "goodies"):
There is some deeply nasty, but deeply interesting stuff there. I've never bothered to look at an exploit like that one before...
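As an added example (not code from either poster), the check below reads a mount table in /proc/mounts format and reports whether a given mountpoint, such as /dev/shm or /tmp, carries the noexec and nosuid options discussed above; the sample table and the proposed fstab line are constructed for illustration and assume a tmpfs-backed /dev/shm.

```sh
#!/bin/sh
# check_mount_opts MOUNTPOINT MOUNT_TABLE
#   MOUNT_TABLE is text in /proc/mounts format:
#   "<device> <mountpoint> <fstype> <options> <dump> <pass>"
#   Returns 0 when noexec and nosuid are both set, 1 when one is
#   missing (and prints which), 2 when the mountpoint is not listed.
check_mount_opts() {
    mp=$1
    table=$2
    # pull the option column for the requested mountpoint
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
    [ -n "$opts" ] || { echo "$mp: not mounted"; return 2; }
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;                    # option present
            *) missing="$missing $want" ;;     # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Constructed sample table (not the poster's server): /tmp is hardened,
# /dev/shm still allows execution, which is the gap the thread describes.
SAMPLE='tmpfs /dev/shm tmpfs rw,nosuid 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid 0 0'

# Proposed /etc/fstab line for /dev/shm (same column layout as /proc/mounts,
# so it can be fed through the same check). To apply without a reboot:
#   mount -o remount,noexec,nosuid /dev/shm
SHM_FSTAB='tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0'

# report: run the check over the sample for both mountpoints
report() {
    for mp in /tmp /dev/shm; do
        check_mount_opts "$mp" "$SAMPLE" || true
    done
}
report
```

On a live system replace "$SAMPLE" with "$(cat /proc/mounts)" to check the real mounts.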