Mailinglist Archive: opensuse-security (145 mails)

Re: [suse-security] /dev/shm (in)security / php-based attack
  • From: Derek Fountain <dflists@xxxxxxxxxxxx>
  • Date: Sat, 6 Nov 2004 09:27:11 +0800
  • Message-id: <200411060927.11180.dflists@xxxxxxxxxxxx>
On Saturday 06 November 2004 07:47, Olivier Mueller wrote:
> Hello,
> One of the servers I'm co-administering just got attacked
> a few days ago. The cracker managed to start a shell on
> the server by using one of these php-nuke-like include
> holes lying in old php scripts. Until now it failed
> because most of these scripts were working with /tmp,
> and the /tmp on that server was mounted with noexec+nosuid.
> But this time /dev/shm was used: is this "new" filesystem
> really necessary, and what for? Would you keep it, or
> rather shut it down completely? At least I'd like to
> have it also mounted in nosuid/noexec mode... I'll check
> in the boot scripts how to do that, but in the meantime
> if you have suggestions, you're welcome :)

/dev/shm is a temporary filesystem used by the POSIX shared memory system.
It's a standard feature, but the SysV IPC, which is more normal under Linux,
doesn't use it. (I think - I looked into this some time ago and things might
have changed since then.) You could try removing it and see what breaks. You
could try mounting it noexec and see what breaks then. You could try removing
(or renaming to something unusual) some of the tools the attackers use, like
tar and wget in this case. Better still, you could try closing the PHP
security hole being exploited! With that there, whatever else you do is like
pushing water uphill.

> Webserver logs when the attack occurred (the aleks-exploits
> pages still seem to be active: you can get some interesting
> files from there, like exploits against linux kernel,
> irc bots, and other "goodies"):

There is some deeply nasty, but deeply interesting stuff there. I've never
bothered to look at an exploit like that one before...
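The thread asks how to get /dev/shm mounted nosuid/noexec the way /tmp already is. The script below is an added example, not code from either poster: it reads a mount table in /proc/mounts format (a constructed sample is embedded, labelled as such; with no second argument the function reads the live /proc/mounts), reports which hardening options are missing from a given mount point, and prints the fstab line that would make the setting permanent. The option list `WANT_OPTS` defaults to the nosuid,noexec pair discussed in the thread; the function names `missing_opts` and `fstab_line` are my own.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit mount points for the
# nosuid/noexec options and print the fstab entry that would enforce them.

# Hardening options we expect on scratch filesystems. Override by exporting
# WANT_OPTS before sourcing this script.
WANT_OPTS=${WANT_OPTS:-nosuid,noexec}

# Constructed sample in /proc/mounts format: "device mountpoint fstype opts 0 0".
# /dev/shm is the unhardened tmpfs the poster describes; /tmp is already fixed.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda1 /tmp ext3 rw,nosuid,noexec 0 0
/dev/sda2 / ext3 rw 0 0'

# missing_opts MOUNTPOINT [MOUNTTABLE]
#   Prints a comma-separated list of options from WANT_OPTS that are absent
#   from MOUNTPOINT's mount options ("" when fully hardened), or "notmounted"
#   if MOUNTPOINT is not in the table. MOUNTTABLE defaults to /proc/mounts.
missing_opts() {
    mp=$1
    table=${2:-$(cat /proc/mounts 2>/dev/null)}
    # Field 2 of /proc/mounts is the mount point; take the first matching row.
    line=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then
        echo "notmounted"
        return 0
    fi
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    missing=""
    for want in $(printf '%s\n' "$WANT_OPTS" | tr ',' ' '); do
        # Surround with commas so "noexec" does not match inside "nonoexec"-style names.
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "$missing"
}

# fstab_line MOUNTPOINT
#   Prints a tmpfs fstab entry carrying WANT_OPTS for MOUNTPOINT.
fstab_line() {
    echo "tmpfs $1 tmpfs defaults,$WANT_OPTS 0 0"
}

# Demonstration on the constructed table (runs when the script is executed).
for m in /dev/shm /tmp /var/tmp; do
    result=$(missing_opts "$m" "$SAMPLE_MOUNTS")
    case $result in
        "")         printf '%s: ok\n' "$m" ;;
        notmounted) printf '%s: not mounted\n' "$m" ;;
        *)          printf '%s: missing %s -> fstab: %s\n' "$m" "$result" "$(fstab_line "$m")" ;;
    esac
done
```

On a real host, `missing_opts /dev/shm` with no second argument checks the live mount table; once the fstab entry is in place, `mount -o remount,nosuid,noexec /dev/shm` applies the same options without a reboot, and rerunning the check confirms the remount took.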
