Owned by apache in tmp?
Sounds like an insecure web app or injection attack.
2009/12/13 Thomas Dukes tdukes@sc.rr.com
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Geerd-Dietger Hoffmann Sent: Saturday, December 12, 2009 10:18 PM To: CentOS mailing list Subject: Re: [CentOS] Deleting contents of /tmp on shutdown
On Sun, Dec 13, 2009 at 3:10 AM, Thomas Dukes tdukes@sc.rr.com wrote:
Today, I found upd.pl in my tmp directory. The date was
oct 09. I
also found my /etc/passwd and /etc/shadow had been changed
with a user
of 0Profile added. I deleted the old files and restored
those from
backup. I ran my chkrootkit and installed mod_security.
SSH is not
running so I don't know how this happened.
Perhaps your system is not as simple as you think it is. ;-/
--keith
Thanks, Keith!
Guess I'd better brush up on my vi commands in case I have to boot from a rescue disk. :-)
All you need is [Esc]q! :)
Just guessing here, but to do this, I need to add:
tmpfs /tmp tmpfs size=100M,mode=0755 0 0 To my /etc/fstb
and cross my
fingers?
I would make it a little bigger as 100M depending on how much memory you have. And the mode should be the same as /tmp would normally be => mode=777 :)
I have 1GB of RAM. What would be a good size?
If you have been hacked, like it seams you have, you should first find out how the guy got in. Do you have a webserver running? Firewall enabled? Then just to be safe I would always reinstall as you never know what he might have done.
The udp.pl file was owned by apache. Not sure that would matter. I have no cluse as to how it got there. The date on the file was oct 09 and those logs have already been rotated out.
Then you can modify the tmp in fstab
Cheers Didi
Running a full backup now. When complete, I will make the changes to fstab.
Thanks!!
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos