I used to have a line of code in /etc/init.d/syslog (I think this was the file) to delete the contents of my /tmp directory on shutdown. It originally came from Fedora. I have searched for it but can't find it again.
Anyone happen to have it?
TIA
On Sat, Dec 12, 2009 at 02:33:33PM -0500, Thomas Dukes wrote:
I used to have a line of code in /etc/init.d/syslog (I think this was the file) to delete the contents of my /tmp directory on shutdown.
In /etc/init.d/syslog? That seems like a bad place to put it, even if it does check (as I assume it must have) the current runlevel, and only deletes in runlevels [016] or [06]; if it gets killed too early, you could delete a file from /tmp that is needed to cleanly kill off a subsequent process.
/etc/init.d/halt calls /sbin/halt.local, which might be a good place, except that it's already umounted nonessential filesystems by then, so if you have /tmp on a different fs putting it there won't work. (You could mount it from halt.local, clean it, then umount it, but that seems extremely kludgy.) You could write your own simple script and link it in /etc/rc[06].d/ to run after S00killall but before S01halt or S01reboot. (It is not clear to me whether enough processes are killed off that cleaning /tmp is safe here; might be worth testing in a noncritical environment first.)
--keith
On Sat, Dec 12, 2009 at 10:05 PM, Thomas Dukes tdukes@sc.rr.com wrote:
I have the /tmp in memory, which effectively deletes everything on reboot. Maybe another solution?
Cheers Didi
Thomas Dukes wrote: <snip>
+1 for tmpfs :)
Here's an example:
http://www.howtoforge.com/storing-files-directories-in-memory-with-tmpfs
Thanks for the link. It's a little over my head though. I run a simple system that requires very little involvement on my part.
Today, I found upd.pl in my tmp directory. The date was Oct 09. I also found my /etc/passwd and /etc/shadow had been changed with a user of 0Profile added. I deleted the old files and restored those from backup. I ran my chkrootkit and installed mod_security. SSH is not running so I don't know how this happened.
I'm running CentOS 5.4 and everyone should check their system!!
On Sat, Dec 12, 2009 at 07:35:51PM -0500, Thomas Dukes wrote:
Thanks for the link. It's a little over my head though.
No it isn't. The main thing you need is
mount -t tmpfs -o size=100M,mode=0755 tmpfs /var/www/www.example.com/cache
You would adjust size to be the size of the vmdisk you want, and adjust /var/www... to be /tmp. If you want this on boot, put the appropriate entry into /etc/fstab:
tmpfs /var/www/www.example.com/cache tmpfs size=100M,mode=0755 0 0
(same adjustments here)
Perhaps your system is not as simple as you think it is. ;-/
--keith
On Sun, Dec 13, 2009 at 3:10 AM, Thomas Dukes tdukes@sc.rr.com wrote:
All you need is [Esc]q! :)
I would make it a little bigger than 100M, depending on how much memory you have. And the mode should be the same as /tmp would normally be => mode=777 :)
If you have been hacked, like it seems you have, you should first find out how the guy got in. Do you have a webserver running? Firewall enabled? Then just to be safe I would always reinstall as you never know what he might have done.
Then you can modify the tmp in fstab
Cheers Didi
On Sun, Dec 13, 2009 at 03:17:37AM +0000, Geerd-Dietger Hoffmann wrote:
/tmp is 1777 by default.
John
I have 1GB of RAM. What would be a good size?
The udp.pl file was owned by apache. Not sure that would matter. I have no clue as to how it got there. The date on the file was Oct 09 and those logs have already been rotated out.
Then you can modify the tmp in fstab
Cheers Didi
Running a full backup now. When complete, I will make the changes to fstab.
Thanks!!
Owned by apache in tmp?
Sounds like an insecure web app or injection attack.
2009/12/13 Thomas Dukes tdukes@sc.rr.com:
I'd recommend reinstalling from scratch, just to be safe. Admittedly, I am incredibly paranoid...
Ben
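
Added example, not written by anyone in this thread: shell helpers for the checks the incident above calls for, listing accounts that are in the live passwd file but not in a backup copy, flagging extra UID 0 accounts, and listing files under a directory owned by a given account such as apache. The function names, the sample passwd entries and the UID 0 check are assumptions of this example; the thread does not say which UID the added account had.

```shell
#!/bin/sh
# Added example: checks for the incident described in the thread.
# Function names and sample data are constructed for illustration.

# Account names present in CURRENT passwd but absent from the BACKUP copy.
added_accounts() {  # usage: added_accounts BACKUP CURRENT
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
             !($1 in known)      { print $1 }' "$1" "$2"
}

# Accounts other than root with UID 0 (assumption: the thread does not
# say which UID the added account had).
uid0_accounts() {  # usage: uid0_accounts PASSWD
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Regular files under DIR owned by USER (name or numeric UID), for
# example the web server account; does not cross filesystem boundaries.
files_owned_by() {  # usage: files_owned_by DIR USER
    find "$1" -xdev -type f -user "$2" -print 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed passwd files: a backup copy and a modified current copy.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'apache:x:48:48:Apache:/var/www:/sbin/nologin' > "$work/passwd.backup"
    cp "$work/passwd.backup" "$work/passwd.current"
    echo 'extrauser:x:0:0::/tmp:/bin/bash' >> "$work/passwd.current"
    # Constructed stand-in for a script left behind in /tmp.
    mkdir "$work/tmp" && echo '# placeholder' > "$work/tmp/dropped.pl"
    echo "added accounts: $(added_accounts "$work/passwd.backup" "$work/passwd.current")"
    echo "extra UID 0:    $(uid0_accounts "$work/passwd.current")"
    # The current UID stands in for the apache account in this demo.
    echo "files owned by uid $(id -u):"
    files_owned_by "$work/tmp" "$(id -u)"
    rm -rf "$work"
}
demo
```

On a live system the calls would be `added_accounts /path/to/backup/passwd /etc/passwd` (backup path is a placeholder) and `files_owned_by /tmp apache`.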