[CentOS] mystery process "unit"
sbeam
sbeam at onsetcorps.net
Tue Aug 12 16:08:54 UTC 2008
On Tuesday 12 August 2008 10:16, Rainer Duffner wrote:
> Anything in /tmp ?
>
> Disable register_globals and allow_url_fopen.
> Set open_basedir for any virtual hosts to the absolute minimum.
allow_url_fopen was enabled on one of many sites. A developer put in an unsafe
php include(). This allowed the w0rm to run a remote PHP script which used
exec() to fetch and spawn the shellbot. Pretty standard. But it also did a
decent job of removing itself from the filesystem. Lucky I noticed the weird
process this morning, no harm done it seems.
I have mod_security installed now, but I tested a similar attack, and sadly,
it still succeeds as long as allow_url_fopen is on. But this is not CentOS
related.
cheers
Sam
More information about the CentOS
mailing list