Owned by apache in tmp? Sounds like an insecure web app or injection attack.

2009/12/13 Thomas Dukes <tdukes at sc.rr.com>

>
> > -----Original Message-----
> > From: centos-bounces at centos.org
> > [mailto:centos-bounces at centos.org] On Behalf Of Geerd-Dietger Hoffmann
> > Sent: Saturday, December 12, 2009 10:18 PM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] Deleting contents of /tmp on shutdown
> >
> > On Sun, Dec 13, 2009 at 3:10 AM, Thomas Dukes
> > <tdukes at sc.rr.com> wrote:
> > >> > Today, I found upd.pl in my tmp directory. The date was oct 09. I
> > >> > also found my /etc/passwd and /etc/shadow had been changed with a user
> > >> > of 0Profile added. I deleted the old files and restored those from
> > >> > backup. I ran my chkrootkit and installed mod_security. SSH is not
> > >> > running so I don't know how this happened.
> > >>
> > >> Perhaps your system is not as simple as you think it is. ;-/
> > >>
> > >> --keith
> > >
> > >
> > > Thanks, Keith!
> > >
> > > Guess I'd better brush up on my vi commands in case I have to boot
> > > from a rescue disk. :-)
> >
> > All you need is [Esc]q! :)
> >
> > >
> > > Just guessing here, but to do this, I need to add:
> > >
> > > tmpfs /tmp tmpfs size=100M,mode=0755 0 0
> > >
> > > To my /etc/fstab and cross my fingers?
> >
> > I would make it a little bigger than 100M depending on how much
> > memory you have. And the mode should be the same as /tmp
> > would normally be =>
> > mode=777 :)
>
> I have 1GB of RAM. What would be a good size?
>
> >
> > If you have been hacked, like it seems you have, you should
> > first find out how the guy got in. Do you have a webserver
> > running? Firewall enabled? Then just to be safe I would
> > always reinstall as you never know what he might have done.
>
> The udp.pl file was owned by apache. Not sure that would matter. I have no
> clue as to how it got there. The date on the file was oct 09 and those
> logs have already been rotated out.
>
> >
> > Then you can modify the tmp in fstab
> >
> > Cheers Didi
>
> Running a full backup now. When complete, I will make the changes to fstab.
>
> Thanks!!
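
Added example, not part of the original thread: shell checks for the two findings reported above, an account added to /etc/passwd and a file in /tmp owned by apache. The function names, the sample passwd lines and the UID given to the 0Profile entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Print accounts in a passwd-format file that have UID 0 but are not "root".
# Field 1 is the login name, field 3 the numeric UID.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts present in CURRENT but absent from BACKUP (both passwd-format).
# usage: accounts_added_since BACKUP CURRENT
accounts_added_since() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             !($1 in seen)       { print $1 }' "$1" "$2"
}

# List regular files under DIR owned by USER (name or numeric UID),
# staying on one filesystem.
# usage: files_owned_by DIR USER
files_owned_by() {
    find "$1" -xdev -type f -user "$2" -print
}

# Demonstration on constructed files; nothing on the real system is read.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'apache:x:48:48:Apache:/var/www:/sbin/nologin' > "$d/passwd.bak"
    cp "$d/passwd.bak" "$d/passwd"
    # Name taken from the thread; the UID and other fields are assumptions.
    printf '%s\n' '0Profile:x:0:0::/tmp:/bin/sh' >> "$d/passwd"
    mkdir "$d/tmp" && : > "$d/tmp/upd.pl"
    echo "extra UID 0 accounts:  $(extra_uid0_accounts "$d/passwd")"
    echo "added since backup:    $(accounts_added_since "$d/passwd.bak" "$d/passwd")"
    echo "files owned by caller: $(files_owned_by "$d/tmp" "$(id -u)")"
    rm -rf "$d"
}
demo
```

On a live host the same functions would be pointed at /etc/passwd, the restored backup copy, and /tmp with the user apache.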