[nycbug-talk] Searching for suspect PHP files...
Charles Sprickman
spork at bway.net
Mon Mar 9 22:15:24 EDT 2009
On Mon, 9 Mar 2009, ??? wrote:
>> Yes, /tmp is the favorite directory of all www script kiddies and other
>> crackers. Mounting it noexec can help a little bit, but I also disable
>> world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
>> to open a remote reverse shell. I really think that php websites
>> nowadays are number one on the crackers' list.
I'm coming into this late and addressing the /tmp issue. This is a very,
very simple tip that comes as a result of some type of OCD issue I have
with /tmp. At some point in the last few years I noticed that /tmp
becomes a total trash heap as you install more and more junk on a server.
However I also noticed that a good deal of software that needs a "tmp"
directory of some sort allows you to explicitly specify a path. So my
current procedure is this:
- if a piece of software allows you to specify a path to "/tmp", specify
it, but create a subdirectory in /tmp for it and chown it to the user the
app will be running as
Simple, but using the example of php, you can set a path for the php
session info, the upload dir, etc. (upload_tmp_dir, session.save_path,
eaccelerator.cache_dir). So if you start thinking something
sneaky is going on with php, you are looking at not all of /tmp for crap,
but you can zoom right into the problem area...
Just a handy tip...
Charles