[nycbug-talk] Searching for suspect PHP files...

Charles Sprickman spork at bway.net
Mon Mar 9 22:15:24 EDT 2009


On Mon, 9 Mar 2009, ??? wrote:

>> Yes, /tmp is the favorite directory of all www script kiddies and other
>> crackers.  Mounting it noexec can help a little bit, but I also disable
>> world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
>> to open a remote reverse shell.  I really think that php websites
>> nowadays are number one on the crackers' list.

I'm coming into this late and addressing the /tmp issue.  This is a very,
very simple tip that comes as a result of some type of OCD issue I have
with /tmp.  At some point in the last few years I noticed that /tmp
becomes a total trash heap as you install more and more junk on a server.
However I also noticed that a good deal of software that needs a "tmp"
directory of some sort allows you to explicitly specify a path.  So my
current procedure is this:

-if a piece of software allows you to specify a path to "/tmp", specify 
it, but create a subdirectory in /tmp for it and chown it to the user the 
app will be running as

Simple, but using the example of php, you can set a path for the php 
session info, the upload dir, etc. (upload_tmp_dir, session.save_path, 
eaccelerator.cache_dir).  So if you start thinking something 
sneaky is going on with php, you are looking at not all of /tmp for crap, 
but you can zoom right into the problem area...

Just a handy tip...

Charles
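The procedure from the post above, written out as a small script. This is an added example, not code from the original message: it creates one app-owned scratch directory under /tmp, prints the php.ini lines (upload_tmp_dir, session.save_path, eaccelerator.cache_dir) that point PHP's temp paths into it, and gives a narrow audit that only has to look at that one tree. The worker user name "www", the subdirectory names "upload", "sessions" and "cache", and skipping chown when not root are my assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): per-application scratch
# directories under /tmp so a later audit looks at one small tree, not all
# of /tmp. Assumptions: PHP worker user "www"; subdirectory names are mine;
# chown is skipped when not root so the example also runs unprivileged.

# make_app_tmp BASE APP OWNER -> prints the directory it created.
# Creates BASE/APP and its three subdirectories, mode 0700, owned by OWNER.
make_app_tmp() {
    base="$1"; app="$2"; owner="$3"
    dir="$base/$app"
    for sub in "" upload sessions cache; do
        mkdir -p "$dir/$sub" || return 1
        chmod 0700 "$dir/$sub" || return 1
    done
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dir" || return 1   # only root can chown
    fi
    printf '%s\n' "$dir"
}

# php_ini_fragment DIR -> prints the php.ini directives (names as in the
# post) that move PHP's scratch files out of the shared /tmp into DIR.
php_ini_fragment() {
    dir="$1"
    printf 'upload_tmp_dir = %s/upload\n' "$dir"
    printf 'session.save_path = %s/sessions\n' "$dir"
    printf 'eaccelerator.cache_dir = %s/cache\n' "$dir"
}

# audit_app_tmp DIR -> prints how many regular files under DIR are either
# owner-executable (-perm -100) or carry a script suffix. Uploads, session
# files and cache entries should be neither, so a non-zero count is worth
# a closer look; a file matching both tests is counted once.
audit_app_tmp() {
    dir="$1"
    {
        find "$dir" -type f -perm -100
        find "$dir" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.sh' \)
    } | sort -u | wc -l | tr -d ' '
}

# Usage as root, e.g.:
#   dir=$(make_app_tmp /tmp webapp www)
#   php_ini_fragment "$dir" >> /usr/local/etc/php.ini   # path is an assumption
#   audit_app_tmp "$dir"                                # expect 0
```

Because each application gets its own subtree, `audit_app_tmp` can be pointed at a single app's directory when it is the one under suspicion, which is exactly the narrowing the post describes.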

