# Doing a cursory look around and found this...

## tekn0mage

Well it is never a dull moment in the life of a Gentoo (or any server, for that matter) admin. I was perusing on over to /var/tmp on a gut-feeling and found some interesting, albeit outdated files:

```
ark .bb # ls -al
total 681
drwxr-xr-x  2 apache apache    768 Feb  8  2009 .
drwxrwxrwt 29 root   root      776 Oct 13 15:37 ..
-rwxr-xr-x  1 apache apache     65 Feb  8  2009 1
-rwxr-xr-x  1 apache apache     64 Sep  9  2007 DDos.seen
-rw-r--r--  1 apache apache   2911 Feb  3  2009 DIstr-C.seen
-rwxr-xr-x  1 apache apache      0 Aug 31  2006 Floodu.seen
-rw-r--r--  1 apache apache   5642 Feb  8  2009 Rup.seen
-rwxr-xr-x  1 apache apache   8922 Jan 23  2006 b
-rwxr-xr-x  1 apache apache  19557 May  9  2005 b2
-rwxr-xr-x  1 apache apache 266463 May  9  2005 bang.txt
-rwxr-xr-x  1 apache apache   8687 Jan 23  2006 f
-rwxr-xr-x  1 apache apache  14679 Nov  2  2005 f4
-rwxr-xr-x  1 apache apache     81 Aug 16  2006 fwd
-rwxr-xr-x  1 apache apache 152108 Jun  1  2001 httpd
-rwxr-xr-x  1 apache apache  10848 May 29  2005 j
-rwxr-xr-x  1 apache apache  13850 May 29  2005 j2
-rwxr-xr-x  1 apache apache  22983 Jul 29  2004 mech.help
-rw-r--r--  1 apache apache   1064 Feb  8  2009 mech.levels
-rwxr-xr-x  1 apache apache      5 Feb  8  2009 mech.pid
-rw-rw-rw-  1 apache apache    256 Feb  8  2009 mech.session
-rwxr-xr-x  1 apache apache    450 Feb  8  2009 mech.set
-rwxr-xr-x  1 apache apache  15078 Feb 20  2005 s
-rwxr-xr-x  1 apache apache  16776 Sep 18  2002 sl
-rwxr-xr-x  1 apache apache     67 Jul 29  2004 start.sh
-rwxr-xr-x  1 apache apache  15195 Sep  2  2004 std
-rwxr-xr-x  1 apache apache   8790 Jan 23  2006 stream
-rwxr-xr-x  1 apache apache   7091 Jan 23  2006 tty
-rwxr-xr-x  1 apache apache  13687 Nov 19  2002 v
-rwxr-xr-x  1 apache apache  14841 Jul 22  2005 v2
-rwxr-xr-x  1 apache apache    915 Mar  1  2005 x
```

Now those files look pretty unassuming, right? Well, suffice it to say I am not a happy camper. So, my question here today is... what is a good permission setting for /var/tmp? Currently it's sitting at 1777 owned by root:root. Not sure how it got there, as this is an inherited server. Do I really need 777 for this directory? Obviously it's created a bit of a problem.

Thanks for the read.

----------

## DawgG

well this certainly does not look nice to me. and why /var/tmp? shouldn't apache put its tempfiles into /tmp?

i think this is not just a problem of directory-perms/ownership but also of an insecurely configured webapp. this stuff does not belong there and your webapp let it thru. that's the first thing i'd look at; then you can put apache's temp-dir somewhere w/out exec-perms.

GOOD LUCK!

----------

## tekn0mage

Well it does seem possible that the user apache could write to any directory that has 777 for permissions. Some forum software, or an insecure php/perl script that writes files, could have been used to upload the found files.

Since the files have been there for so long, I doubt that I can find out how they got there, but conceivably any directory with 777 could be written to. Being that the files are owned by apache/apache, I'm 100% sure they came from an insecure php/perl script that allowed rogue files to be uploaded. The question is, is it safe to change the permissions of /var/tmp back to something more secure like 740 owned by root/root, or will portage freak out needing to write files as portage/portage?

I'll address the scripts on the site another time, I just want to know a safe permission to set the /var/tmp directory to.

----------

## Akkara

That mode (that is, 1777, drwxrwxrwt, owned by root:root) is proper for /var/tmp.  It is meant to be a place anyone can write to.

I'm not sure what the apache files are doing there or whether they belong there (I've never used apache).  Also looks odd that the regular files have the 'execute' bit set.  I'm not sure what to make of that.

----------

## Anarcho

I also wondered about /var/tmp (though I don't have suspicious files in there) because it is human readable and has the exec rights in order for portage to work properly.

But I don't want a world-writable directory where files can be executed.

I configured PHP to have access only to the htdocs dir and the tmp dir, so I guess unless there is a hole in PHP (which there definitely is, but it has to be found) I'm a bit more secure. But nevertheless, I find it very annoying to have a world-writable and executable dir, as every other user-writable dir has no permission to execute (mount option noexec).

I already thought about a wrapper script that remounts exec, emerges and remounts noexec back after emerge is done.

So I would be interested in other proposals.

----------
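Akkara points out that regular files in /var/tmp should not normally carry execute bits, and Anarcho wants /var/tmp mounted noexec with a wrapper that re-enables exec only for the duration of an emerge. The script below is an added example, not code from any poster: `audit_exec_files` lists executable regular files under a scratch directory (optionally only those owned by one account such as apache), `dir_mode` confirms the directory is still 1777, and `with_exec_tmp` is one way to write Anarcho's wrapper. It assumes GNU find and stat (as on Gentoo) and that /var/tmp is its own mount point, which it must be for noexec to apply at all.

```shell
#!/bin/sh
# Added example for this thread; not code from any poster.

# audit_exec_files DIR [USER]
# Print "mode owner path" for every regular file under DIR that has any
# execute bit set, restricted to files owned by USER when given (e.g. apache).
# Returns 0 if nothing was found, 1 if at least one file was listed.
audit_exec_files() {
    dir="$1"
    owner="${2:-}"
    if [ -n "$owner" ]; then
        hits=$(find "$dir" -xdev -type f -user "$owner" -perm /111 -printf '%m %u %p\n')
    else
        hits=$(find "$dir" -xdev -type f -perm /111 -printf '%m %u %p\n')
    fi
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# dir_mode DIR: print the octal mode of DIR. "1777" is the expected value for
# /var/tmp (sticky bit set, world-writable), as Akkara states.
dir_mode() {
    stat -c '%a' "$1"
}

# with_exec_tmp DIR CMD [ARGS...]
# Anarcho's wrapper idea: remount DIR without noexec, run CMD, and put noexec
# back afterwards. The trap restores noexec even if CMD is interrupted.
# Needs root, and DIR must be a mount point (e.g. a tmpfs or bind mount).
with_exec_tmp() {
    dir="$1"
    shift
    trap 'mount -o remount,noexec "$dir"' EXIT INT TERM
    mount -o remount,exec "$dir" || return 1
    "$@"
    status=$?
    mount -o remount,noexec "$dir"
    trap - EXIT INT TERM
    return "$status"
}

# Typical use on the server from the thread (run as root):
#   audit_exec_files /var/tmp apache
#   with_exec_tmp /var/tmp emerge --update --deep world
```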

## das bletch

out of curiosity, could you cat DDos.seen, Floodu.seen and start.sh and post?

----------

## tekn0mage

Only if you tell me what you intend to do with the information :-p

----------

## das bletch

Ok, I was curious to try and figure out what the files are intended for. It is odd enough that they were written there, but I am also curious as to what they contain. DDos.seen and flood.seen sound like they could be some sort of IDS log, or something else. What kind of data do they contain? What do the scripts do?

And for the start.sh script, what does it start? And why is it in a directory with a bunch of other suspiciously named files?

If you feel uncomfortable posting this, that's fine, but my curiosity has no malicious undercurrent to it. If there is any info specific to your server, I would change it first. Or you could send it to me (minus your server info) in a private message.

----------

## NeddySeagoon

tekn0mage,

Time to run chkrootkit and Rootkit Hunter and any other tools you know of for finding nasty things you should not have.

----------

## jowr

That's stuff folks put in there to do nasty things. Make sure there hasn't been an escalation.

----------