Re: Attempts to push spam through apache
From: Adrian Popescu (adixpope_at_rdsnet.ro)
Date: 08/23/04
- Previous message: Wayne Frazee: "Re: Attempts to push spam through apache"
- In reply to: Peter H. Lemieux: "Re: Attempts to push spam through apache"
- Next in thread: Gite, Ashish (Security Consultancy): "RE: Attempts to push spam through apache"
To: "Peter H. Lemieux" <phl@cyways.com>
Date: Mon, 23 Aug 2004 08:56:48 +0300
>
> The previous intruder, which I suspect was an automated script and not a
> real person, never got root. The script installed the IRC proxy source in
> /tmp, then compiled and ran it as the apache user. After that happened, I
> blocked apache's access to /tmp by creating a "tmpusers" group to which
> apache doesn't belong, and making /tmp owned by root/tmpusers with 0770
> perms. I don't have to support users on this box, so only a limited number
> of users, like the PostgreSQL owner, need access to /tmp. I was already
> routing other things apache commonly puts in /tmp like PHP session data to
> separate directories so this was a pretty simple fix.
>
> Thanks again!
>
> Peter
You could also mount /tmp on another partition with the "noexec" option.
(in fstab .... defaults,noexec,rw)
Usually 100-200M will do.
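
Added example, not part of the original message: a POSIX shell check that reads fstab-format text on stdin and reports whether the /tmp entry is effectively noexec, the setting suggested above. The device name /dev/EXAMPLE, the ext3 type, the sample lines and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit fstab-format text (on stdin) for a noexec /tmp mount.

# Print the options column of the /tmp entry; exit status 1 if there is none.
tmp_mount_options() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; found = 1; exit }
         END { exit !found }'
}

# Print "noexec" or "exec" for a comma-separated option list.
# Later options override earlier ones (e.g. "noexec,exec" ends up exec),
# and mount(8) documents that "user"/"users" imply noexec.
# Runs in a subshell so the IFS and globbing changes stay local.
effective_exec() (
    IFS=,; set -f
    state=exec
    for opt in $1; do
        case "$opt" in
            noexec|user|users) state=noexec ;;
            exec) state=exec ;;
        esac
    done
    echo "$state"
)

# Verdict for fstab text on stdin.
# Returns 0 = noexec, 1 = execution allowed, 2 = no separate /tmp entry.
check_tmp_noexec() {
    opts=$(tmp_mount_options) || { echo "no separate /tmp entry"; return 2; }
    if [ "$(effective_exec "$opts")" = noexec ]; then
        echo "ok: /tmp is noexec ($opts)"
    else
        echo "weak: /tmp allows execution ($opts)"
        return 1
    fi
}

# Constructed sample entries; /dev/EXAMPLE is a placeholder device name.
GOOD='/dev/EXAMPLE /tmp ext3 defaults,noexec,rw 0 2'
WEAK='/dev/EXAMPLE /tmp ext3 defaults,rw 0 2'
printf '%s\n' "$GOOD" | check_tmp_noexec || :
printf '%s\n' "$WEAK" | check_tmp_noexec || :
```

To audit a live host, feed it the real table, e.g. `check_tmp_noexec < /etc/fstab` for the configured state or `check_tmp_noexec < /proc/mounts` for what is mounted right now.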