Re: Linux hardening
From: Sagiko (sagiko_at_gmail.com)
Date: Tue, 23 Aug 2005 09:47:58 +0800 To: AragonX <firstname.lastname@example.org>
We had some similar cases before which the hackers installed irc bot
to /tmp. Besides /tmp, "/var/tmp" and any other globally writable
directory are possible target for the intruders to download their
I believe the root for the intrusion is very likely the web
applications running on your server, especially those cgi scripts, be
it php or perl. Also check the user rights of your web directories.
Besides disable wget and curl, you should also disable local compilers
(c and c++ at least) or limit it to root user only. Check your apache
http access and error logs, you will find a lot of clues and even the
specific vulnerable scripts.
On 8/23/05, AragonX <email@example.com> wrote:
> <quote who="Sean Finkel">
> > I would recommend also securing /tmp (and /var/tmp). Mounting it noexec
> > and nosuid is a good step to take. As well, I modified my local wget and
> > curl programs to *not* download to /tmp or /var/tmp, as no legitimate
> > use for the program (on my servers) will be downloading files to these
> > locations. As well, these two programs are commonly used in web script
> > attacks to retrieve a remote file and execute it.
> Thank you for the reply. I believe this is exactly what happened to me.
> I found some binaries in the /tmp directory.
> > As well, install and run regularly (via cron) chkrootkit and rootkit
> > hunter. You should not rely solely on these programs, but they provide a
> > nice check that can assist you in finding some of the more common and
> > known intrusions/rootkits.
> I have chkrootkit but did not know about rootkit hunter. Thank you again.
> I also have AIDE and Snort setup on this machine.