Re: Linux hardening

From: Sagiko (
Date: 08/23/05

  • Next message: paavan shah: "linux password cracking tools"
    Date: Tue, 23 Aug 2005 09:47:58 +0800
    To: AragonX <>

    We had some similar cases before which the hackers installed irc bot
    to /tmp. Besides /tmp, "/var/tmp" and any other globally writable
    directory are possible target for the intruders to download their

    I believe the root for the intrusion is very likely the web
    applications running on your server, especially those cgi scripts, be
    it php or perl. Also check the user rights of your web directories.
    Besides disable wget and curl, you should also disable local compilers
    (c and c++ at least) or limit it to root user only. Check your apache
    http access and error logs, you will find a lot of clues and even the
    specific vulnerable scripts.


    On 8/23/05, AragonX <> wrote:
    > <quote who="Sean Finkel">
    > > I would recommend also securing /tmp (and /var/tmp). Mounting it noexec
    > > and nosuid is a good step to take. As well, I modified my local wget and
    > > curl programs to *not* download to /tmp or /var/tmp, as no legitimate
    > > use for the program (on my servers) will be downloading files to these
    > > locations. As well, these two programs are commonly used in web script
    > > attacks to retrieve a remote file and execute it.
    > Thank you for the reply. I believe this is exactly what happened to me.
    > I found some binaries in the /tmp directory.
    > > As well, install and run regularly (via cron) chkrootkit and rootkit
    > > hunter. You should not rely solely on these programs, but they provide a
    > > nice check that can assist you in finding some of the more common and
    > > known intrusions/rootkits.
    > I have chkrootkit but did not know about rootkit hunter. Thank you again.
    > I also have AIDE and Snort setup on this machine.

  • Next message: paavan shah: "linux password cracking tools"