apache user submitting file /tmp (exploit)

Comments

13 comments

  • CarlosManceraK
    have you tried the "iotop" tool?
    0
  • daemoncesar
    iotop is for viewing writing and reading on disk. ...
    0
  • daemoncesar
    Is there another way to find out? Does /scripts/securetmp solve the problem?
    0
  • cPanelLauren
    The following should do this:
        grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
    securetmp forces it to be remounted with the nosuid option. This forces a process to run with the same privileges as the user who executes it. It does not keep a user from being able to send mail via a script. See: Tips to Make Your Server More Secure | cPanel & WHM Documentation
    0
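    As an added illustration of the log triage cPanelLauren describes (example code, not from the thread or from cPanel): a small Python script that counts messages per originating cwd= the way the grep/awk pipeline does, and additionally pairs each cwd= entry with the "<=" arrival line that follows it to show which account (U=) and subject were behind that directory. The log lines are constructed samples, and the assumption that cPanel writes the cwd= line immediately before the matching arrival line is mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of cPanel-style exim_mainlog lines (not taken from the thread). A "cwd=" line
# records the directory a local sendmail call was made from; the following "<=" line records the message.
SAMPLE_LOG = """\
2019-05-20 12:00:01 cwd=/home/babybear/public_html 4 args: /usr/sbin/sendmail -t -i
2019-05-20 12:00:01 1hSjMm-0003cg-CW <= babybear@kepler.example U=babybear P=local S=2135 T="Hello" for a@example.org
2019-05-20 12:00:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hSjMm-0003cg-CW
2019-05-20 12:00:09 cwd=/home/babybear/public_html 4 args: /usr/sbin/sendmail -t -i
2019-05-20 12:00:09 1hSjMu-0003d1-Ab <= babybear@kepler.example U=babybear P=local S=2140 T="Hello" for b@example.org
2019-05-20 12:01:00 cwd=/home/fortcom/public_html 4 args: /usr/sbin/sendmail -t -i
2019-05-20 12:01:00 1hSjNf-0003e2-Cd <= www@kepler.example U=fortcom P=local S=900 T="Contact form" for owner@example.org
"""

CWD_RE = re.compile(r"\bcwd=(\S+)")
USER_RE = re.compile(r"\bU=(\S+)")
SUBJ_RE = re.compile(r'\bT="([^"]*)"')

def count_cwd(log_text):
    """Same result as the grep/awk pipeline: messages per cwd, minus Exim's own /var/spool runs."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m and not m.group(1).startswith("/var/spool"):
            counts[m.group(1)] += 1
    return counts

def cwd_report(log_text):
    """Per cwd: the U= accounts and subjects seen on the '<=' line that follows it (assumed adjacent)."""
    report = defaultdict(lambda: {"users": set(), "subjects": Counter()})
    pending = None  # cwd waiting for its arrival line
    for line in log_text.splitlines():
        m = CWD_RE.search(line)
        if m:
            pending = None if m.group(1).startswith("/var/spool") else m.group(1)
            continue
        if pending and " <= " in line:
            u, t = USER_RE.search(line), SUBJ_RE.search(line)
            if u:
                report[pending]["users"].add(u.group(1))
            if t:
                report[pending]["subjects"][t.group(1)] += 1
            pending = None
    return dict(report)

if __name__ == "__main__":
    for cwd, n in sorted(count_cwd(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{n:6d} {cwd}", sorted(cwd_report(SAMPLE_LOG)[cwd]["users"]))
```

    On a real server, read /var/log/exim_mainlog instead of SAMPLE_LOG; a directory with many messages and a single user but many distinct subjects or recipients is where to look for the injected script.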
  • daemoncesar
    [root@kepler ~]# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
          1
          1 /home/artelaje/public_html/site/contato
          1 /home/blubiers/public_html
          2 /home/chiodini/public_html
          3 /home/demasul/public_html
          4 /usr/local/cpanel/whostmgr/docroot
          5 /root
         10 /home/grupostarke/public_html
         12 /home/babybear/public_html/wp-admin
         16 /home/portecsc/public_html/scripts
         25 /home/fortcom/public_html
         36 /home/babybear/public_html
        142 /
    [root@kepler ~]#
    0
  • daemoncesar
    Can I run securetmp?
    0
  • cPanelLauren
    There's nothing stopping you from running /scripts/securetmp, but it will not stop this behavior. None of your users is sending "from" tmp.
    0
  • daemoncesar
    How do I find the vulnerable file?
    0
  • cPanelLauren
    You need to look for the script in the directory mail is originating from as I suggested earlier.
    0
  • daemoncesar
    Of the accounts in the above command, which may be vulnerable?
          1 /home/artelaje/public_html/site/contato
          1 /home/blubiers/public_html
          2 /home/chiodini/public_html
          3 /home/demasul/public_html
          4 /usr/local/cpanel/whostmgr/docroot
          5 /root
         10 /home/grupostarke/public_html
         12 /home/babybear/public_html/wp-admin
         16 /home/portecsc/public_html/scripts
         25 /home/fortcom/public_html
         36 /home/babybear/public_html
        142 /
    0
  • cPanelLauren
    Hello, I'd have no way to know this; you need to look at the scripts in those directories. If you're not sure how to do this, you need to enlist the assistance of a qualified system administrator. If you don't have one, you might find one here:
    0
  • daemoncesar
    I already scanned the server. It has malware in WordPress files. I just want to know which files are sending to /tmp.
    0
  • daemoncesar
    Is there any problem with disabling commands (wget, curl, lynx) and granting permission to root only?
    0