Ok -- Sent from myMail for Android Thursday, 08 April 2021, 03:48PM -04:00 from Jeffrey Walton noloa...@gmail.com :
>Hi Everyone, > >I'm seeing some funny business in our log files. > >[Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client >71.179.5.32:29418] PHP Notice: Unknown: file created in the system's >temporary directory in Unknown on line 0, referer: >https://www.cryptopp.com/w/index.php?title=Linux&action=edit > >We override the upload directory for Apache, so nothing should be >written to the system's temporary directory: > ># grep -IR 'temp_dir' /etc >/etc/php/7.4/cli/php.ini:; Defaults to the system default (see >sys_get_temp_dir) >/etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp" >/etc/php/7.4/apache2/php.ini:; Defaults to the system default (see >sys_get_temp_dir) >/etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp" > >And: > ># ls -Al /var/lib/php >drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules >drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions >drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp > >And: > ># grep base /etc/php/7.4/apache2/conf.d/99-security.ini >open_basedir="/var/www/html/:/var/lib/php/" > >We are not sure what is going on. I guess we missed a setting somewhere. > >How is the attacker creating files on the system given they are not logged in? > >Thanks in advance. > >_______________________________________________ >MediaWiki-l mailing list >To unsubscribe, go to: >https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
_______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
