I am not sure this necessarily refers to the upload temp directory. Anyway, did you look at https://bugs.php.net/bug.php?id=74189 ? (The port used in that log entry appears to be the one that Gitblit defaults to, incidentally.)
On Thu, Apr 8, 2021 at 3:48 PM Jeffrey Walton <noloa...@gmail.com> wrote: > Hi Everyone, > > I'm seeing some funny business in our log files. > > [Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client > 71.179.5.32:29418] PHP Notice: Unknown: file created in the system's > temporary directory in Unknown on line 0, referer: > https://www.cryptopp.com/w/index.php?title=Linux&action=edit > > We override the upload directory for Apache, so nothing should be > written to the system's temporary directory: > > # grep -IR 'temp_dir' /etc > /etc/php/7.4/cli/php.ini:; Defaults to the system default (see > sys_get_temp_dir) > /etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp" > /etc/php/7.4/apache2/php.ini:; Defaults to the system default (see > sys_get_temp_dir) > /etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp" > > And: > > # ls -Al /var/lib/php > drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules > drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions > drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp > > And: > > # grep base /etc/php/7.4/apache2/conf.d/99-security.ini > open_basedir="/var/www/html/:/var/lib/php/" > > We are not sure what is going on. I guess we missed a setting somewhere. > > How is the attacker creating files on the system given they are not logged > in? > > Thanks in advance. > > _______________________________________________ > MediaWiki-l mailing list > To unsubscribe, go to: > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l >
_______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l