On 2011-08-01 16:13, Nick Kew wrote:
On Mon, 1 Aug 2011 12:39:44 +0100
Tom Evans<tevans...@googlemail.com> wrote:
On Mon, Aug 1, 2011 at 12:27 PM, vishesh kumar<linuxtovish...@gmail.com> wrote:
Hi Members
I am getting ?????? ??????? ????.doc and ?????? ??????? ????.xls files in
/tmp parition. The owner of all these files are www . I am running apache on
centos . Does it indicate any security breach ?
Vishesh Kumar
Are those questionmarks just how something gets rendered in email?
Not necessarily. Do you run any apps on the server by www, including
PHP? Do they write out temporary files in /tmp before serving them?
"Not necessarily" is a long way from a clear No! If there's an application
that legitimately creates files in /tmp, the sysop should know about it!
I can't think what sort of security breach would be achieved by
placing a few www owned files in /tmp.
A file that might hope to be executed, or fed into something?
Uploading is likely just an early stage of a breakin.
It's the stage immediately preceding it, in fact.
This happens mostly with leaky PHP scripts that allow system() calls;
I've seen some where a minimal script is uploaded and executed (as the
apache user, obviously); this script then wgets the trojan payload and
starts a dozen network daemons on high ports.
Yes, the sysadmin needs to know about this - and kick the offending PHP
script out the door ASAP.
--
J.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
