hi,
We had some similar cases before which the hackers installed irc bot
to /tmp. Besides /tmp, "/var/tmp" and any other globally writable
directory are possible target for the intruders to download their
gadget.
I believe the root for the intrusion is very likely the web
applications running on your server, especially those cgi scripts, be
it php or perl. Also check the user rights of your web directories.
Besides disable wget and curl, you should also disable local compilers
(c and c++ at least) or limit it to root user only. Check your apache
http access and error logs, you will find a lot of clues and even the
specific vulnerable scripts.
regards,
Rick
On 8/23/05, AragonX <aragonx@dcsnow.com> wrote:
<quote who="Sean Finkel">
I would recommend also securing /tmp (and /var/tmp). Mounting it noexec
and nosuid is a good step to take. As well, I modified my local wget and
curl programs to *not* download to /tmp or /var/tmp, as no legitimate
use for the program (on my servers) will be downloading files to these
locations. As well, these two programs are commonly used in web script
attacks to retrieve a remote file and execute it.
Thank you for the reply. I believe this is exactly what happened to me.
I found some binaries in the /tmp directory.
As well, install and run regularly (via cron) chkrootkit and rootkit
hunter. You should not rely solely on these programs, but they provide a
nice check that can assist you in finding some of the more common and
known intrusions/rootkits.
I have chkrootkit but did not know about rootkit hunter. Thank you again.
I also have AIDE and Snort setup on this machine.
