Sometimes web servers show abnormal load, or we get an abuse alert from our data centre (DC) about a packet flood originating from our server. In most cases some malicious “.pl” (Perl) scripts are causing this.
I have added a new post in the security section; for more details about Linux server security click here: Linux Server Security
Usually the following steps will help you fix these types of compromises permanently.
Phase I (Find the cause)
Check the currently running processes using the top command:
$ nice top -c
(Usually you can see some “a.pl” / “b.pl” files running and eating most of the server resources.)
Find the exact location of the malicious process's files:
$ lsof -p <process id> | more
Remove all permissions from the file location (chmod 000) and move the files to a backup for further investigation.
For example, if it is running from /tmp/abc:
$ mv /tmp/abc /tmp/abc_bkp
$ chmod -R 000 /tmp/abc_bkp
$ ps aux | grep '\.pl'
$ kill -9 <pids>
This stops the malicious file from being executed again.
Phase II (Prevention is better than cure)
1) Secure /tmp
/tmp is world-writable, which gives intruders a convenient place to drop and execute files.
If you are concerned about your web server's security, /tmp should be secured.
Create a 1 GB file-backed filesystem to hold /tmp:
$ dd if=/dev/zero of=/dev/tmpFS bs=1M count=1024
$ /sbin/mkfs.ext3 /dev/tmpFS
Create a backup copy of your current /tmp drive:
$ cp -rpf /tmp /tmpbackup
Mount it on /tmp with noexec and nosuid:
$ mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
$ chmod 1777 /tmp
Copy the old data:
$ cp -Rpf /tmpbackup/* /tmp/
$ rm -rf /tmpbackup
Permanent mounting:
Edit /etc/fstab and add this:
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0
$ mount -o remount /tmp
Secure /var/tmp:
$ mv /var/tmp /var/tmp1
$ ln -s /tmp /var/tmp
Copy the old data back:
$ cp -Rpf /var/tmp1/* /tmp/
$ rm -rf /var/tmp1
Secure /dev/shm:
Change the following line in /etc/fstab:
none /dev/shm tmpfs defaults,rw 0 0
to:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
Remount /dev/shm:
$ mount -o remount /dev/shm
Note that you should restart the services which use /tmp (e.g. MySQL) so that they keep working properly.
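As an added example (not part of the original post), a POSIX shell audit of the mount options Phase II sets: it reads /proc/mounts-style lines and reports any of the given scratch directories that is missing nosuid or noexec. The SAMPLE_MOUNTS text is constructed; on a live host pass "$(cat /proc/mounts)" and resolve /var/tmp with readlink -f first, since the post makes it a symlink to /tmp.

```shell
#!/bin/sh
# Added example: verify that /tmp-style scratch mounts carry nosuid and noexec.

# Constructed sample of /proc/mounts: /tmp hardened, /dev/shm still default.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
none /dev/shm tmpfs rw,relatime 0 0'

# has_opt MOUNTS MOUNTPOINT OPTION -> exit 0 if the mountpoint carries the option
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")              # field 4 is the option list
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# is_mounted MOUNTS MOUNTPOINT -> exit 0 if the path appears as its own mount
is_mounted() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { found = 1 } END { exit found ? 0 : 1 }'
}

# audit_mounts MOUNTS MOUNTPOINT... -> prints one line per problem,
# returns the number of problems found (0 means fully hardened)
audit_mounts() {
    mounts=$1; shift
    problems=0
    for mp in "$@"; do
        if ! is_mounted "$mounts" "$mp"; then
            echo "$mp: not a separate mount (symlink to /tmp or mount with nosuid,noexec)"
            problems=$((problems + 1))
            continue
        fi
        for opt in nosuid noexec; do
            if ! has_opt "$mounts" "$mp" "$opt"; then
                echo "$mp: missing $opt"
                problems=$((problems + 1))
            fi
        done
    done
    return $problems
}

# Run against the constructed sample; /dev/shm is reported as still unhardened.
audit_mounts "$SAMPLE_MOUNTS" /tmp /dev/shm || echo "$? problem(s) found"
```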
2) Compile PHP as CGI
3) Install apache mod_security
4) Remove shell access for system users such as apache, mysql, nagios and nobody
5) Disable PHP functions in php.ini
I have added a detailed post in the security section: Linux Server Security