CiViX
Guest
We're really plagued by script-kiddies uploading scripts to /tmp and executing them via perl. Yes, /tmp IS mounted nosuid,noexec,nodev,noatime so they can't run programs from this directory, but they can run perl from another location using the script (textfile) uploaded in /tmp.
We're running the full rulesets from http://www.gotroot.com/mod_security+rules but still they manage to upload and run the scripts.
I usually find scripts (text-files) in /tmp, but sometimes also in directories with 777-permissions, which customers create to allow webapps to upload files since php runs as apache and not as the user :-(
What happens if I disable perl by chmodding /usr/bin/perl to 000 (as I have done with /usr/bin/*cc*)? Will this break things? Is there a way to stop perl-scripts from being executed like this?
Does anyone have scripts that I can run as a cronjob which kill unknown processes run as user apache for more than 5 minutes (or something)?
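A cron-friendly filter for the last question, as an added example that is not part of the original post: it flags processes owned by `apache` that have run longer than 5 minutes and are not on an allowlist. The `ALLOWED` list, the `--live` switch, the `KILL` variable and the sample process lines are assumptions made for illustration; the live mode relies on the `etimes` column of procps-ng `ps`.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input: one process per line as "PID USER ELAPSED_SECONDS COMMAND"
# (the columns printed by `ps -eo pid=,user=,etimes=,comm=` on procps-ng).

WEB_USER="apache"        # user named in the post
MAX_AGE=300              # 5 minutes, as asked in the post
ALLOWED="httpd php-cgi"  # assumption: commands this host expects apache to run

# Print "PID AGE COMMAND" for every process owned by WEB_USER that is older
# than MAX_AGE seconds and whose command name is not on the allowlist.
find_suspects() {
    awk -v user="$WEB_USER" -v max="$MAX_AGE" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == user && ($3 + 0) > (max + 0) && !($4 in ok) { print $1, $3, $4 }
    '
}

# Constructed sample input, so the filter can be checked offline.
sample_ps() {
    cat <<'EOF'
1201 root 86400 httpd
1210 apache 86000 httpd
4312 apache 1820 perl
4350 apache 40 perl
4400 apache 900 sh
4500 civix 5000 perl
EOF
}

# Live mode (hypothetical switch): report each suspect with its working
# directory, and send SIGTERM only when KILL=1 is set in the environment.
if [ "${1:-}" = "--live" ]; then
    ps -eo pid=,user=,etimes=,comm= | find_suspects |
    while read -r pid age cmd; do
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null)
        echo "suspect pid=$pid age=${age}s cmd=$cmd cwd=$cwd"
        if [ "${KILL:-0}" = "1" ]; then
            kill -TERM "$pid"
        fi
    done
fi
```

Running it report-only from cron first shows which legitimate long-lived commands still need adding to `ALLOWED` before `KILL=1` is enabled.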