From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dwight Hubbard
Subject: Re: deleted perl hacks in /tmp
Date: Thu, 15 Apr 2010 18:42:04 -0700
Message-ID: <1271382124.25992.7.camel@dhnetboook>
References: <20100415213631.GA1251@chris-laptop.a2hosting.com>
Reply-To: dwight.hubbard@efausol.com
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
In-Reply-To: <20100415213631.GA1251@chris-laptop.a2hosting.com>
Sender: linux-admin-owner@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"
To: Chris
Cc: linux-admin@vger.kernel.org

Have you tried mounting /tmp with the noexec flag?

On Thu, 2010-04-15 at 17:36 -0400, Chris wrote:
> I have some web servers which occasionally have hacks that are uploaded that
> change their name to look like apache and somehow get apache to send requests
> to them. The result is that people somewhat randomly get pages advertising
> self enhancing drugs etc. The hacks are perl scripts, but they are run from
> /tmp and then deleted. Trying to get anything out of /proc/pid/fd/whatever
> just yields an empty file. Anyone have any ideas on how to recover the
> original script? Right now I just have a process checking for them and
> whacking them when I see them, but I'd like to know more about them to actually
> prevent them from happening.
>
> Any thoughts would be appreciated!
>
> Chris
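
A detection sketch for the situation described in the quoted message, added here as an example and not written by either poster: it walks /proc and reports processes whose real binary (the `exe` link) is a script interpreter while argv[0] names the web server, together with their working directory and any file descriptors that point at unlinked files. The name lists, the `scan` function and its `proc_root` parameter are assumptions made for the example.

```python
#!/usr/bin/env python3
# Added example: flag interpreter processes whose argv[0] names the web server.
import os

# Assumed name lists; adjust to the interpreters and server binary on the host.
INTERPRETERS = ("perl", "python", "php", "ruby")
SERVER_NAMES = ("apache", "httpd")
DELETED = " (deleted)"  # suffix the kernel appends to unlinked link targets

def _readlink(path):
    try:
        return os.readlink(path)
    except OSError:  # kernel thread, exited process, or no permission
        return ""

def _argv0(pid_dir):
    try:
        with open(os.path.join(pid_dir, "cmdline"), "rb") as fh:
            return fh.read().split(b"\0")[0].decode("utf-8", "replace")
    except OSError:
        return ""

def scan(proc_root="/proc"):
    # One dict per process that runs an interpreter but claims to be the server.
    findings = []
    pids = sorted((d for d in os.listdir(proc_root) if d.isdigit()), key=int)
    for pid in pids:
        pid_dir = os.path.join(proc_root, pid)
        exe = _readlink(os.path.join(pid_dir, "exe"))
        argv0 = _argv0(pid_dir)
        exe_name = os.path.basename(exe.replace(DELETED, ""))
        if not exe_name.startswith(INTERPRETERS):
            continue
        if not any(name in argv0 for name in SERVER_NAMES):
            continue
        fd_dir = os.path.join(pid_dir, "fd")
        try:
            targets = [_readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            targets = []
        findings.append({"pid": int(pid), "exe": exe, "argv0": argv0,
                         "cwd": _readlink(os.path.join(pid_dir, "cwd")),
                         "deleted_fds": sorted(t for t in targets if t.endswith(DELETED))})
    return findings

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Run it as root so the `exe`, `cwd` and `fd` links of processes owned by the web server user are readable.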