Have you tried mounting /tmp with the noexec flag?
On Thu, 2010-04-15 at 17:36 -0400, Chris wrote:
> I have some web servers which occasionally have hacks that are uploaded that
> change their name to look like apache and somehow get apache to send requests
> to them. The result is that people somewhat randomly get pages advertising
> self enhancing drugs etc. The hacks are perl scripts, but they are run from
> /tmp and then deleted. Trying to get anything out of /proc/pid/fd/whatever
> just yields an empty file. Anyone have any ideas on how to recover the
> original script? Right now I just have a process checking for them and
> whacking them when I see them, but I'd like to know more about them to actually
> prevent them from happening.
>
> Any thoughts would be appreciated!
>
> Chris
> --
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
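Added example, not part of the original thread: a Python check for the two things discussed above, whether /tmp is mounted noexec and whether any process shows a web-server name in argv[0] while its executable is a script interpreter, or still references a deleted file under /tmp. The name lists and function names are assumptions chosen for illustration.

```python
import os

SERVER_NAMES = ("apache", "httpd")               # assumed names the scripts imitate
INTERPRETERS = {"perl", "python", "sh", "bash"}  # assumed interpreter list

def mount_options(mounts_text, mountpoint="/tmp"):
    """Options of the topmost mount on mountpoint in /proc/mounts text, else None."""
    opts = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = set(fields[3].split(","))
    return opts

def findings(cmdline, exe, links):
    """Reasons a process resembles the scripts described in the thread."""
    reasons = []
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
    # Strip version suffixes such as perl5.10.1 before comparing.
    exe_name = os.path.basename(exe.replace(" (deleted)", "")).rstrip("0123456789.")
    if exe_name in INTERPRETERS and any(n in argv0 for n in SERVER_NAMES):
        reasons.append("argv[0] %r but executable is %s" % (argv0, exe))
    for target in links:
        if target.startswith("/tmp/") and target.endswith(" (deleted)"):
            reasons.append("references deleted file " + target)
    return reasons

def scan_proc(proc="/proc"):
    """Apply findings() to every readable process; run as root to see all users."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read()
            exe = os.readlink(os.path.join(base, "exe"))
            links = [exe, os.readlink(os.path.join(base, "cwd"))]
            for fd in os.listdir(os.path.join(base, "fd")):
                links.append(os.readlink(os.path.join(base, "fd", fd)))
        except OSError:
            continue  # process exited, kernel thread, or permission denied
        reasons = findings(cmdline, exe, links)
        if reasons:
            hits.append((int(pid), reasons))
    return hits

if __name__ == "__main__":
    with open("/proc/mounts") as f:
        opts = mount_options(f.read())
    print("/tmp options:", sorted(opts) if opts else "not a separate mount")
    for pid, reasons in scan_proc():
        print(pid, "; ".join(reasons))
```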