httpd in /tmp - Sound advice sought

Redmond Militante r-militante at
Tue Feb 8 11:41:04 PST 2005


[Tue, Feb 08, 2005 at 10:46:19AM -0600]
This one time, at band camp, Bret Walker said:

> Redmond-
> Here is the response I got from the list.
> I also found another file - shellbind.c - it's essentially this -
> (although phpBB has never been installed).
> I had register_globals on in PHP for a month+ because a reservation system
> I was using required them.  I now know better.  We also had php errors set
> to display for a while as bugs were being worked out.
> The owner of this file is www, so it was put in /tmp by the apache daemon.
> I messed the file up trying to tar it, so I can't get a good md5.
> Register globals and php file uploads are both off now.  I don't think the
> system was compromised because anything written to /tmp (which is the temp
> dir php defaults to) could not be executed.
> Do you think we're safe to continue as is?

this person is telling you that slapper is nothing to worry about because it's a linux only virus - but if you didn't put httpd in /tmp then you should be worried about this situation.

this is probably your call what you want to do.
> Also, I would like to talk with you about what preventative measures you
> take with herald.  I know you run tripwire, but what else do you do on a
> regular basis?

one thing i do is i read /var/log/messages every day.  do you do that?

> Bret
> -----Original Message-----
> From: owner-freebsd-questions at
> [mailto:owner-freebsd-questions at] On Behalf Of Mark A. Garcia
> Sent: Tuesday, February 08, 2005 9:57 AM
> To: Bret Walker
> Cc: freebsd-questions at
> Subject: Re: httpd in /tmp - Sound advice sought
> Bret Walker wrote:
> >Last night, I ran chkrootkit and it gave me a warning about being
> >infected with Slapper.  Slapper exploits vulnerabilities in OpenSSL up
> >to version 0.96d or older on Linux systems.  I have only run 0.97d.
> >The file that set chkrootkit off was httpd which was located in /tmp.
> >/tmp is always mounted rw, noexec.
> >
> >I update my packages (which are installed via ports) any time there is
> >a security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> >2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a
> >couple of weeks, but the only code that required it to be on was in a
> >.htaccess/SSL password protected directory.
> >
> >Tripwire didn't show anything that I noted as odd.  I reexamined the
> >tripwire logs, which are e-mailed to an account off of the machine
> >immediately after completion, and I don't
> >see anything odd for the 3/4 days before or after the date on the file.
> >(I don't scan /tmp)
> >
> >I stupidly deleted the httpd file from /tmp, which was smaller than the
> >actual apache httpd.  And I don't back up /tmp.
> >
> >The only info I can find regarding this file being in /tmp pertains to
> >Slapper.  Could something have copied a file there?  Could I have done
> >it by mistake at some point - the server's been up ~60 days, plenty of
> >time for me to forget something?
> >
> >This is production box that I very much want to keep up, so I'm seeking
> >some sound advice.
> >
> >Does this box need to be rebuilt?  How could a file get written to
> >/tmp, and is it an issue since it couldn't be executed?  I run tripwire
> >nightly, and haven't seen anything odd to the best of my recollection.
> >I also check ipfstat -t frequently to see if any odd connections are
> >happening.
> >
> >I appreciate any sound advice on this matter.
> >
> >Thanks,
> >Bret
> >
> >
> Slapper is a linux only virus.  You shouldn't have to worry about it
> doing harm on your freebsd machine.  Seeing as the binary was in your
> tmp directory on your system, and that you might have not placed it
> there, this could be a good reason for a host of other things to look
> into.  The httpd binary with 96d<= ssl is not a virus itself, just a
> means to carry out the exploit.  The slapper virus is a bunch of c-code
> that is put in your tmp directory and the exploit allows one to compile,
> chmod, and execute the code, leaving open a backdoor.
> chkrootkit does scan for the comparable scalper virus which is a freebsd
> cousin to the slapper (in that they attempt to exploit the machine via
> the apache conduit.)
> I would think real hard, if you did put the httpd binary in there.  If
> you are sure you didn't, and you are the only one with access to the
> system, then I would be very very worried.  Running tripwire and
> chkrootkit on a periodic basis should help.  Re-installing the os isn't
> your only solution, but it does give comfort knowing that after a
> reinstall, and locking down the box, no one has an in on your system.
> This could be overboard though.
> You also might want to consider enabling the clean_tmp scripts.  Next
> time tar up those suspicious files, a quick forensics on them can do
> wonders (md5sum, timestamps, ownership, permissions.)
> Cheers,
> -.mag

Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
 1:30PM  up 1 day,  1:21, 2 users, load averages: 0.00, 0.04, 0.19
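A small triage script that follows mag's advice above (keep the suspicious file and record md5sum, timestamps, ownership and permissions before deleting it) and also checks the two facts Bret relies on: that /tmp really is mounted noexec and that the stray "httpd" is not the installed Apache binary. This is an added example, not code from the thread; /tmp/httpd, /var/evidence and /usr/local/sbin/httpd are assumed paths.

```shell
#!/bin/sh
# Added example (not from the thread): triage a suspicious /tmp file before
# deleting it: record checksum, size, ownership, permissions and timestamps,
# check whether /tmp is really mounted noexec, and compare the stray "httpd"
# with the Apache binary installed from ports. Usage paths are assumptions.
set -u

# Portable checksum: FreeBSD ships sha256/md5, Linux ships sha256sum/md5sum.
checksum() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else md5sum "$1" | cut -d' ' -f1
    fi
}

# Copy FILE into EVDIR (cp -p keeps mode/owner/mtime), write a .meta sidecar, print its path.
preserve_evidence() {
    file="$1"; evdir="$2"
    mkdir -p "$evdir" || return 1
    base=$(basename "$file")
    cp -p "$file" "$evdir/$base.bin" || return 1
    {
        echo "path: $file"
        echo "checksum: $(checksum "$file")"
        echo "size_bytes: $(wc -c < "$file" | tr -d ' ')"
        echo "owner_mode_mtime: $(ls -l "$file")"   # mtime: last content change
        echo "atime: $(ls -lu "$file")"             # last read of the file
        echo "ctime: $(ls -lc "$file")"             # last inode change (chmod, chown)
    } > "$evdir/$base.meta"
    echo "$evdir/$base.meta"
}

# Does MOUNT_OUTPUT (text from mount(8)) show MOUNTPOINT mounted noexec?
# Matches both FreeBSD "(ufs, local, noexec)" and Linux "(rw,noexec,...)".
mount_has_noexec() {
    printf '%s\n' "$2" | grep -F -e " on $1 " | grep -q 'noexec'
}

# Are two files byte-identical? An "httpd" smaller than the real one is not it.
same_binary() {
    [ "$(checksum "$1")" = "$(checksum "$2")" ]
}

# Usage (assumed paths): run as root with --run.
if [ "${1:-}" = "--run" ]; then
    preserve_evidence /tmp/httpd /var/evidence
    same_binary /tmp/httpd /usr/local/sbin/httpd && echo "identical to installed httpd" || echo "NOT the installed httpd"
    mount_has_noexec /tmp "$(mount)" && echo "/tmp is noexec" || echo "/tmp allows exec"
fi
```

Because cp -p only preserves ownership when run as root, run the preservation step as root; a noexec /tmp stops a direct execve of the file but not an interpreter or a loader reading it, so the file is still worth preserving and examining.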
