httpd in /tmp - Sound advice sought

Bret Walker bret-walker at
Tue Feb 8 05:35:53 PST 2005

Last night, I ran chkrootkit and it gave me a warning about being infected
with Slapper.  Slapper exploits vulnerabilities in OpenSSL up to version
0.96d or older on Linux systems.  I have only run 0.97d.  The file that
set chkrootkit off
was httpd which was located in /tmp.  /tmp is always mounted rw, noexec.

I update my packages (which are installed via ports) any time there is a
security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a couple
weeks, but the only code that required it to be on was in a .htaccess/SSL
password protected directory.

Tripwire didn't show anything that I noted as odd.  I reexamined the
tripwire logs,
which are e-mailed to an account off of the machine immediately after
completion, and I don't
see anything odd for the 3/4 days before or after the date on the file.
(I don't scan /tmp)

I stupidly deleted the httpd file from /tmp, which was smaller than the
actual apache httpd.  And I don't back up /tmp.

The only info I can find regarding this file being in /tmp pertains to
Slapper.  Could something have copied a file there?  Could I have done it
by mistake at some point - the server's been up ~60 days, plenty of time
for me to forget something?

This is production box that I very much want to keep up, so I'm seeking
some sound advice.

Does this box need to be rebuilt?  How could a file get written to /tmp,
and is it an issue since it couldn't be executed?  I run tripwire nightly,
and haven't seen anything odd to the best of my recollection.  I also
check ipfstat -t frequently to see if any odd connections are happening.

I appreciate any sound advice on this matter.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3046 bytes
Desc: not available
Url :

More information about the freebsd-questions mailing list