The other day, a friend of mine had his Linux webserver compromised because he was running a vulnerable PHP script. The "hacker" had used a malformed URL to include a wget command to fetch some stuff off the net and install it in /dev/shm, where it ran undetected. Fortunately, the webserver ran as a non-privileged user, so no serious harm was done.
I cleaned his machine for him and took some preventive measures.
I mounted /dev/shm noexec and I moved (what I thought was) all HTTP and FTP clients to /root/bin and symlinked those from their original location. This way, only the root user can use these clients. However... my list of clients was not complete and the "hacker" tried once again (using GET) to compromise the system. This time he failed though, because /dev/shm did not allow execution of his scripts.
The clients I moved to /root/bin included:
- GET (the one I initially forgot)
- lftp thanks to LanceBoyles
- snarf thanks to LanceBoyles
but I somehow feel this list is not complete.
Can you help me assemble a complete list of all clients that can be used to download stuff off the net?
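As an added example (not code from the original poster), here is a small POSIX shell audit script covering the two measures described above: it checks whether /dev/shm carries the noexec mount option, and it lists which download-capable client binaries in the given directories are still executable by non-root users, so a forgotten client like GET shows up before an attacker finds it. The client name list and the sample /proc/mounts lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Audit helper for the two mitigations in the post:
#  1. is /dev/shm mounted noexec?
#  2. which download-capable clients are still executable by "other" users?

# Constructed sample /proc/mounts content (assumption, not from a real host):
# /dev/shm here lacks noexec, /run has it.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0'

# Download-capable clients named in the post plus common extras (assumed list).
DOWNLOAD_CLIENTS="wget curl GET lftp snarf ftp fetch lynx links w3m"

# shm_noexec MOUNTS_TEXT
# Returns 0 if the /dev/shm entry in MOUNTS_TEXT has "noexec" among its
# mount options (field 4, comma separated), 1 otherwise.
shm_noexec() {
    printf '%s\n' "$1" | awk '
        $2 == "/dev/shm" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# world_exec_clients DIR...
# Prints, one per line, every known client found directly in the given
# directories whose "other" execute bit (-perm -001) is set.
world_exec_clients() {
    for d in "$@"; do
        for c in $DOWNLOAD_CLIENTS; do
            f="$d/$c"
            [ -f "$f" ] || continue
            find "$f" -perm -001 -print
        done
    done
}

# Stand-alone run: audit the live system when /proc/mounts is readable,
# otherwise fall back to the constructed sample above.
if [ -r /proc/mounts ]; then
    mounts=$(cat /proc/mounts)
else
    mounts=$SAMPLE_MOUNTS
fi
if shm_noexec "$mounts"; then
    echo "/dev/shm: noexec is set"
else
    echo "/dev/shm: noexec is NOT set"
fi
echo "download clients executable by non-root users:"
world_exec_clients /bin /usr/bin /usr/local/bin
```

Anything printed in the second list is a candidate for the same treatment the poster applied to GET, lftp and snarf (move to /root/bin or drop the "other" execute bit); an empty list plus "noexec is set" means both measures are in place for the directories checked.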