The other day, a friend of mine had his Linux webserver compromised because he was running a vulnerable PHP-script. The "hacker" had used a malformed URL to include a wget-command to fetch some stuff off the net and install it in /dev/shm where it ran undetected. Fortunately, the webserver ran as a non-priviledged user, so no serious harm was done.

I cleaned his machine for him and took some preventive measures.

I mounted /dev/shm noexec and I moved (what I thought) all HTTP- and FTP-clients to /root/bin and symlinked those from their original location. This way, only the root-user can use these clients. However... my list of clients was not complete and the "hacker" tried once again (using GET) to compromise the system. This time he failed though, because /dev/shm did not allow execution of his scripts.

The clients I moved to /root/bin included:

• links

• lynx

• wget

• curl

• GET (the one I initially forgot)

• ftp

• tftp

• lftp thanks to LanceBoyles

• snarf thanks to LanceBoyles

but I somehow feel this list is not complete.

Can you help me assemble a complete list of all clients that can be used to download stuff off the net.

lftp and snarf are the only other ones I can think of off the top of my head.

Did you remove the vulnerable PHP script? You really should consider rebuilding that box from scratch and restoring from pre-compromise backup in the event that trojaned programs or backdoors were installed that you didn't detect.

The box could not be brought down, since it was a production-machine for my friend, who hosts websites on it. His businesspartner could not be pursuaded to bring the box down while investigating the incident.
Bitter irony... the box died a week later and had some hardware replaced and its OS newly installed... It's clean now...

I tried to close the box as much as I could and in the end I was very happy with the result (and not to mention the enormous amount of "hacker-goodies" that were left behind). A very good learning-experience!

We did remove the PHP-script, which was part of a PHP-Nuke photo-gallery and asked the owner to look for either a non-vulnerable version of find another gallery. Furthermore, my friend started using a firewall on the box itself and uses very strict rules now.

I also created a script that continuously checks if user "httpd" runs any other software than the webserver itself (which is how I found out about the hack in the first place) and this script was very userful in finding other hidden scripts. I must admit that those trojans are cleverly hidden and are a nice piece of work!

Anyway, thanks for the addition to my list!