d@tenmaulwurf
22.05.05, 19:21
Hi!
Today I was informed about SQL queries throwing errors. The error was "#1030 - Got error 28 from storage engine".
Had a look on the server - the /tmp partition was 100% full.
The following directory hierarchy was hiding behind it:
xyz:/tmp/.tmp# du -cma *
1 ftpd/syslog/BUGS
1 ftpd/syslog/cfg/ansitype.c
1 ftpd/syslog/cfg/configure
1 ftpd/syslog/cfg/inttype.c
1 ftpd/syslog/cfg/longlongformat.c
1 ftpd/syslog/cfg/Makefile
1 ftpd/syslog/cfg/nonansitype.c
1 ftpd/syslog/cfg/sizeof_int.c
1 ftpd/syslog/cfg/sizeof_long.c
1 ftpd/syslog/cfg/sizeof_longlong.c
1 ftpd/syslog/cfg/sizeof_short.c
1 ftpd/syslog/cfg/sizeof_time.c
1 ftpd/syslog/cfg/sizeof_short
1 ftpd/syslog/cfg/sizeof_int
1 ftpd/syslog/cfg/sizeof_long
1 ftpd/syslog/cfg/sizeof_longlong
1 ftpd/syslog/cfg/longlongformat
1 ftpd/syslog/cfg/sizeof_time
1 ftpd/syslog/cfg
1 ftpd/syslog/CHANGES
1 ftpd/syslog/CHANGES.BETA
1 ftpd/syslog/configure
1 ftpd/syslog/DEBUG.HOWTO
1 ftpd/syslog/doc/colors.txt
1 ftpd/syslog/doc/commands.txt
1 ftpd/syslog/doc/develop.txt
1 ftpd/syslog/doc/glconv.txt
1 ftpd/syslog/doc/nuke.txt
1 ftpd/syslog/doc/sections.txt
1 ftpd/syslog/doc/variables.txt
1 ftpd/syslog/doc
1 ftpd/syslog/install.pl
1 ftpd/syslog/lib/ANSIColor.pm
1 ftpd/syslog/lib/cbc-cksum.c
1 ftpd/syslog/lib/cbc-encrypt.c
1 ftpd/syslog/lib/COPYRIGHT
1 ftpd/syslog/lib/des-bitrev.c
1 ftpd/syslog/lib/des-data.c
1 ftpd/syslog/lib/des-expand.c
1 ftpd/syslog/lib/des-fun.c
1 ftpd/syslog/lib/des-fun.h
1 ftpd/syslog/lib/des-hash.c
1 ftpd/syslog/lib/des-hex.c
1 ftpd/syslog/lib/des-perms.c
1 ftpd/syslog/lib/des-private.h
1 ftpd/syslog/lib/des-reverse.c
1 ftpd/syslog/lib/des-spe-64.c
1 ftpd/syslog/lib/des-spe-data.c
1 ftpd/syslog/lib/des-sun-key.c
1 ftpd/syslog/lib/des.h
1 ftpd/syslog/lib/ecb-encrypt-64.c
1 ftpd/syslog/lib/ecb-encrypt-p.c
1 ftpd/syslog/lib/ecb-encrypt.c
1 ftpd/syslog/lib/ecb-encrypt2-64.c
1 ftpd/syslog/lib/ecb-encrypt2.c
1 ftpd/syslog/lib/eight.h
1 ftpd/syslog/lib/fp-rev.h
1 ftpd/syslog/lib/fp.h
1 ftpd/syslog/lib/ip-rev.h
1 ftpd/syslog/lib/ip.h
1 ftpd/syslog/lib/ksched-fast.c
1 ftpd/syslog/lib/ksched.c
1 ftpd/syslog/lib/ksched.h
1 ftpd/syslog/lib/Makefile
1 ftpd/syslog/lib/new-crypt.c
1 ftpd/syslog/lib/parity8.h
1 ftpd/syslog/lib/pcbc-encrypt.c
1 ftpd/syslog/lib/readme
1 ftpd/syslog/lib/RELEASE-TEXT
1 ftpd/syslog/lib/spe-table-64.h
1 ftpd/syslog/lib/spe-table.h
1 ftpd/syslog/lib/str-to-key.c
1 ftpd/syslog/lib/sun-cbc-crypt.c
1 ftpd/syslog/lib/sun-ecb-crypt.c
1 ftpd/syslog/lib/sun-parity.h
1 ftpd/syslog/lib/sun-setpar.c
1 ftpd/syslog/lib/unix-crypt.c
1 ftpd/syslog/lib/version
1 ftpd/syslog/lib
1 ftpd/syslog/LICENSE
1 ftpd/syslog/misc/sitebot/ircwho.tcl
1 ftpd/syslog/misc/sitebot/openftpd_sitebot.tcl
1 ftpd/syslog/misc/sitebot
1 ftpd/syslog/misc
1 ftpd/syslog/README
1 ftpd/syslog/refresh
1 ftpd/syslog/src/common/commondef.h
1 ftpd/syslog/src/common/rfc931.c
1 ftpd/syslog/src/common/rfc931.h
1 ftpd/syslog/src/common/setenv.c
1 ftpd/syslog/src/common/setenv.h
1 ftpd/syslog/src/common/utils.c
1 ftpd/syslog/src/common/utils.h
1 ftpd/syslog/src/common/Makefile
1 ftpd/syslog/src/common/tweak.h
1 ftpd/syslog/src/common/rfc931.o
1 ftpd/syslog/src/common/setenv.o
1 ftpd/syslog/src/common/utils.o
1 ftpd/syslog/src/common
1 ftpd/syslog/src/diffall.sh
1 ftpd/syslog/src/ftpa/defines.h
1 ftpd/syslog/src/ftpa/ftpa.c
1 ftpd/syslog/src/ftpa/Makefile
1 ftpd/syslog/src/ftpa/ftpa.o
1 ftpd/syslog/src/ftpa
1 ftpd/syslog/src/ftpd/debug.c
1 ftpd/syslog/src/ftpd/debug.h
1 ftpd/syslog/src/ftpd/definesd.h
1 ftpd/syslog/src/ftpd/dupecheck.c
1 ftpd/syslog/src/ftpd/dupecheck.h
1 ftpd/syslog/src/ftpd/externsd.h
1 ftpd/syslog/src/ftpd/f4adp_admin.c
1 ftpd/syslog/src/ftpd/f4adp_admin.h
1 ftpd/syslog/src/ftpd/f4adp_config.c
1 ftpd/syslog/src/ftpd/f4adp_config.h
1 ftpd/syslog/src/ftpd/f4adp_group.c
1 ftpd/syslog/src/ftpd/f4adp_group.h
1 ftpd/syslog/src/ftpd/f4adp_ipban.c
1 ftpd/syslog/src/ftpd/f4adp_ipban.h
1 ftpd/syslog/src/ftpd/f4adp_message.c
1 ftpd/syslog/src/ftpd/f4adp_message.h
1 ftpd/syslog/src/ftpd/f4adp_server.c
1 ftpd/syslog/src/ftpd/f4adp_server.h
1 ftpd/syslog/src/ftpd/f4adp_user.c
1 ftpd/syslog/src/ftpd/f4adp_user.h
1 ftpd/syslog/src/ftpd/ftpd.c
1 ftpd/syslog/src/ftpd/ftpd.h
1 ftpd/syslog/src/ftpd/globalsd.h
1 ftpd/syslog/src/ftpd/group.c
1 ftpd/syslog/src/ftpd/group.h
1 ftpd/syslog/src/ftpd/limits.c
1 ftpd/syslog/src/ftpd/limits.h
1 ftpd/syslog/src/ftpd/log.c
1 ftpd/syslog/src/ftpd/log.h
1 ftpd/syslog/src/ftpd/registry.c
1 ftpd/syslog/src/ftpd/registry.h
1 ftpd/syslog/src/ftpd/reject.c
1 ftpd/syslog/src/ftpd/reject.h
1 ftpd/syslog/src/ftpd/sections.c
1 ftpd/syslog/src/ftpd/sections.h
1 ftpd/syslog/src/ftpd/serverd.c
1 ftpd/syslog/src/ftpd/serverd.h
1 ftpd/syslog/src/ftpd/stat.c
1 ftpd/syslog/src/ftpd/stat.h
1 ftpd/syslog/src/ftpd/user.c
1 ftpd/syslog/src/ftpd/user.h
1 ftpd/syslog/src/ftpd/Makefile
1 ftpd/syslog/src/ftpd/debug.o
1 ftpd/syslog/src/ftpd/f4adp_admin.o
1 ftpd/syslog/src/ftpd/f4adp_config.o
1 ftpd/syslog/src/ftpd/f4adp_group.o
1 ftpd/syslog/src/ftpd/f4adp_ipban.o
1 ftpd/syslog/src/ftpd/f4adp_message.o
1 ftpd/syslog/src/ftpd/f4adp_server.o
1 ftpd/syslog/src/ftpd/f4adp_user.o
1 ftpd/syslog/src/ftpd/ftpd.o
1 ftpd/syslog/src/ftpd/group.o
1 ftpd/syslog/src/ftpd/limits.o
1 ftpd/syslog/src/ftpd/log.o
1 ftpd/syslog/src/ftpd/registry.o
1 ftpd/syslog/src/ftpd/reject.o
1 ftpd/syslog/src/ftpd/sections.o
1 ftpd/syslog/src/ftpd/serverd.o
1 ftpd/syslog/src/ftpd/stat.o
1 ftpd/syslog/src/ftpd/user.o
1 ftpd/syslog/src/ftpd/dupecheck.o
2 ftpd/syslog/src/ftpd
1 ftpd/syslog/src/ftps/commands.c
1 ftpd/syslog/src/ftps/common.c
1 ftpd/syslog/src/ftps/common.h
1 ftpd/syslog/src/ftps/config.c
1 ftpd/syslog/src/ftps/config.h
1 ftpd/syslog/src/ftps/defines.h
1 ftpd/syslog/src/ftps/dir.c
1 ftpd/syslog/src/ftps/externs.h
1 ftpd/syslog/src/ftps/ftps.c
1 ftpd/syslog/src/ftps/ftps.h
1 ftpd/syslog/src/ftps/globals.h
1 ftpd/syslog/src/ftps/list.c
1 ftpd/syslog/src/ftps/list.h
1 ftpd/syslog/src/ftps/log.c
1 ftpd/syslog/src/ftps/log.h
1 ftpd/syslog/src/ftps/login.c
1 ftpd/syslog/src/ftps/nuke.c
1 ftpd/syslog/src/ftps/nuke.h
1 ftpd/syslog/src/ftps/perm.c
1 ftpd/syslog/src/ftps/perm.h
1 ftpd/syslog/src/ftps/site.c
1 ftpd/syslog/src/ftps/site.h
1 ftpd/syslog/src/ftps/transfer.c
1 ftpd/syslog/src/ftps/transfer.h
1 ftpd/syslog/src/ftps/Makefile
1 ftpd/syslog/src/ftps/commands.o
1 ftpd/syslog/src/ftps/common.o
1 ftpd/syslog/src/ftps/config.o
1 ftpd/syslog/src/ftps/dir.o
1 ftpd/syslog/src/ftps/ftps.o
1 ftpd/syslog/src/ftps/list.o
1 ftpd/syslog/src/ftps/log.o
1 ftpd/syslog/src/ftps/login.o
1 ftpd/syslog/src/ftps/perm.o
1 ftpd/syslog/src/ftps/site.o
1 ftpd/syslog/src/ftps/transfer.o
1 ftpd/syslog/src/ftps/nuke.o
1 ftpd/syslog/src/ftps
1 ftpd/syslog/src/misc/checksum.c
1 ftpd/syslog/src/misc/glconv.c
1 ftpd/syslog/src/misc/glconv.h
1 ftpd/syslog/src/misc/msg.c
1 ftpd/syslog/src/misc/Makefile
1 ftpd/syslog/src/misc/checksum.o
1 ftpd/syslog/src/misc/msg.o
1 ftpd/syslog/src/misc/glconv.o
1 ftpd/syslog/src/misc
1 ftpd/syslog/src/Makefile
2 ftpd/syslog/src
1 ftpd/syslog/standard/bin/dirdupe.pl
1 ftpd/syslog/standard/bin/dirundupe.pl
1 ftpd/syslog/standard/bin/fillrequest.pl
1 ftpd/syslog/standard/bin/force_sfv.pl
1 ftpd/syslog/standard/bin/glconv.pl
0 ftpd/syslog/standard/bin/grp
1 ftpd/syslog/standard/bin/infoline.pl
1 ftpd/syslog/standard/bin/lastdirs.pl
1 ftpd/syslog/standard/bin/mkdir.pl
1 ftpd/syslog/standard/bin/msgcheck.sh
1 ftpd/syslog/standard/bin/nuke.pl
1 ftpd/syslog/standard/bin/oneliner.pl
1 ftpd/syslog/standard/bin/pre.pl
1 ftpd/syslog/standard/bin/primecheck.pl
1 ftpd/syslog/standard/bin/primetools.pm
1 ftpd/syslog/standard/bin/request.pl
1 ftpd/syslog/standard/bin/rules.sh
1 ftpd/syslog/standard/bin/sitebot.pl
1 ftpd/syslog/standard/bin/sitebot1.pl
1 ftpd/syslog/standard/bin/stats.pl
1 ftpd/syslog/standard/bin/test
0 ftpd/syslog/standard/bin/usr
1 ftpd/syslog/standard/bin/checksum
1 ftpd/syslog/standard/bin/msg
1 ftpd/syslog/standard/bin/glconv
1 ftpd/syslog/standard/bin
1 ftpd/syslog/standard/etc/cdpath.cfg
1 ftpd/syslog/standard/etc/check.cfg
1 ftpd/syslog/standard/etc/checkdirdupe.cfg
1 ftpd/syslog/standard/etc/checkdupe.cfg
1 ftpd/syslog/standard/etc/customcmd.cfg
1 ftpd/syslog/standard/etc/dirshortcut.cfg
1 ftpd/syslog/standard/etc/ftpd.reg
1 ftpd/syslog/standard/etc/limits.cfg
1 ftpd/syslog/standard/etc/rel_nfo.lst
1 ftpd/syslog/standard/etc/sections/0day.cfg
1 ftpd/syslog/standard/etc/sections/default.cfg
1 ftpd/syslog/standard/etc/sections/groups.cfg
1 ftpd/syslog/standard/etc/sections/iso.cfg
1 ftpd/syslog/standard/etc/sections/mp3.cfg
1 ftpd/syslog/standard/etc/sections/private.cfg
1 ftpd/syslog/standard/etc/sections/request.cfg
1 ftpd/syslog/standard/etc/sections/video.cfg
1 ftpd/syslog/standard/etc/sections
1 ftpd/syslog/standard/etc/sections.cfg
0 ftpd/syslog/standard/etc/stats/default.stat
0 ftpd/syslog/standard/etc/stats/iso.stat
0 ftpd/syslog/standard/etc/stats/video.stat
0 ftpd/syslog/standard/etc/stats/mp3.stat
0 ftpd/syslog/standard/etc/stats/0day.stat
0 ftpd/syslog/standard/etc/stats/request.stat
0 ftpd/syslog/standard/etc/stats/groups.stat
0 ftpd/syslog/standard/etc/stats
1 ftpd/syslog/standard/etc/users
1 ftpd/syslog/standard/etc/groups
0 ftpd/syslog/standard/etc/users.tmp
1 ftpd/syslog/standard/etc
1 ftpd/syslog/standard/help/addgroupop.privileged
1 ftpd/syslog/standard/help/addgrp.privileged
1 ftpd/syslog/standard/help/addip.privileged
1 ftpd/syslog/standard/help/addnuker.privileged
1 ftpd/syslog/standard/help/addsiteop.privileged
1 ftpd/syslog/standard/help/addunduper.privileged
1 ftpd/syslog/standard/help/adduser.privileged
1 ftpd/syslog/standard/help/bind.privileged
1 ftpd/syslog/standard/help/chgrp.privileged
1 ftpd/syslog/standard/help/chmod.privileged
1 ftpd/syslog/standard/help/chmodr.privileged
1 ftpd/syslog/standard/help/chown.privileged
1 ftpd/syslog/standard/help/chownr.privileged
1 ftpd/syslog/standard/help/close.privileged
1 ftpd/syslog/standard/help/color
1 ftpd/syslog/standard/help/count
1 ftpd/syslog/standard/help/del.privileged
1 ftpd/syslog/standard/help/delgroupop.privileged
1 ftpd/syslog/standard/help/delgrp.privileged
1 ftpd/syslog/standard/help/delip.privileged
1 ftpd/syslog/standard/help/delnuker.privileged
1 ftpd/syslog/standard/help/delsiteop.privileged
1 ftpd/syslog/standard/help/delunduper.privileged
1 ftpd/syslog/standard/help/deluser.privileged
1 ftpd/syslog/standard/help/disable.privileged
1 ftpd/syslog/standard/help/dump.privileged
1 ftpd/syslog/standard/help/enable.privileged
1 ftpd/syslog/standard/help/exec.privileged
1 ftpd/syslog/standard/help/ff
1 ftpd/syslog/standard/help/fillrequest
1 ftpd/syslog/standard/help/gadduser
1 ftpd/syslog/standard/help/ginfo
1 ftpd/syslog/standard/help/give
1 ftpd/syslog/standard/help/group.change.privileged
1 ftpd/syslog/standard/help/group.normal
1 ftpd/syslog/standard/help/group.privileged
1 ftpd/syslog/standard/help/groups.normal
1 ftpd/syslog/standard/help/groups.privileged
1 ftpd/syslog/standard/help/help.normal
1 ftpd/syslog/standard/help/help.privileged
1 ftpd/syslog/standard/help/idle
1 ftpd/syslog/standard/help/info
1 ftpd/syslog/standard/help/ipban.privileged
1 ftpd/syslog/standard/help/kick.privileged
1 ftpd/syslog/standard/help/kill.privileged
1 ftpd/syslog/standard/help/lgrp
1 ftpd/syslog/standard/help/luser
1 ftpd/syslog/standard/help/mod
1 ftpd/syslog/standard/help/msg
1 ftpd/syslog/standard/help/nuke
1 ftpd/syslog/standard/help/open.privileged
1 ftpd/syslog/standard/help/passwd
1 ftpd/syslog/standard/help/reconfig.privileged
1 ftpd/syslog/standard/help/reg.privileged
1 ftpd/syslog/standard/help/request
1 ftpd/syslog/standard/help/rights
1 ftpd/syslog/standard/help/run.privileged
1 ftpd/syslog/standard/help/sec.privileged
1 ftpd/syslog/standard/help/section.list.privileged
1 ftpd/syslog/standard/help/section.normal
1 ftpd/syslog/standard/help/section.privileged
1 ftpd/syslog/standard/help/setginfo.privileged
1 ftpd/syslog/standard/help/setinfo.privileged
1 ftpd/syslog/standard/help/shutdown.privileged
1 ftpd/syslog/standard/help/stats
1 ftpd/syslog/standard/help/swho.privileged
1 ftpd/syslog/standard/help/take.privileged
1 ftpd/syslog/standard/help/traffic
1 ftpd/syslog/standard/help/undupe
1 ftpd/syslog/standard/help/unnuke
1 ftpd/syslog/standard/help/user.add.privileged
1 ftpd/syslog/standard/help/user.change.privileged
1 ftpd/syslog/standard/help/user.list.privileged
1 ftpd/syslog/standard/help/user.normal
1 ftpd/syslog/standard/help/user.privileged
1 ftpd/syslog/standard/help/user.reset.privileged
1 ftpd/syslog/standard/help/users
1 ftpd/syslog/standard/help/usr.add.privileged
1 ftpd/syslog/standard/help/usr.change.privileged
1 ftpd/syslog/standard/help/usr.list.privileged
1 ftpd/syslog/standard/help/usr.normal
1 ftpd/syslog/standard/help/usr.privileged
1 ftpd/syslog/standard/help/usr.reset.privileged
1 ftpd/syslog/standard/help/version
1 ftpd/syslog/standard/help/w
1 ftpd/syslog/standard/help/who
1 ftpd/syslog/standard/help
1 ftpd/syslog/standard/log/directory.log
0 ftpd/syslog/standard/log/request.log
0 ftpd/syslog/standard/log/stats/global.txt
0 ftpd/syslog/standard/log/stats/equest.txt
0 ftpd/syslog/standard/log/stats/roups.txt
0 ftpd/syslog/standard/log/stats/ideo.txt
0 ftpd/syslog/standard/log/stats/day.txt
0 ftpd/syslog/standard/log/stats/so.txt
0 ftpd/syslog/standard/log/stats/p3.txt
0 ftpd/syslog/standard/log/stats/efault.txt
0 ftpd/syslog/standard/log/stats
1 ftpd/syslog/standard/log/ftpd.err
0 ftpd/syslog/standard/log/ftps.err
0 ftpd/syslog/standard/log/ftpd.log
1 ftpd/syslog/standard/log/ftpd.pid
0 ftpd/syslog/standard/log/current.log
1 ftpd/syslog/standard/log/dupe.log
1 ftpd/syslog/standard/log
1 ftpd/syslog/standard/msg/chdir
1 ftpd/syslog/standard/msg/goodbye
0 ftpd/syslog/standard/msg/grp
1 ftpd/syslog/standard/msg/irc/complete
1 ftpd/syslog/standard/msg/irc/completetable_body
1 ftpd/syslog/standard/msg/irc/completetable_tail
1 ftpd/syslog/standard/msg/irc/completetable_top
1 ftpd/syslog/standard/msg/irc/fillrequest
1 ftpd/syslog/standard/msg/irc/joinrace
1 ftpd/syslog/standard/msg/irc/newdir
1 ftpd/syslog/standard/msg/irc/nuke
1 ftpd/syslog/standard/msg/irc/nukee
1 ftpd/syslog/standard/msg/irc/pre
1 ftpd/syslog/standard/msg/irc/race
1 ftpd/syslog/standard/msg/irc/request
1 ftpd/syslog/standard/msg/irc/unnuke
1 ftpd/syslog/standard/msg/irc/unnukee
1 ftpd/syslog/standard/msg/irc/update
1 ftpd/syslog/standard/msg/irc
1 ftpd/syslog/standard/msg/list
1 ftpd/syslog/standard/msg/mkdir
1 ftpd/syslog/standard/msg/nuke
1 ftpd/syslog/standard/msg/onel_tail
1 ftpd/syslog/standard/msg/onel_top
1 ftpd/syslog/standard/msg/req_tail
1 ftpd/syslog/standard/msg/req_top
1 ftpd/syslog/standard/msg/rmdir
1 ftpd/syslog/standard/msg/rules
1 ftpd/syslog/standard/msg/startup
1 ftpd/syslog/standard/msg/stat_tail
1 ftpd/syslog/standard/msg/stat_top
1 ftpd/syslog/standard/msg/swho_body
1 ftpd/syslog/standard/msg/swho_tail
1 ftpd/syslog/standard/msg/swho_top
1 ftpd/syslog/standard/msg/unnuke
0 ftpd/syslog/standard/msg/usr
1 ftpd/syslog/standard/msg/welcome
1 ftpd/syslog/standard/msg/who_body
1 ftpd/syslog/standard/msg/who_tail
1 ftpd/syslog/standard/msg/who_top
1 ftpd/syslog/standard/msg
1 ftpd/syslog/standard/sbin/site/.permissions
10 ftpd/syslog/standard/sbin/site/10
15 ftpd/syslog/standard/sbin/site/etm-orgiontour.r18
0 ftpd/syslog/standard/sbin/site/[Film]/.permissions
1 ftpd/syslog/standard/sbin/site/[Film]/.status
1 ftpd/syslog/standard/sbin/ftpa
1 ftpd/syslog/standard/sbin/ftps
1 ftpd/syslog/standard/sbin/httpd
2849 ftpd/syslog/standard/sbin
2850 ftpd/syslog/standard
1 ftpd/syslog/TODO
1 ftpd/syslog/VERSION
1 ftpd/syslog/Makefile
2852 ftpd/syslog
2852 ftpd
1 ftpd.tar.gz
1 my/shellbind.c
1 my/httpd
1 my
2853 insgesamt
OK. Shut down all services - thought about what to do, or rather tried to reconstruct the attack.
An openftp server and a specific httpd server were running.
All of /tmp/.tmp/ belongs to www-data:www-data. From that I conclude that the attack came in via Apache/PHP.
OK, probably code injection... the problem: I assigned PHP its own tmp dir, /xyz/tmp. Everything PHP-related ends up there (open sessions, etc.).
Apache, however, still puts everything in /tmp. I don't (yet) know to what extent a distinction is made there, i.e. where the boundary lies.
In any case there were no suspicious files in /xyz/tmp.
Every vhost user had the open_basedir directive set to read/write in their own dir and in the /xyz/tmp dir (PHP temp dir) - so the /tmp dir was (in theory) excluded.
Now my question: how did the user get access to /tmp when it wasn't listed in the open_basedir directive?
Maybe I just can't see the forest for the trees right now.
I'd also ask you not to immediately write me off as an incompetent admin :x I took great care setting up the server.
If you need more info or want to see the contents of files, just post.
I'll keep looking through the logs now.
What am I hoping for from this thread?
Maybe someone has suffered a similar attack, found a similar directory structure, etc...
Many thanks!!
d@tenmaulwurf
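An audit script for the situation described in this post, added here as an example (it is not the poster's own code): it reports hidden entries in a tmp directory owned by the web-server user, files whose names resemble the tool-building artifacts in the listing, and how full the filesystem holding that directory is. It assumes a POSIX shell with find, du, df and awk available; the name patterns are constructed from the file names in the post's listing.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a tmp directory for the
# symptoms described in the thread: a full partition (MySQL "Got error 28"),
# a hidden directory owned by the web-server user, and build artifacts in it.

# Report hidden (dot-prefixed) top-level entries of directory $1 owned by
# user $2, one per line as "<size in MB><TAB><path>", largest first.
# A hidden directory such as /tmp/.tmp does not show up in a plain `ls /tmp`.
hidden_entries_owned_by() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' -user "$2" \
        -exec du -sm {} + 2>/dev/null | sort -rn
}

# List regular files below $1 whose names look like the artifacts in the
# post's listing: C sources and objects, a tarball, a stray "httpd" binary
# and a bind-shell source. Patterns are constructed from that listing.
suspicious_files() {
    find "$1" -type f \( -name '*.c' -o -name '*.o' -o -name '*.tar.gz' \
        -o -name 'httpd' -o -name 'shellbind*' \) 2>/dev/null | sort
}

# Integer percentage of the filesystem holding $1 that is in use.
# df -P gives the POSIX layout, so the capacity column is always field 5.
fs_usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Succeeds (exit 0) when the filesystem holding $1 is at or above $2 percent.
fs_is_full() {
    [ "$(fs_usage_percent "$1")" -ge "$2" ]
}

# Combined report for a tmp directory and the user the web server runs as.
audit_tmp() {
    dir=$1
    owner=$2
    echo "== filesystem holding $dir is $(fs_usage_percent "$dir")% in use"
    if fs_is_full "$dir" 95; then
        echo "   WARNING: nearly or completely full"
    fi
    echo "== hidden entries in $dir owned by $owner (MB, path):"
    hidden_entries_owned_by "$dir" "$owner"
    echo "== files below $dir matching the patterns from the post:"
    suspicious_files "$dir"
}

# Usage on the system from the post: audit_tmp /tmp www-data
```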