Server Hacked - Help Me Find the Cause

looks like only solution is rm -rf /

ps
don’t try this at home
and especially not at work
only exception being your stepmother’s macbook

That needs to be done as root, and in this case I was told root was not hacked yet. Besides, one needs balls to run that dreadful command, something rare nowadays - the irony.

2 Likes

They’re path traversal bugs, but the bug allowed writing arbitrary files, which could lead to arbitrary code execution if you write a script to a place where it can be executed.

It really is a shame that so many things are expected to be able to exec in temporary areas.

Didn’t notice that, but it would still require a certain level of access to achieve, no?

Yeah… The most recent issue I saw was that netdata failed to install when /tmp is mounted as noexec (they’ve since fixed that): Netdata update in a /tmp hardened system · Issue #5289 · netdata/netdata · GitHub

Yeah… Although if the system has some mechanism of executing script files via web requests (such as PHP or an old-school cgi-bin), you could likely use a traversal bug to write a script file into some location that’s publicly accessible (e.g. write to /var/www/foo.php or /var/www/html/foo.php, then try to hit http://[server-ip]/foo.php).

A common vulnerability I used to see many many years ago was that many forum systems had an attachments directory where attachment files were uploaded and could be hit directly. Many Nginx PHP configs had a bug where files whose names contained .php anywhere in the file name would be executed by PHP (rather than requiring it at the end). The security hole was that you could upload a file called foo.php.txt, which the forum system would allow as it’s a text file, then hit something like /forum/attachments/foo.php.txt and it’d execute the script. There was also a similar Nginx configuration issue where you could hit /foo.txt/whatever.php and it’d execute foo.txt as a PHP script.

1 Like
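The two Nginx/PHP-FPM misconfigurations described in that post (an unanchored `location ~ \.php` regex, and PATH_INFO splitting with `cgi.fix_pathinfo=1` and no `try_files $uri =404`) can be reasoned about with a small emulator. This is an added illustration, not code from the thread or from Nginx; the document root listing is constructed, and the matching logic is a simplified model of how the request is routed and how PHP-FPM resolves the script.

```python
import re
from typing import Optional, Set, Tuple

# Constructed stand-in for files under /var/www (paths relative to docroot).
DOCROOT: Set[str] = {
    "/index.php",
    "/foo.txt",
    "/forum/attachments/foo.php.txt",   # uploaded "text" attachment
}

# Weak config: `location ~ \.php` matches ".php" anywhere in the URI.
WEAK_LOCATION = re.compile(r"\.php")
# Hardened config: `location ~ \.php$` only matches URIs ending in .php.
HARD_LOCATION = re.compile(r"\.php$")


def split_path_info(uri: str, files: Set[str]) -> Optional[Tuple[str, str]]:
    """Model cgi.fix_pathinfo=1: walk the URI left to right and take the first
    prefix that is an existing file as SCRIPT_FILENAME; the rest is PATH_INFO."""
    parts = uri.split("/")
    for i in range(2, len(parts) + 1):
        candidate = "/".join(parts[:i])
        if candidate in files:
            return candidate, "/".join(parts[i:])
    return None


def script_executed(uri: str, location_re: re.Pattern, fix_pathinfo: bool,
                    try_files: bool, files: Set[str] = DOCROOT) -> Optional[str]:
    """Return the file PHP would execute for this request, or None."""
    if not location_re.search(uri):
        return None                      # never routed to the PHP location
    if try_files and uri not in files:
        return None                      # `try_files $uri =404;` rejects it
    if uri in files:
        return uri                       # the URI itself is handed to PHP
    if fix_pathinfo:                     # PHP guesses the script from a prefix
        hit = split_path_info(uri, files)
        return hit[0] if hit else None
    return None


def audit(uri: str) -> Tuple[Optional[str], Optional[str]]:
    """(file executed under the weak config, file executed under the hardened
    config: anchored regex + try_files $uri =404 + cgi.fix_pathinfo=0)."""
    weak = script_executed(uri, WEAK_LOCATION, fix_pathinfo=True, try_files=False)
    hard = script_executed(uri, HARD_LOCATION, fix_pathinfo=False, try_files=True)
    return weak, hard
```

Under the weak configuration the uploaded attachment and the `/foo.txt/whatever.php` request both end up executed as PHP; under the hardened one only real `.php` files that exist on disk do.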
        if grep -Eq '^[^ ]+ /tmp [^ ]+ ([^ ]*,)?noexec[, ]' /proc/mounts; then
                pattern="/opt/netdata-updater-XXXXXX"
        else
                pattern="/tmp/netdata-updater-XXXXXX"
        fi

That is not a fix. My god that is still bad.