tmp directory setting
Posted by: meror (---.client.rionet.cz)
Date: October 13, 2020 03:41PM

Hello,
I am pretty happy how my wamp is running now, but still feeling I need to set something better - secure better if possible.

I started to get messages from Defender that there were multiple attempts to attack with trojans and backdoors and that the threat was removed.

All the time same scenario - somehow the bad guys are trying to upload files into wamp tmp dir but I did not figure out how from all the logs I am collecting.

As an example:
wamp\tmp\phpE865.tmp
wamp\tmp\php96AA.tmp
wamp\tmp\phpF0EC.tmp->[EmbeddedEnc]
wamp\tmp\php9EA3.tmp

and many others...

First what came into my mind that these files are successfully uploaded into wamp tmp through some virtual host running on server.
But although I am logging many things I was unable to find how the file was uploaded.
And I believe make wamp tmp read-only is not an option as wamp need rw access there.

Please any suggestion how wamp can tell me how these bad files were uploaded to tmp and possible to find a way how to properly restrict this but not affect running virtual hosts from their proper run?

Thank you.

Options: ReplyQuote
Re: tmp directory setting
Posted by: Otomatic (Moderator)
Date: October 13, 2020 04:06PM

Hi,

wamp(64)\tmp is the folder dedicated to several "things":
- PHP session.save_path
- PHP upload_tmp_dir
- PHP soap.wsdl_cache_dir
- PHP xdebug.profiler_output_dir

- MySQL secure_file_priv
- MySQL tmpdir

So there can be many files of all kinds in this folder and they are not necessarily "bad files".
What makes you say they are "bad files"?

Access to this folder, which is part of the server, is basically forbidden by the directive in the httpd.conf file.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

------------------------------------------------------------------------------------------------------------
Wampserver 3.2.4 32 bit - Apache 2.4.46a - PHP 8.0.0…5.6.40 - MySQL 5.7.32 - MariaDB 10.5.8
Wampserver 3.2.4 64 bit - Apache 2.4.46a - PHP 8.0.0…5.6.40 - MySQL 5.7.32/8.0.22 - MariaDB 10.5.8
PhPMyadmin 5.0.4 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »

Options: ReplyQuote
Re: tmp directory setting
Posted by: meror (---.client.rionet.cz)
Date: October 13, 2020 09:46PM

Thank you for your answer.

httpd.conf directive set as you stated.

So maybe allowed by some virtual host as there are running couple of wordpress instances.


In regards to bad files - as I stated, this was discovered by MS Defender and those files automatically removed.

Defender report example:

Status: Removed
Threat found: Backdoor:Win32/Dirtelti!ml
Severity: High
Category: Backdoor
Related files:
...\wamp\tmp\php9EA3.tmp

Similar for other files as well - Trojans, Backdoors, Malware etc...

Trojantongue sticking out smileyHP/Obfuse!MSR
Trojanconfused smileycript/Wacatac.B!ml

all of them via uploaded phpxxx.tmp files into wamp tmp folder.

In my opinion, somebody is abusing some security hole somewhere in wamp or wordpress to upload infected file to wamp tmp folder, fortunately Defender realtime control does not allow any more actions I hope.

My goal is to make sure such files cannot be uploaded to wamp tmp / or in other words nobody could anyhow force php/apache to upload such file. I am sorry if using bad terminology.

Thank you.

Options: ReplyQuote
Re: tmp directory setting
Posted by: Otomatic (Moderator)
Date: October 14, 2020 12:22PM

Hi,

À In my humble opinion, it is in WordPress that you should prohibit file uploads, except to duly authorized "members".

You can also, in the phpForApache.ini file of the PHP web version used, change the folder defined by upload_tmp_dir.

------------------------------------------------------------------------------------------------------------
Wampserver 3.2.4 32 bit - Apache 2.4.46a - PHP 8.0.0…5.6.40 - MySQL 5.7.32 - MariaDB 10.5.8
Wampserver 3.2.4 64 bit - Apache 2.4.46a - PHP 8.0.0…5.6.40 - MySQL 5.7.32/8.0.22 - MariaDB 10.5.8
PhPMyadmin 5.0.4 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »

Options: ReplyQuote
Re: tmp directory setting
Posted by: meror (---.client.rionet.cz)
Date: October 19, 2020 12:27PM

Thank you for your reply.
I tried some tweaks in Wordpress, hopefully it will be helpful and not destructive to the pages.

Options: ReplyQuote


Sorry, only registered users may post in this forum.