Unknown: file created in the system's temporary directory
Hi Everyone,

I'm seeing some funny business in our log files.

[Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client 71.179.5.32:29418] PHP Notice: Unknown: file created in the system's temporary directory in Unknown on line 0, referer: https://www.cryptopp.com/w/index.php?title=Linux&action=edit

We override the upload directory for Apache, so nothing should be
written to the system's temporary directory:

# grep -IR 'temp_dir' /etc
/etc/php/7.4/cli/php.ini:; Defaults to the system default (see sys_get_temp_dir)
/etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp"
/etc/php/7.4/apache2/php.ini:; Defaults to the system default (see sys_get_temp_dir)
/etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp"

And:

# ls -Al /var/lib/php
drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules
drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions
drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp

And:

# grep base /etc/php/7.4/apache2/conf.d/99-security.ini
open_basedir="/var/www/html/:/var/lib/php/"

We are not sure what is going on. I guess we missed a setting somewhere.

How is the attacker creating files on the system given they are not logged in?

Thanks in advance.

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Unknown: file created in the system's temporary directory
Ok
--
Sent from myMail for Android Thursday, 08 April 2021, 03:48PM -04:00 from Jeffrey Walton noloader@gmail.com :

>Hi Everyone,
>
>I'm seeing some funny business in our log files.
>
>[Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client
>71.179.5.32:29418] PHP Notice: Unknown: file created in the system's
>temporary directory in Unknown on line 0, referer:
>https://www.cryptopp.com/w/index.php?title=Linux&action=edit
>
>We override the upload directory for Apache, so nothing should be
>written to the system's temporary directory:
>
># grep -IR 'temp_dir' /etc
>/etc/php/7.4/cli/php.ini:; Defaults to the system default (see sys_get_temp_dir)
>/etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp"
>/etc/php/7.4/apache2/php.ini:; Defaults to the system default (see
>sys_get_temp_dir)
>/etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp"
>
>And:
>
># ls -Al /var/lib/php
>drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules
>drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions
>drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp
>
>And:
>
># grep base /etc/php/7.4/apache2/conf.d/99-security.ini
>open_basedir="/var/www/html/:/var/lib/php/"
>
>We are not sure what is going on. I guess we missed a setting somewhere.
>
>How is the attacker creating files on the system given they are not logged in?
>
>Thanks in advance.
>
Re: Unknown: file created in the system's temporary directory
Second try without the image...

On Thu, Apr 8, 2021 at 3:47 PM Jeffrey Walton <noloader@gmail.com> wrote:
>
> Hi Everyone,
>
> I'm seeing some funny business in our log files.
>
> [Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client
> 71.179.5.32:29418] PHP Notice: Unknown: file created in the system's
> temporary directory in Unknown on line 0, referer:
> https://www.cryptopp.com/w/index.php?title=Linux&action=edit
>
> We override the upload directory for Apache, so nothing should be
> written to the system's temporary directory:
>
> # grep -IR 'temp_dir' /etc
> /etc/php/7.4/cli/php.ini:; Defaults to the system default (see sys_get_temp_dir)
> /etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp"
> /etc/php/7.4/apache2/php.ini:; Defaults to the system default (see
> sys_get_temp_dir)
> /etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp"
>
> And:
>
> # ls -Al /var/lib/php
> drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules
> drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions
> drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp
>
> And:
>
> # grep base /etc/php/7.4/apache2/conf.d/99-security.ini
> open_basedir="/var/www/html/:/var/lib/php/"
>
> We are not sure what is going on. I guess we missed a setting somewhere.
>
> How is the attacker creating files on the system given they are not logged in?
>
> Thanks in advance.

Re: Unknown: file created in the system's temporary directory
On Wed, 2021-04-14 at 05:00 -0400, Jeffrey Walton wrote:
> Second try without the image...

Is there any difference to your original email from March 8th?
Second try of what exactly?

Cheers,
andre
--
Andre Klapper (he/him) | Bugwrangler / Developer Advocate
https://blogs.gnome.org/aklapper/


Re: Unknown: file created in the system's temporary directory
I am not sure this necessarily refers to the upload temp directory.
Anyway, did you look at https://bugs.php.net/bug.php?id=74189 ?
(The port used in that log entry appears to be the one that Gitblit
defaults to, incidentally.)

On Thu, Apr 8, 2021 at 3:48 PM Jeffrey Walton <noloader@gmail.com> wrote:

> Hi Everyone,
>
> I'm seeing some funny business in our log files.
>
> [Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client
> 71.179.5.32:29418] PHP Notice: Unknown: file created in the system's
> temporary directory in Unknown on line 0, referer:
> https://www.cryptopp.com/w/index.php?title=Linux&action=edit
>
> We override the upload directory for Apache, so nothing should be
> written to the system's temporary directory:
>
> # grep -IR 'temp_dir' /etc
> /etc/php/7.4/cli/php.ini:; Defaults to the system default (see
> sys_get_temp_dir)
> /etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp"
> /etc/php/7.4/apache2/php.ini:; Defaults to the system default (see
> sys_get_temp_dir)
> /etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp"
>
> And:
>
> # ls -Al /var/lib/php
> drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules
> drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions
> drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp
>
> And:
>
> # grep base /etc/php/7.4/apache2/conf.d/99-security.ini
> open_basedir="/var/www/html/:/var/lib/php/"
>
> We are not sure what is going on. I guess we missed a setting somewhere.
>
> How is the attacker creating files on the system given they are not logged
> in?
>
> Thanks in advance.
>
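
An added example, not part of any message in this thread: the `grep` pattern `temp_dir` in the original post matches `sys_temp_dir` but cannot match PHP's separate `upload_tmp_dir` directive, so a check of the temp-file configuration should read both and compare each against `open_basedir`. The ini content is a constructed sample built from the values quoted in the post; the commented `upload_tmp_dir` line is an assumption, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: audit the PHP directives that decide where temp files go.

# Print the effective (last uncommented) value of directive $2 in ini file $1.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Succeed if directory $1 lies under one of the colon-separated prefixes in $2.
in_basedir() {
    dir="${1%/}/"
    old_ifs=$IFS; IFS=:
    for prefix in $2; do
        case "$dir" in "${prefix%/}/"*) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

# Report one line per directive: name, value, and whether open_basedir allows it.
audit_tmp_dirs() {
    basedir=$(ini_get "$1" open_basedir)
    for key in upload_tmp_dir sys_temp_dir; do
        val=$(ini_get "$1" "$key")
        if [ -z "$val" ]; then
            echo "$key: unset"
        elif [ -n "$basedir" ] && ! in_basedir "$val" "$basedir"; then
            echo "$key: $val outside-open_basedir"
        else
            echo "$key: $val ok"
        fi
    done
}

# Constructed sample: php.ini and 99-security.ini lines from the post, merged.
# The commented upload_tmp_dir line is assumed; the post's grep would not show it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
; Defaults to the system default (see sys_get_temp_dir)
sys_temp_dir = "/var/lib/php/tmp"
;upload_tmp_dir =
open_basedir="/var/www/html/:/var/lib/php/"
EOF
audit_tmp_dirs "$SAMPLE"
```

On a live host, `php -i` or a `phpinfo()` page for the Apache SAPI shows the values PHP actually loaded, which is the authoritative source when several ini files are in play.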
Re: Unknown: file created in the system's temporary directory
On Wed, Apr 14, 2021 at 6:24 PM Andre Klapper <aklapper@wikimedia.org> wrote:
>
> On Wed, 2021-04-14 at 05:00 -0400, Jeffrey Walton wrote:
> > Second try without the image...
>
> Is there any difference to your original email from March 8th?
> Second try of what exactly?

Yes.

The original email was blocked because it included an image. The
second try removed the image.

Jeff
