I'm seeing a few of these messages in the Apache error log (/var/log/httpd/error_log) at the rate of about one per half hour, often in small batches:
(process:23210): libgnomevfs-WARNING **: Unable to create ~/.gnome2 directory: Permission denied
It's not a problem but it's ugly and clouds the error log from useful errors.
Notes:
- I don't know the URL that triggers these warnings. If I did, I'd be most of the way to solving why they occur. I guess they are triggered by a crawler guessing at a particular URL which triggers the error.
- Our Apache uses the "nobody" user. The "nobody" user is an unprivileged user. This means that the user doesn't own anything, doesn't have a home folder and doesn't have execute permissions to anything.
Does anyone know what causes this error?
> php -v
PHP 5.3.10 (cli) (built: Feb 2 2012 17:34:38)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
with Suhosin v0.9.33, Copyright (c) 2007-2012, by SektionEins GmbH
> httpd -v
Server version: Apache/2.2.3
Server built: Oct 6 2011 12:11:58
> cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Somebody is trying to exploit a PHP weakness to execute system commands.
The results of these will end up in the apache error log, since that is where stderr points for the PHP processes.
If you see them occurring live(-ish), investigate the named PID and see what it is; though it's probably apache, if you're running the prefork MPM you can see precisely which process by configuring mod_status.
Also check in /tmp for any new, suspicious, or plain weird files.
Oh, and fix the insecure PHP script, obviously.
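Because stderr from PHP-spawned processes lands in the error log without a timestamp, one way to find the triggering URL is to bracket each batch of warnings with the neighbouring timestamped entries and rank the access-log requests that recur inside those windows. This is an added example, not code from any poster in this thread. It assumes the default Apache 2.2 error-log timestamp and common/combined access-log format; the function names, sample logs, client addresses and `thumb.php` are made up for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache 2.2 error_log entries are timestamped; stderr from helper processes is not.
ERR_TS = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]")
ACCESS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [^\]]*\] "(\S+ [^\s?"]+)')

def warning_windows(error_lines, marker="libgnomevfs-WARNING"):
    """Bracket each batch of marker lines with the nearest timestamped entries."""
    windows, last_ts, start, in_batch = [], None, None, False
    for line in error_lines:
        m = ERR_TS.match(line)
        if m:
            last_ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            if in_batch:
                windows.append((start, last_ts))
                in_batch = False
        elif marker in line and not in_batch:
            start, in_batch = last_ts, True
    if in_batch:
        windows.append((start, None))  # batch at end of file: no upper bound
    return windows

def rank_requests(error_lines, access_lines, slack=timedelta(seconds=2)):
    """Rank requests (method + path) by how many warning windows they fall into."""
    windows, seen = warning_windows(error_lines), set()
    for m in filter(None, map(ACCESS.search, access_lines)):
        t = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")  # server local time
        for i, (lo, hi) in enumerate(windows):
            if (lo is None or lo - slack <= t) and (hi is None or t <= hi + slack):
                seen.add((m.group(2), i))  # count each request once per window
    return Counter(req for req, _ in seen).most_common()

WARN = "(process:23210): libgnomevfs-WARNING **: Unable to create ~/.gnome2 directory: Permission denied"
ERROR_LOG = [  # constructed sample; client addresses are documentation ranges
    "[Wed Feb 08 10:14:00 2012] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations",
    WARN, WARN,
    "[Wed Feb 08 10:16:00 2012] [error] [client 192.0.2.11] File does not exist: /var/www/html/robots.txt",
    "[Wed Feb 08 10:44:10 2012] [error] [client 192.0.2.12] File does not exist: /var/www/html/favicon.ico",
    WARN,
]
ACCESS_LOG = [  # constructed sample; thumb.php is a hypothetical script name
    '192.0.2.10 - - [08/Feb/2012:10:13:50 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [08/Feb/2012:10:15:20 +0000] "GET /thumb.php?img=logo.svg HTTP/1.1" 200 5120',
    '192.0.2.11 - - [08/Feb/2012:10:16:00 +0000] "GET /robots.txt HTTP/1.1" 404 208',
    '192.0.2.12 - - [08/Feb/2012:10:44:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    '198.51.100.7 - - [08/Feb/2012:10:45:05 +0000] "GET /thumb.php?img=banner.svg HTTP/1.1" 200 7300',
]
print(rank_requests(ERROR_LOG, ACCESS_LOG))
```

A request that shows up in every window is the first script to read; on a busy server, narrow the windows by running it over several days of logs.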
An old question, but as I saw an entry on one of our boxes, I guess some people still have the problem too.
No exploit, no hacker. The PHP code might probably call a conversion function (e.g. /usr/bin convert from ImageMagick) with the librsvg library compiled in.
Recompile ImageMagick:
Maybe you have something running in cron as that user every 30 minutes or so?