...in addition to what's been said already, and before you go off hunting for file permissions it would be good to create an overview of things to do.
Quote:
Originally Posted by rogerdv
First of all I have to explain that this is not my server. I'm just trying to fix a setup I didn't install or configure,
It is good that you are taking responsibility for correcting mistakes. This not being your server doesn't require any apologies; in fact it can be an advantage because you can look at things more objectively. You should choose to make an effort in being as complete as possible, because more than chmodding is needed, and you should perform tasks in as short a timeframe as possible. In preparation make sure you
- have the right tools at your disposal and
- keep a clear eye on the goals.
You should choose to
- keep a checklist and log of tasks you perform,
- locate and make backups whenever necessary and
- have an overview of things to mitigate and problems to correct and a plan to work with.
Also please list what tasks you have performed already when you reply. This enables us to help you better.
* Since this is a commercial hosting platform you have to make clear to yourself that while you perform those tasks you cannot serve two masters, because as long as the current situation is allowed to exist the machine remains susceptible to abuse.
* Use 'screen' to enable yourself to run multiple tasks in different virtual terminal windows (and do enable logging with CTRL-A, H).
The first things to do would be to make sure the foundation you work on is trustworthy and mitigate:
0. verify the system state ('rpm -Vva 2>&1| tee /root/rpmva.log') and review the log,
1. do not log in as root but have a suitable unprivileged account to SSH into and use public key authentication,
2. make sure you can use sudo to perform the necessary system maintenance, then
3. (enumerate and) ensure that only authorized users have access to the system itself (passwd, group, shadow, last, lastb, lastlog, w, who or run GNU Tiger or Lsat),
4. mitigate the situation by disallowing any clients to access the host as unauthorized or unauthorized user (vipw),
5. mitigate the situation by denying access to publicly accessible services (/etc/hosts.{allow,deny}, firewall),
6. check the last two tasks actually result in denied access (ps, lsof, iptables, netstat, last, lastb, lastlog, w, who).
Proceed by taking stock of the situation and investigating:
- review the /etc/syslog.conf for logging options, then review syslog and any daemon-specific logs (visual inspection, logwatch, mailbox),
- enumerate (publicly accessible) services and who has access to those,
- review any user homes contents,
- from running 'rpm -Vva',
- install and run GNU Tiger, chkrootkit and rootkit hunter and review the logs (general system health, not rootkits),
- unpack the textfile from the joomla-file-diagnostics_1.0.15.zip and use those hashes to verify files,
- review the 8 hosts your technical support marked as having suspicious files.
When this is complete you should restore default system file permissions using 'rpm --set-perms' and chmod back any Docroot or UserDir dirs and files.
Please be as complete and verbose in your answers as possible and if anything is unclear please ask before acting.
And please do check back often so that this situation doesn't drag on for days.
* Anyone please correct me if I forgot to address anything in this assessment phase.
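Added example (not from the thread or its posters): a small triage script for the 'rpm -Vva' log suggested above. It separates mode/owner-only drift (the chmod spree, repairable with rpm's setperms/setugids) from content changes (size, digest, link target), which deserve a closer look before anything is restored. The rpm -V lines below are constructed sample input, not output from the poster's host.

```python
"""Triage of `rpm -Va` output after a file-permission incident."""
import re
from collections import defaultdict

# Letters of the position-dependent status string printed by rpm -V.
ATTRS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
         "U": "user", "G": "group", "T": "mtime", "P": "caps"}
PERM_ONLY = {"mode", "user", "group", "caps"}   # fixable by --setperms/--setugids
CONTENT = {"size", "digest", "link", "device"}  # file itself differs from package

# Constructed sample (hypothetical paths): a chmod -R spree, one tampered
# binary, an edited config file, an unreadable file and a missing file.
SAMPLE = """\
.M.......    /usr/bin/passwd
.M...UG..    /usr/sbin/sshd
S.5....T.    /usr/bin/ls
S.5....T.  c /etc/ssh/sshd_config
..?......    /usr/lib/foo.so
missing     /usr/sbin/lsof
.......T.    /usr/share/doc/README
"""

# 8-char (old rpm) or 9-char status string, or "missing"; optional type
# marker (c = config file etc.); then the absolute path.
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
                     r"(?:(?P<ftype>[cdglrD])\s+)?(?P<path>/\S.*)$")

def parse_line(line):
    """Return a dict describing one rpm -V line, or None for non-matching lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    flags = m.group("flags")
    changed = set() if flags == "missing" else {ATTRS[c] for c in flags if c in ATTRS}
    return {"path": m.group("path"), "config": m.group("ftype") == "c",
            "missing": flags == "missing", "unreadable": "?" in flags,
            "changed": changed}

def classify(entry):
    """Bucket an entry by what kind of follow-up it needs."""
    if entry["missing"]:
        return "missing"
    if entry["unreadable"]:
        return "unreadable"        # verify failed: check access/ownership first
    changed = entry["changed"]
    if not changed:
        return "ok"
    if entry["config"]:
        return "config-edited"     # expected on many hosts, still review the diff
    if changed & CONTENT:
        return "content-changed"   # investigate before restoring permissions
    if changed & PERM_ONLY:
        return "perms-only"
    return "mtime-only"            # only the timestamp differs

def triage(text):
    """Group paths from rpm -V output by classification, preserving order."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            buckets[classify(entry)].append(entry["path"])
    return dict(buckets)

if __name__ == "__main__":
    for bucket, paths in sorted(triage(SAMPLE).items()):
        print(f"{bucket:16} {paths}")
```

Run it against the real log with `triage(open("/root/rpmva.log").read())`; everything in content-changed and unreadable should be looked at before running the restore step.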