LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-23-2007, 10:43 AM   #31
unSpawn
Moderator
 
Quote:
Originally Posted by DaveQB
So have we hit a bit of a dead end? Did you get my "PM"
My first reply followed your email within approx one hour IIRC and I posted my preliminary this morning. Basically it supports the suggestion PHP "include" is the culprit like you posted round about post #25.


Quote:
Originally Posted by DaveQB
I want to wipe the system either tomorrow or Sunday. Any further info I can get off it before I do?
No, not really IMHO. Well, OK, a tarball of the cruft found in your docroot wouldn't hurt :-]


Quote:
Originally Posted by DaveQB
Really want to avoid making the same mistake I obviously made this time so as to avoid the obvious.
That depends on what you want to invest, really. As far as I've seen this box is being utilised as both desktop and server. Based on risk, if you have the HW, that would be the first split I'd make: webserver in the DMZ, workstation in the LAN.


Quote:
Originally Posted by DaveQB
But let's work out the "plan" in a new thread, shall we?
I think it's appropriate in every aspect.
 
Old 02-23-2007, 04:01 PM   #32
DaveQB
Member
 
Original Poster
Quote:
Originally Posted by unSpawn
So have we hit a bit of a dead end? Did you get my "PM"
My first reply followed your email within aprox one hour IIRC and I posted my preliminary this morning. Basically it supports the suggestion PHP "include" is the culprit like you posted round about post #25.
Oh oops. I turned off postfix through the mayhem and forgot to turn it back on.
So they/them/worm et al used the PHP include to upload a file to my server? Didn't know that was possible; how can one avoid this?


Quote:
Originally Posted by unSpawn
I want to wipe the system either tomorrow or Sunday. Any further info I can get off it before I do?
No, not really IMHO. Well, OK, a tarball of the cruft found in your docroot wouldn't hurt :-]
For sure. I think I have already done it.

Quote:
Originally Posted by unSpawn
Really want to avoid making the same mistake I obviously made this time so as to avoid the obvious.
That depends on what you want to invest, really. As far as I've seen this box is being utilised as both dektop and server. Based on risk, if you have the HW, that would be the first split I'd make: webserver in the DMZ, workstation in the LAN.

But let's work out the "plan" in a new thread, shall we?
I think it's appropriate in every aspect.
No, it's a server only and it's been split in 2 with VMware running a Trixbox on top of it.
I think there may be files on it (in /home) that indicate a desktop environment from when I first set it up many years ago and used a GUI with Mandrake 9.1, I think. But no, it's not used as a desktop. It doesn't have X.

I think I will follow Marcus's thread on setting up a secure Debian server when I re-install today. I want to chroot Apache with my new install.
 
Old 02-23-2007, 08:13 PM   #33
DaveQB
Member
 
Original Poster
Quote:
Originally Posted by unSpawn
1. From your "botnet" strings post: '/usr/locall/apache/bin/httpd -DSSL'; (double L).

Woke up this morning with bloody port 80 used by process 17159, which was /sbin/syslogd. EEEK!
Did a pcat of the process (see, learning new things here) and then had a little look through it with vi.


Code:
/sbin/syslogd^@
             ,--.     |    o      ^@
        ,-.-.|  |,---.|--- ..  ,  ^@
        | | ||  ||    |    | ><   ^@
        ` ' '`--'`    `---'`'  `
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@
PsychoPhobia Backdoor v3 by m0rtix is starting...OK, pid = %ld
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Shell on: 9997      User: %s        UID: %ld
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Name: %s  (Masked in PS! )  v: = %s %s %s

Sort of explains why these processes are not showing where they are really starting, which must be /tmp.

I am going to give a LiveCD (Helix) a shot now before I wipe it out.

What do you recommend for the attached storage I have on the system that's not part of the OS? All IDE hard disks in RAID 1.
Just scan them with a few AVs like ClamAV and NOD32?
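The masking described in the post above works on what ps prints (argv[0]), not on what the kernel knows: /proc/PID/exe and /proc/PID/cwd still point at the real binary and its working directory, and /proc/net/tcp still records which socket inode is bound to port 80. The following script is an added example, not code from the thread or from any tool mentioned in it. It parses /proc/net/tcp for LISTEN sockets, maps them back to processes, and flags a process whose on-disk path disagrees with its ps name, that lives in /tmp, or that owns a web port without being one of the web server binaries in an assumed allowlist (WEB_BINARIES, chosen for illustration). The sample socket table and process records at the bottom are constructed to mirror the thread's situation so the logic can run offline.

```python
"""Added example, not code from the thread: flag a listening process whose
kernel-side identity (/proc/PID/exe, /proc/PID/cwd) disagrees with the name
ps shows (argv[0]).  The backdoor in the thread rewrote argv[0] to
/sbin/syslogd and bound port 80, but the kernel still knew where the binary
really lived.  The /proc parsing works on a real Linux box; the sample data
at the bottom is constructed so the logic can be exercised offline."""
import os
import re

TCP_LISTEN = "0A"                                   # 'st' column in /proc/net/tcp
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # where dropped tools usually run
# Assumed allowlist for this host: the only binaries expected to own the web ports.
WEB_BINARIES = ("/usr/sbin/apache2", "/usr/sbin/httpd", "/usr/local/apache/bin/httpd")
EXPECTED_ON_PORT = {80: WEB_BINARIES, 443: WEB_BINARIES}


def parse_proc_net_tcp(text):
    """Map socket inode -> (ip, port) for every socket in LISTEN state.
    Addresses are hex and little-endian on x86: 0100007F:0050 is 127.0.0.1:80."""
    listeners = {}
    for line in text.splitlines()[1:]:              # line 0 is the column header
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        hexip, hexport = f[1].split(":")
        ip = ".".join(str(int(hexip[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners[int(f[9])] = (ip, int(hexport, 16))   # f[9] is the socket inode
    return listeners


def assess(proc):
    """proc: {pid, argv0, exe, cwd, port}.  Returns the reasons the process
    looks masked; an empty list means nothing stood out."""
    reasons = []
    exe = proc["exe"]
    if exe.endswith(" (deleted)"):                  # binary unlinked after exec
        reasons.append("executable was deleted from disk")
        exe = exe[:-len(" (deleted)")]
    if os.path.basename(exe) != os.path.basename(proc["argv0"]):
        reasons.append("ps shows %r but the kernel runs %r" % (proc["argv0"], exe))
    if exe.startswith(SCRATCH_DIRS) or (proc["cwd"] + "/").startswith(SCRATCH_DIRS):
        reasons.append("lives or runs in a scratch directory")
    expected = EXPECTED_ON_PORT.get(proc["port"])
    if expected and exe not in expected:
        reasons.append("port %d is owned by %r, not a known web server" % (proc["port"], exe))
    return reasons


def report(procs):
    """Return {pid: reasons} for the processes that deserve a look."""
    flagged = {}
    for proc in procs:
        reasons = assess(proc)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


def collect_live():
    """Linux only, run as root: {pid, argv0, exe, cwd, port} for every process
    holding a LISTEN socket.  Unreadable or vanished processes are skipped."""
    with open("/proc/net/tcp") as fh:
        listeners = parse_proc_net_tcp(fh.read())
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = "/proc/" + pid
        try:
            fds = os.listdir(base + "/fd")
            with open(base + "/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode("utf-8", "replace")
            exe, cwd = os.readlink(base + "/exe"), os.readlink(base + "/cwd")
        except OSError:
            continue
        for fd in fds:
            try:
                m = re.match(r"socket:\[(\d+)\]", os.readlink("%s/fd/%s" % (base, fd)))
            except OSError:
                continue
            if m and int(m.group(1)) in listeners:
                procs.append({"pid": int(pid), "argv0": argv0, "exe": exe, "cwd": cwd,
                              "port": listeners[int(m.group(1))][1]})
    return procs


# Constructed sample: the thread's masked backdoor next to an ordinary mysqld.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0 100 0 0 10 0\n"
    "   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 4242 1 0 100 0 0 10 0\n"
    "   2: 0100007F:0CEA 0100007F:8F3C 01 00000000:00000000 00:00000000 00000000   104        0 4300 1 0 100 0 0 10 0\n"
)
SAMPLE_PROCS = [
    {"pid": 17159, "argv0": "/sbin/syslogd", "exe": "/tmp/.x/httpd", "cwd": "/tmp/.x", "port": 80},
    {"pid": 2210, "argv0": "/usr/sbin/mysqld", "exe": "/usr/sbin/mysqld", "cwd": "/var/lib/mysql", "port": 3306},
]

if __name__ == "__main__":
    procs = collect_live() if os.path.exists("/proc/net/tcp") else SAMPLE_PROCS
    for pid, reasons in report(procs).items():
        print(pid, "; ".join(reasons))
```

Two caveats when reading the output. Daemons that legitimately rewrite argv[0] (sshd's "sshd: user@pts", postgres workers) will show a name mismatch and need a glance, not a panic. More importantly, a user-space backdoor like this one cannot hide from /proc, but a kernel rootkit can, so a clean result on a box you already know is compromised is weak evidence; that is the reason for imaging the disks and looking at them from a LiveCD, as planned in the post above, rather than trusting the running kernel.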
 
Old 02-23-2007, 08:14 PM   #34
DaveQB
Member
 
Original Poster
Here is some more info about this exploit. I have only just started reading it.

http://www.geocities.com/hsia_joe/Tutorial.txt
 
Old 02-23-2007, 08:17 PM   #35
DaveQB
Member
 
Original Poster
And this is interesting.
http://www.howtoforge.com/apache_sec...ing_with_nikto
For testing the security of your apache install.

It's apt-gettable too.

I have 7 issues with the way my apache is right now.
I am going to chroot and then apply mod_security on my install, and then see how Nikto goes with a scan.
Mod_security tut: http://www.howtoforge.com/apache_mod_security_p2


PS: just trying to add info I have discovered for anyone reading this thread later on with the same issues.
 
Old 02-23-2007, 08:35 PM   #36
DaveQB
Member
 
Original Poster
Would I be right assuming the krad local kernel exploit to get root would have failed as it's a fully updated system? There wouldn't be any known exploits in the Debian stable kernel, right?
 
Old 02-23-2007, 08:37 PM   #37
DaveQB
Member
 
Original Poster
Quote:
Originally Posted by DaveQB
So how the heck did user 33 get created?

I also found this in the running binary

Code:
www-data^@x^@33:33:www-data^@/var/www^@/bin/false
 
Old 02-24-2007, 08:14 AM   #38
unSpawn
Moderator
 
Quote:
Originally Posted by DaveQB
Woke up this morning with bloody port 80 used by process 17159 was /sbin/syslogd
Well, that's one reason I put emphasis on mitigation before investigation.
A compromised box shouldn't be allowed to interact with any network.


Quote:
Originally Posted by DaveQB
So they/them/worm et al used the PHP include to upload a file to my server? Didn't know that was possible; how can one avoid this?
First thing would be to read up on security in general and then application security. See for instance the LQ FAQ: Security references, post #6 "Securing networked services", for details on the "AMP" part of LAMP.

Security is a multi-faceted approach and one layer is the basis for the next, so IMHO the first thing would be to make the installation w/o any network-facing and supporting daemons and services like Samba, Apache, MySQL and PHP. You can install those later on. Prepare, configure and harden the box itself in all details after installation (SW scrubbing, updating, backups, auditing facilities including logging and log reporting, user restrictions, network access restrictions). If you skip that layer the rest is a waste of time. For those that can run SELinux or GRSecurity I would recommend it. It may be an investment in time and effort and it does come with a learning curve, but it also truly enhances the security posture of the box (if configured, monitored and adjusted right). Install Snort if you can; also check out the Bleeding rulesets.

Wrt LAMP, find out if Hardened-PHP or Suhosin are a possibility, which basic php.ini settings you should apply wrt security based on for example the OWASP "Top Ten Security Vulnerabilities", and "extra" settings like "allow_url_fopen" if the application permits. (For every ini switch you don't apply the more rigid/strict/fascist settings for, ask yourself if this is because the application doesn't work or if it's something else. If the application doesn't work, ask yourself if you should continue using that application. Some PHP-based apps explicitly note they won't work with for instance "safe_mode=on". If there's no way out then maybe compartmentalise things (virtualisation).) Next would be configuring Apache and mod_security. Also see http://www.gotroot.com/mod_security+rules and the mod_security rule generator: http://leavesrustle.com/tools/modsecurity/. And yes, the Debian HOWTO by Marcus has most of the details on that.


Quote:
Originally Posted by DaveQB
Would I be right assuming the krad local kernel exploit to get root would have failed as it's a fully updated system
Depends on the kernel version but since it's old I'd say yes.


Quote:
Originally Posted by DaveQB
I also found this in the running binary
Finders keepers, eh? :-]
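On the "how was that possible" question from post #32 and the php.ini advice in the reply above: code of the shape include($_GET['page']) lets the request choose what PHP loads. With allow_url_fopen On (which governed include on PHP before 5.2) or allow_url_include On (5.2 and later), PHP fetches an attacker-supplied URL and executes it as PHP, and that script can then write whatever it likes into the docroot, which is how a "file upload" happens without any upload form. That is general PHP behaviour, not a finding about this particular box. The script below is an added example, not code from the thread or from any project mentioned in it: it parses a php.ini and audits it against a hardening baseline. The baseline (MUST_BE_OFF, MUST_DISABLE, the open_basedir check) is an assumption chosen for illustration; the two ini samples are constructed, one stock-looking and one hardened.

```python
"""Added example, not code from the thread: audit a php.ini against the
hardening points raised above (remote includes off, dangerous functions
disabled, filesystem fenced with open_basedir).  The baseline is an
assumption chosen for illustration; relax a directive only when the
application demonstrably needs it, and write down why."""
import sys

TRUE_WORDS = ("1", "on", "true", "yes")
# Compiled-in defaults PHP uses when the directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0", "register_globals": "0",
            "display_errors": "1", "expose_php": "1", "enable_dl": "1"}
MUST_BE_OFF = list(DEFAULTS)
# Shell-spawning functions a remote-include payload reaches for first.
MUST_DISABLE = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_php_ini(text):
    """Minimal php.ini reader: ';' starts a comment, [Section] headers are
    skipped (directives are global), quotes around values are dropped and a
    repeated key keeps its last value, as PHP does.  Values containing a
    literal ';' inside quotes are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip("\"'")
    return settings


def ini_bool(value):
    """PHP's loose boolean rule: 1/On/True/Yes are true, anything else false."""
    return value.strip().lower() in TRUE_WORDS


def audit(settings):
    """Return [(directive, finding)]; an empty list means the baseline is met."""
    findings = []
    for directive in MUST_BE_OFF:
        if ini_bool(settings.get(directive, DEFAULTS[directive])):
            findings.append((directive, "is On (or defaults to On); set it Off"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append(("disable_functions", "does not list " + ", ".join(missing)))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "unset; fence PHP into the docroot"))
    return findings


# Constructed samples: a stock-looking php.ini and a hardened one.
WEAK_INI = """
[PHP]
; remote files are fetchable and includable, nothing is disabled
allow_url_fopen = On
register_globals = Off
display_errors = On
expose_php = On
disable_functions =
"""

HARDENED_INI = """
[PHP]
allow_url_fopen = Off
allow_url_include = Off      ; PHP 5.2 and later
register_globals = Off
display_errors = Off
log_errors = On
expose_php = Off
enable_dl = Off
open_basedir = "/var/www:/tmp"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. php-audit.py /etc/php5/apache2/php.ini
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = WEAK_INI
    for directive, finding in audit(parse_php_ini(text)) or [("ok", "baseline met")]:
        print("%-20s %s" % (directive, finding))
```

Run it against the php.ini Apache actually loads (phpinfo() or php -i shows the path, and a CLI php.ini is often a different file). Note that the audit looks at absent directives too, because PHP's compiled-in defaults for allow_url_fopen, display_errors and expose_php are On: a php.ini that simply never mentions them is not hardened. Turning these off closes the remote-include door, but it does not fix the application; include() of request data remains a local file inclusion until the code only includes from a fixed allowlist of paths.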
 
Old 02-25-2007, 05:17 AM   #39
DaveQB
Member
 
Original Poster
Thanks heaps for all your time and efforts unSpawn. Much appreciated.

I have installed a new clean Debian install, following Marcus' howto. Takes so much longer having to read as you install, but it's worth it in the end.

I have also found other tuts etc. whilst installing in my searches. Turned several functions for PHP, even found Apache's mod_security, which sounds awesome!

Thanks again and we'll see how I go.
 
  

