Quote:
Originally Posted by SoX|OK
so if I understand everything correct, then my problem was the outdated phpmyadmin.
If the logs are regarded as complete then, yes, it's phpMyAdmin. Note that "your problem" is not only running outdated software:
- if you had installed Logwatch (or equivalent) and read the reports it sends, you would have received Apache warnings to respond to,
- if the /phpmyadmin dir had been protected (config or .htaccess file), allowing access only from your management IP range, no user would have been able to access it,
- if you had had mod_security rules in place, they could have provided additional logging/access restrictions.
So the application might have been vulnerable but restricting access could have prevented a lot.
Quote:
Originally Posted by SoX|OK
Any idea if this is my only failure? Or should we look into something else as well?
Some logs go back to 2008 but most logs don't. I did not find log entries pointing to attack vectors in other services, nor did I find out how SHV5 got installed.
Quote:
Originally Posted by SoX|OK
Normally I check for updates regularly, I have no clue why phpmyadmin wasn't updated
That looks like a good statement to make. But your dpkg and term logs (apt-get) show gaps, at times more than three months between update runs. There's a difference between running Munin's 'apt-get update' plugin to be notified of updates and actually updating things. Focussing on phpMyAdmin we see version 2.9.1.1-7 got updated on 2008/Oct/17 to 2.9.1.1-8, on 2009/Feb/24 to 2.11.8.1-5 and on 2009/Sep/07 to 2.11.8.1-5+lenny1. Version 2.11.8.1-5+lenny1 was patched on 2009/Mar/24 and released on 2009/Jun/25. If you only used apt-get to update software then I could conclude your server management skills are somewhat lacking.
One of the problems with GNU/Linux is that one of its unique selling points (namely it being available free of cost) creates in some people the misconception that once they run a GNU/Linux server they are already a "server administrator", that getting to know the platform intimately (especially for users accustomed to Operating Systems that are different in architecture and concepts) is unnecessary, and that no investment is needed in terms of knowledge. This misconception is enhanced by resellers (and sought for by users) who provide easy access to some system functionality through a web-based "panel", leading to the idea that point-and-click is OK and all one needs, and that if there is no option or no "OK" button for something then that something simply does not exist. Unfortunately that is not the case. One other problem is that some categories of software install too easily to be true. It might run OK and seem to do your bidding, and unless you remain vigilant you will not soon see evidence of the contrary. It is not without reason I renamed PHP to read "Pretty Horrific Programming". Because of its strengths GNU/Linux is coveted by many, and because GNU/Linux is "the networked operating system", with running it comes the responsibility to keep it from harming other network users. Security is not a "fire and forget" one-off but a continuous cycle of monitoring and auditing the system and making adjustments.
I'm not saying that you have done nothing to harden your server, but by not configuring Apache access controls for phpMyAdmin, by not running Logwatch (or not reading logs) and by not updating when updates became available you have missed some aspects. These days rootkit compromises have become rather rare. It is unfortunate that you have been hit by one, but I hope that you will learn from it. Right now, unless you have more questions, it is time to save your (humanly readable) configuration files (not for reuse but for reference) and back up the daemon and system logs (just in case it's needed). Before you have the server wiped and reinstalled from scratch I suggest you create a new thread in this forum, list the software packages that are to be installed that provide access over the network, post (attach) the configs that go with them, propose what you will do in terms of system hardening and ask for securing / hardening tips.
HTH
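The access restriction on the /phpmyadmin directory mentioned in the post above, written out as an added example (this is not configuration from the thread). It assumes the Debian phpmyadmin package layout of that era, where /etc/phpmyadmin/apache.conf aliases /phpmyadmin to /usr/share/phpmyadmin and is included by Apache 2.2; 192.0.2.0/24 is a placeholder for your management range and must be replaced.

```apache
# Added example: restrict /phpmyadmin to a management range (Apache 2.2 syntax).
# Put this in the Apache config (e.g. the included /etc/phpmyadmin/apache.conf)
# or, if AllowOverride Limit is set for the directory, in a .htaccess file there.
# 192.0.2.0/24 is an assumed placeholder range, not a real management network.
<Directory /usr/share/phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from 127.0.0.1
</Directory>
```

After `apache2ctl configtest` and a reload, check from an address outside the range that `curl -I http://server/phpmyadmin/` returns 403 and that the refusal shows up in the Apache error log; an exposed login page that answers 200 to the world is exactly what the post says should never have been reachable. On Apache 2.4 the three `Order`/`Deny`/`Allow` lines are replaced by `Require ip 192.0.2.0/24 127.0.0.1`.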
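The post derives its conclusion about patching discipline from gaps between upgrade runs in dpkg's log and from how long a fixed phpMyAdmin version sat unapplied after release. The script below is an added example, not from the thread, that automates those two checks over /var/log/dpkg.log records. The log lines embedded in it are constructed to mirror the phpMyAdmin dates the post quotes; on a real host feed it the contents of dpkg.log and the rotated dpkg.log.N files.

```python
"""Find gaps between package upgrade runs in a dpkg.log and measure how
long a specific fixed version waited before it was installed.

Added example, not from the original thread. The sample log is constructed
to mirror the phpMyAdmin history described in the post.
"""
from datetime import datetime

# Constructed sample. dpkg.log "upgrade" records have the shape
#   YYYY-MM-DD HH:MM:SS upgrade <package> <old-version> <new-version>
# and are interleaved with "status" and "startup" records we ignore.
SAMPLE_DPKG_LOG = """\
2008-10-17 03:12:01 startup archives unpack
2008-10-17 03:12:04 upgrade phpmyadmin 2.9.1.1-7 2.9.1.1-8
2008-10-17 03:12:05 status half-configured phpmyadmin 2.9.1.1-8
2009-02-24 22:40:11 upgrade libc6 2.7-18 2.7-18lenny1
2009-02-24 22:40:19 upgrade phpmyadmin 2.9.1.1-8 2.11.8.1-5
2009-09-07 09:05:42 upgrade phpmyadmin 2.11.8.1-5 2.11.8.1-5+lenny1
"""


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def parse_upgrades(log_text):
    """Return (date, package, old_version, new_version) for every 'upgrade' record."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[2] == "upgrade":
            events.append((_day(parts[0]), parts[3], parts[4], parts[5]))
    return events


def upgrade_days(events):
    """Distinct days on which at least one package was upgraded, ascending."""
    return sorted({day for day, _pkg, _old, _new in events})


def find_gaps(days, max_gap=30):
    """(start, end, days) for consecutive upgrade days further apart than max_gap."""
    gaps = []
    for prev, cur in zip(days, days[1:]):
        delta = (cur - prev).days
        if delta > max_gap:
            gaps.append((prev, cur, delta))
    return gaps


def package_history(events, package):
    """Version transitions recorded for one package, in log order."""
    return [(day, old, new) for day, pkg, old, new in events if pkg == package]


def days_to_install(events, package, version, released):
    """Days between a fixed version's release date (YYYY-MM-DD) and the day it
    was installed here; None if the log never shows it being installed."""
    release_day = _day(released)
    for day, pkg, _old, new in events:
        if pkg == package and new == version:
            return (day - release_day).days
    return None


if __name__ == "__main__":
    ev = parse_upgrades(SAMPLE_DPKG_LOG)
    for start, end, n in find_gaps(upgrade_days(ev), max_gap=30):
        print(f"{n} days without any upgrade run: {start} -> {end}")
    for day, old, new in package_history(ev, "phpmyadmin"):
        print(f"{day} phpmyadmin {old} -> {new}")
    # The post gives 2009/Jun/25 as the release date of 2.11.8.1-5+lenny1.
    lag = days_to_install(ev, "phpmyadmin", "2.11.8.1-5+lenny1", "2009-06-25")
    print(f"fixed phpmyadmin build installed {lag} days after release")
```

Run against the real log the gap report is the objective version of "at times more than three months between update runs", and the release-to-install lag is the number to compare against the DSA/changelog date for any package exposed to the network; a lag of weeks or months on a web-facing package is the window in which an outdated install like this one gets found.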