From: Ken Hawkins
Date: Thu, 11 Aug 2005 11:32:44 -0400
To: freebsd-security@freebsd.org
Subject: Re: newbie with www user security problem
In-Reply-To: <20050811150434.GD26471@pcwin002.win.tue.nl>
Message-Id: <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>

The box is secure, that much I have found out. The only problems have been with this email spamming. Nothing in the tmp dirs out of the ordinary and no missing files, running scripts etc. I have changed everyone's passwords on the box, *'d the www password, ensured there is no shell for the www user, etc.

I am in the process of upgrading the ports now and there are problems (of course). The ports seem to have been mangled, as the listing in /var/db/ports does not match what I KNOW is running on the box. The person I have inherited this from manually deleted from /var/db/ports to get some of the applications to re-install! Gotta love that! Well, here I come, port fix hell!

This is a production box and can't be taken off line as of this moment, so I am going to have to attempt on-the-fly fixing / upgrading of the ports. I would love to wipe it but it is just not a possibility right now.

Thanks for all your help and insight, even those of you who tried to tell me I was lost... :)

ken;

Ken Hawkins
Product Manager/Software Development
Broadjam Inc.
313 W. Beltline Hwy, Suite 147
Madison, WI 53713
P: 404-323-7493
F: 608-273-3635
W: www.broadjam.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Broadjam Web Hosting for Musicians
Now featuring links, guestbook, news page and more customization.
Only at www.broadjam.com/hosting.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Aug 11, 2005, at 11:04 AM, Stijn Hoop wrote:

> On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be wrote:
>
>> If the box in question was local secure, you don't have to worry that much.
>
> Correct of course, but seeing as the OP admitted to not knowing a lot about
> the administration of this machine, I don't think local security was very
> high.
>
>> If it's a long time since you've updated your base, are sloppy with passwords
>> on the box in question, haven't updated your daemons/setuid packages in weeks,
>> then the box should be considered a total loss.
>>
>> Just think in terms as "what are the possible things I could do if my UID were
>> 'www'"
>
> There might be some less obvious things, especially if the base OS is
> as far behind as the phpBB installation.
>
>> I for example have webservers running in chroot, on a partition that is
>> nosuid, and starred out password for the user 'www'. The thing you are
>> describing happens sometimes because users do not update their phpBBs
>> either. I'm not afraid since the kiddo would have the same access as a
>> customer, which I cannot trust either. If you don't know the box IS secure,
>> it isn't; there is a lot of work involved in keeping things like this
>> "under control".
>
> Totally true, and good advice for setting up access for customers / etc.
>
> --Stijn
>
> --
> Coughlin's law: never show surprise, never lose your cool.
> -- Cocktail
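The checks the thread keeps coming back to (a starred-out password and no login shell for `www`, web content on a `nosuid` partition) can be audited from copies of `master.passwd` and `fstab`. The script below is an added example, not code from anyone in the thread; the file contents, the `/usr/local/www/data` document root and the hashed password placeholders are constructed.

```python
"""Audit a FreeBSD-style master.passwd and fstab for the 'www' hardening
discussed in the thread.  Sample inputs below are constructed."""

SAMPLE_MASTER_PASSWD = """\
root:$1$hash$placeholder:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ken:$1$hash$placeholder:1001:1001::0:0:Ken:/home/ken:/bin/sh
"""

SAMPLE_FSTAB = """\
/dev/ad0s1a  /               ufs  rw                1 1
/dev/ad0s1d  /usr            ufs  rw                2 2
/dev/ad0s1e  /usr/local/www  ufs  rw,nosuid,noexec  2 2
"""

# Shells that deny interactive login on FreeBSD-style systems.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/nonexistent"}

def audit_user(master_passwd: str, user: str) -> dict:
    """Flags for one account: password field starred out, shell disabled."""
    for line in master_passwd.splitlines():
        fields = line.split(":")          # name:pw:uid:gid:class:change:expire:gecos:home:shell
        if len(fields) >= 10 and fields[0] == user:
            return {"found": True,
                    "locked": fields[1].startswith("*"),
                    "no_shell": fields[9] in NOLOGIN_SHELLS}
    return {"found": False, "locked": False, "no_shell": False}

def mount_options(fstab: str, path: str) -> set:
    """Mount options of the fstab entry whose mount point is the longest prefix of path."""
    best = None
    for line in fstab.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        mnt = parts[1]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, set(parts[3].split(",")))
    return best[1] if best else set()

def audit(master_passwd: str, fstab: str, docroot: str = "/usr/local/www/data") -> dict:
    """Combine the account checks with the nosuid check for the document root."""
    result = audit_user(master_passwd, "www")
    result["nosuid"] = "nosuid" in mount_options(fstab, docroot)
    return result

if __name__ == "__main__":
    print(audit(SAMPLE_MASTER_PASSWD, SAMPLE_FSTAB))
```

Run it against the real `/etc/master.passwd` and `/etc/fstab` (read as root) and any `False` in the output is a setting the thread's advice says to fix.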