Date:      Thu, 11 Aug 2005 11:32:44 -0400
From:      Ken Hawkins <ken@rosewoodblues.com>
To:        freebsd-security@freebsd.org
Subject:   Re: newbie with www user security problem
Message-ID:  <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>
In-Reply-To: <20050811150434.GD26471@pcwin002.win.tue.nl>
References:  <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com> <20050811134650.GC26471@pcwin002.win.tue.nl> <1123772050.42fb669291ae3@webmail.boxke.be> <20050811150434.GD26471@pcwin002.win.tue.nl>

The box is secure, that much I have found out. The only problems have  
been with this email spamming. Nothing in the tmp dirs out of the  
ordinary and no missing files, running scripts, etc. I have changed  
everyone's passwords on the box, *'d the www password, ensured there is  
no shell for the www user, etc.

I am in the process of upgrading the ports now and there are problems  
(of course). The ports seem to have been mangled, as the listing in  
/var/db/ports does not match what I KNOW is running on the box. The  
person I have inherited this from manually deleted from /var/db/ports  
to get some of the applications to re-install! Gotta love that!

Well, here I come, port fix hell! This is a production box and can't be  
taken offline as of this moment, so I am going to have to attempt  
on-the-fly fixing / upgrading of the ports. I would love to wipe it but  
it is just not a possibility right now.

Thanks for all your help and insight, even those of you who tried to  
tell me I was lost... :)

ken;
Ken Hawkins
Product Manager/Software Development
Broadjam Inc.
313 W. Beltline Hwy, Suite 147
Madison, WI 53713
P: 404-323-7493
F: 608-273-3635
W: www.broadjam.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Broadjam Web Hosting for Musicians
Now featuring links, guestbook, news
page and more customization.
Only at www.broadjam.com/hosting.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Aug 11, 2005, at 11:04 AM, Stijn Hoop wrote:

> On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be  
> wrote:
>
>> If the box in question was locally secure, you don't have to worry  
>> that much.
>>
>
> Correct of course, but seeing as the OP admitted to not knowing a  
> lot about
> the administration of this machine, I don't think local security  
> was very
> high.
>
>
>> If it's a long time since you've updated your base, are sloppy  
>> with passwords
>> on the box in question, haven't updated your daemons/setuid  
>> packages in weeks,
>> then the box should be considered a total loss.
>>
>> Just think in terms of "what are the possible things I could do if  
>> my UID were
>> 'www'"
>>
>
> There might be some less obvious things, especially if the base OS is
> as far behind as the phpBB installation.
>
>
>> I for example have webservers running in chroot, on a partition  
>> that is
>> nosuid, and starred out password for the user 'www'. The thing you
>> are describing happens sometimes because users do not update their  
>> phpBBs
>> either. I'm not afraid since the kiddo would have the same access  
>> as a
>> customer, which I cannot trust either. If you don't know the box  
>> IS secure,
>> it isn't, there is a lot of work involved in keeping things like this
>> "under control".
>>
>
> Totally true, and good advice for setting up access for customers /  
> etc.
>
> --Stijn
>
> -- 
> Coughlin's law: never show surprise, never lose your cool.
>         -- Cocktail
>

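The quoted reply describes two of the controls the original poster says he applied: a starred-out password plus a non-login shell for the www user, and web content on a nosuid filesystem. The script below is an added example, not code from this thread or from FreeBSD, that checks both. The function names, the constructed master.passwd and mount(8) lines, and the live-mode invocation `pw usershow www` / `mount` (which assumes a FreeBSD box and root privileges so the password hash is visible) are all this example's own assumptions. Note that on FreeBSD /etc/passwd shows `*` for every account, so the entry must come from master.passwd (or `pw usershow`) for the password check to mean anything.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web-server account the way
# the replies above describe (locked password, no login shell) and verify
# that the content directory sits on a nosuid filesystem.  Inputs are
# passed in as strings so the checks can run offline on a constructed
# sample; in live mode they come from pw(8) and mount(8) (assumed usage).

# account_locked LINE
# LINE is a passwd(5) or master.passwd(5) entry.  Returns 0 when the
# password field is locked ('*', '*LOCKED*...' or '!...') AND the shell
# (always the last field) is a non-login shell.
account_locked() {
    line=$1
    pwfield=$(printf '%s\n' "$line" | cut -d: -f2)
    shell=${line##*:}
    case $pwfield in
        '*'|'*LOCKED*'*|'!'*) ;;          # recognised locked forms
        *) return 1 ;;                    # a real hash: the account can log in
    esac
    case $shell in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# fs_nosuid MOUNTS PATH
# MOUNTS is mount(8) output ("dev on /mnt (fstype, opt, opt)").  Picks the
# filesystem holding PATH (longest mount point that is a prefix of PATH)
# and returns 0 only if it was mounted nosuid; 2 if no mount matched.
fs_nosuid() {
    mounts=$1
    path=$2
    best=''
    bestopts=''
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        mp=${l#* on }; mp=${mp%% (*}
        opts=${l##*(}; opts=${opts%)}
        case $mp in
            /) hit=1 ;;                   # root always matches
            *) case $path in "$mp"|"$mp"/*) hit=1 ;; *) hit=0 ;; esac ;;
        esac
        if [ "$hit" = 1 ] && [ ${#mp} -ge ${#best} ]; then
            best=$mp
            bestopts=$(printf '%s' "$opts" | tr -d ' ')
        fi
    done <<EOF
$mounts
EOF
    [ -n "$best" ] || return 2
    case ",$bestopts," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit ENTRY MOUNTS WEBROOT: one line per check, returns 0 only if both pass.
audit() {
    rc=0
    if account_locked "$1"; then echo "www account: locked, no login shell"
    else echo "www account: CAN LOG IN (real hash or login shell)"; rc=1; fi
    if fs_nosuid "$2" "$3"; then echo "$3: on a nosuid filesystem"
    else echo "$3: setuid binaries would run from here"; rc=1; fi
    return $rc
}

# Constructed sample data (not from any real box): the stock FreeBSD www
# entry, a tampered one with a hash and a shell, and a mount table where
# only /usr/local is nosuid.
SAMPLE_WWW_OK='www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin'
SAMPLE_WWW_BAD='www:$1$abc$XXXXXXXXXXXXXXXXXXXXXX:80:80::0:0:World Wide Web Owner:/usr/local/www:/bin/sh'
SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/ad0s1e on /usr (ufs, local, soft-updates)
/dev/ad0s1f on /usr/local (ufs, local, nosuid, soft-updates)'

if [ $# -eq 0 ]; then
    audit "$SAMPLE_WWW_OK"  "$SAMPLE_MOUNTS" /usr/local/www/data || :
    audit "$SAMPLE_WWW_BAD" "$SAMPLE_MOUNTS" /usr/data || :
else
    # Live mode (assumed FreeBSD invocation, run as root):
    #   sh wwwcheck.sh www /usr/local/www/data
    audit "$(pw usershow "$1")" "$(mount)" "$2"
fi
```

With no arguments the script runs against the constructed sample: the stock entry passes both checks, while the tampered entry fails the account check and /usr/data fails the nosuid check because it resolves to the plain /usr filesystem rather than /usr/local. The mount-point matching is deliberately a path-prefix test, so /usr/localfoo is attributed to /usr, not /usr/local.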
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?32C41BA6-A923-4A01-B332-8B73E39561B1>