Date: Tue, 8 Feb 2005 14:20:33 -0600 From: Redmond Militante <r-militante@northwestern.edu> To: Bret Walker <bret-walker@northwestern.edu> Subject: Re: httpd in /tmp - Sound advice sought Message-ID: <20050208202033.GA12119@darkpossum> In-Reply-To: <024801c50e16$7b15e8f0$17336981@medill.northwestern.edu> References: <20050208194503.GA9298@darkpossum> <024801c50e16$7b15e8f0$17336981@medill.northwestern.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--UugvWAfsgieZRqgk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable [Tue, Feb 08, 2005 at 01:43:36PM -0600] This one time, at band camp, Bret Walker said: > I do read it, but not every day (weekends, especially). > i use logcheck to mail me the messages log every 15 mins =20 > Do you have a way for suspicious activity to be reported to you? > logcheck, and portsentry as well =20 > Also, I'm tarring /usr and am going to run a diff on it compared to a > clean install. > > Bret >=20 > -----Original Message----- > From: Redmond Militante [mailto:r-militante@northwestern.edu]=20 > Sent: Tuesday, February 08, 2005 1:45 PM > To: Bret Walker > Subject: Re: httpd in /tmp - Sound advice sought >=20 >=20 > hi >=20 > [Tue, Feb 08, 2005 at 10:46:19AM -0600] > This one time, at band camp, Bret Walker said: >=20 > > Redmond- > >=20 > > Here is the response I got from the list. > >=20 > > I also found another file - shellbind.c - it's essentially this -=20 > > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html > > (although phpBB has never been installed). > >=20 > > I had register_globals on in PHP for a month+ because a reservation=20 > > system I was using required them. I now know better. We also had php= =20 > > errors set to display for a while as bugs were being worked out. > >=20 > > The owner of this file is www, so it was put in /tmp by the apache=20 > > daemon. I messed the file up trying to tar it, so I can't get a good=20 > > md5. Register globals and php file uploads are both off now. I don't= =20 > > think the system was compromised because anything written to /tmp=20 > > (which is the temp dir php defaults to) could not be executed. > >=20 > > Do you think we're safe to continue as is? > > >=20 > this person is telling you that slapper is nothing to worry about because > it's a linux only virus - but if you didn't put httpd in /tmp then you > should be worried about this situation. >=20 > this is probably your call what you want to do. > =20 > > Also, I would like to talk with you about what preventative measures=20 > > you take with herald. I know you run tripwire, but what else do you=20 > > do on a regular basis? > > >=20 > one thing i do is i read /var/log/messages every day. do you do that? >=20 > =20 > > Bret > >=20 > >=20 > >=20 > > -----Original Message----- > > From: owner-freebsd-questions@freebsd.org > > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mark A.=20 > > Garcia > > Sent: Tuesday, February 08, 2005 9:57 AM > > To: Bret Walker > > Cc: freebsd-questions@freebsd.org > > Subject: Re: httpd in /tmp - Sound advice sought > >=20 > >=20 > > Bret Walker wrote: > >=20 > > >Last night, I ran chkrootkit and it gave me a warning about being=20 > > >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL=20 > > >up to version 0.96d or older on Linux systems. I have only run=20 > > >0.97d. The file that set chkrootkit off was httpd which was located=20 > > >in /tmp. /tmp is always mounted rw, noexec. > > > > > >I update my packages (which are installed via ports) any time there=20 > > >is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl=20 > > >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a=20 > > >couple of weeks, but the only code that required it to be on was in a= =20 > > >.htaccess/SSL password protected directory. > > > > > >Tripwire didn't show anything that I noted as odd. I reexamined the= =20 > > >tripwire logs, which are e-mailed to an account off of the machine=20 > > >immediately after completion, and I don't see anything odd for the=20 > > >3/4 days before or after the date on the file. (I don't scan /tmp) > > > > > >I stupidly deleted the httpd file from /tmp, which was smaller than=20 > > >the actual apache httpd. And I don't back up /tmp. > > > > > >The only info I can find regarding this file being in /tmp pertains=20 > > >to Slapper. Could something have copied a file there? Could I have= =20 > > >done it by mistake at some point - the server's been up ~60 days,=20 > > >plenty of time for me to forget something? > > > > > >This is production box that I very much want to keep up, so I'm=20 > > >seeking some sound advice. > > > > > >Does this box need to be rebuilt? How could a file get written to=20 > > >/tmp, and is it an issue since it couldn't be executed? I run=20 > > >tripwire nightly, and haven't seen anything odd to the best of my=20 > > >recollection. I also check ipfstat -t frequently to see if any odd=20 > > >connections are happening. > > > > > >I appreciate any sound advice on this matter. > > > > > >Thanks, > > >Bret > > > > > > > > Slapper is a linux only virus. You shouldn't have to worry about it=20 > > doing harm on your freebsd machine. Seeing as the binary was in your= =20 > > tmp directory on your system, and that you might have not placed it=20 > > there, this could be a good reason for a host of other things to look= =20 > > into. The httpd binary with 96d<=3D ssl is not a virus itself, just a= =20 > > means to carry out the exploit. The slapper virus is a bunch of=20 > > c-code that is put in your tmp directory and the exploit allows one to= =20 > > compile, chmod, and execute the code, leaving open a backdoor. > >=20 > > chrootkit does scan for the comparable scalper virus which is a=20 > > freebsd cousin to the slapper (in that they attempt to exploit the=20 > > machine via the apache conduit.) > >=20 > > I would think real hard, if you did put the httpd binary in there. If= =20 > > you are sure you didn't, and you are the only one with access to the=20 > > system, then I would be very very worried. Running tripwire and=20 > > chrootkit on a periodic basis should help. Re-installing the os isn't= =20 > > your only solution, but it does give comfort knowing that after a=20 > > reinstall, and locking down the box, no one has a in on your system.=20 > > This could be overboard though. > >=20 > > You also might want to consider enabling the clean_tmp scripts. Next= =20 > > time tar up those suspicious files, a quick forensics on them can do=20 > > wonders (md5sum, timestamps, ownership, permissions.) > >=20 > > Cheers, > > -.mag > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list=20 > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to=20 > > "freebsd-questions-unsubscribe@freebsd.org" >=20 >=20 >=20 > --=20 > Redmond Militante > Software Engineer / Medill School of Journalism > FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386 1:30PM > up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19 --=20 Redmond Militante Software Engineer / Medill School of Journalism FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386 2:15PM up 1 day, 2:06, 2 users, load averages: 0.07, 0.07, 0.13 --UugvWAfsgieZRqgk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFCCR8Q7g+NJl/fSB0RAlWtAKCiTe/yQMBkSjR8QqGc6Gk+CaORNACfQG8k yIvZ7ETvsHbGI3+4K8y7030= =IqO2 -----END PGP SIGNATURE----- --UugvWAfsgieZRqgk--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050208202033.GA12119>