Date:      Tue, 8 Feb 2005 15:04:51 -0600
From:      Redmond Militante <r-militante@northwestern.edu>
To:        Bret Walker <bret-walker@northwestern.edu>
Subject:   Re: httpd in /tmp - Sound advice sought
Message-ID:  <20050208210451.GB12453@darkpossum>
In-Reply-To: <028401c50e1e$677e10d0$17336981@medill.northwestern.edu>
References:  <20050208202033.GA12119@darkpossum> <028401c50e1e$677e10d0$17336981@medill.northwestern.edu>

ok

[Tue, Feb 08, 2005 at 02:40:19PM -0600]
This one time, at band camp, Bret Walker said:

> Thanks.
> Could you send me your conf file for portsentry so I can see how you do
> it?
> Bret
>
> -----Original Message-----
> From: Redmond Militante [mailto:r-militante@northwestern.edu]
> Sent: Tuesday, February 08, 2005 2:21 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
>
>
> [Tue, Feb 08, 2005 at 01:43:36PM -0600]
> This one time, at band camp, Bret Walker said:
>
> > I do read it, but not every day (weekends, especially).
> >
>
> i use logcheck to mail me the messages log every 15 mins
>
> > Do you have a way for suspicious activity to be reported to you?
> >
>
> logcheck, and portsentry as well
>
> > Also, I'm tarring /usr and am going to run a diff on it compared to a
> > clean install.
> >
> > Bret
> >
> > -----Original Message-----
> > From: Redmond Militante [mailto:r-militante@northwestern.edu]
> > Sent: Tuesday, February 08, 2005 1:45 PM
> > To: Bret Walker
> > Subject: Re: httpd in /tmp - Sound advice sought
> >
> >
> > hi
> >
> > [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> > This one time, at band camp, Bret Walker said:
> >
> > > Redmond-
> > >
> > > Here is the response I got from the list.
> > >
> > > I also found another file - shellbind.c - it's essentially this -
> > > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > > (although phpBB has never been installed).
> > >
> > > I had register_globals on in PHP for a month+ because a reservation
> > > system I was using required them.  I now know better.  We also had php
> > > errors set to display for a while as bugs were being worked out.
> > >
> > > The owner of this file is www, so it was put in /tmp by the apache
> > > daemon. I messed the file up trying to tar it, so I can't get a good
> > > md5. Register globals and php file uploads are both off now.  I don't
> > > think the system was compromised because anything written to /tmp
> > > (which is the temp dir php defaults to) could not be executed.
> > >
> > > Do you think we're safe to continue as is?
> > >
> >
> > this person is telling you that slapper is nothing to worry about
> > because it's a linux only virus - but if you didn't put httpd in /tmp
> > then you should be worried about this situation.
> >
> > this is probably your call what you want to do.
> >
> > > Also, I would like to talk with you about what preventative measures
> > > you take with herald.  I know you run tripwire, but what else do you
> > > do on a regular basis?
> > >
> >
> > one thing i do is i read /var/log/messages every day.  do you do that?
> >
> >
> > > Bret
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-questions@freebsd.org
> > > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mark A.
> > > Garcia
> > > Sent: Tuesday, February 08, 2005 9:57 AM
> > > To: Bret Walker
> > > Cc: freebsd-questions@freebsd.org
> > > Subject: Re: httpd in /tmp - Sound advice sought
> > >
> > >
> > > Bret Walker wrote:
> > >
> > > >Last night, I ran chkrootkit and it gave me a warning about being
> > > >infected with Slapper.  Slapper exploits vulnerabilities in OpenSSL
> > > >up to version 0.96d or older on Linux systems.  I have only run
> > > >0.97d. The file that set chkrootkit off was httpd which was located
> > > >in /tmp. /tmp is always mounted rw, noexec.
> > > >
> > > >I update my packages (which are installed via ports) any time there
> > > >is a security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> > > >2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a
> > > >couple of weeks, but the only code that required it to be on was in a
> > > >.htaccess/SSL password protected directory.
> > > >
> > > >Tripwire didn't show anything that I noted as odd.  I reexamined the
> > > >tripwire logs, which are e-mailed to an account off of the machine
> > > >immediately after completion, and I don't see anything odd for the
> > > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > > >
> > > >I stupidly deleted the httpd file from /tmp, which was smaller than
> > > >the actual apache httpd.  And I don't back up /tmp.
> > > >
> > > >The only info I can find regarding this file being in /tmp pertains
> > > >to Slapper.  Could something have copied a file there?  Could I have
> > > >done it by mistake at some point - the server's been up ~60 days,
> > > >plenty of time for me to forget something?
> > > >
> > > >This is a production box that I very much want to keep up, so I'm
> > > >seeking some sound advice.
> > > >
> > > >Does this box need to be rebuilt?  How could a file get written to
> > > >/tmp, and is it an issue since it couldn't be executed?  I run
> > > >tripwire nightly, and haven't seen anything odd to the best of my
> > > >recollection. I also check ipfstat -t frequently to see if any odd
> > > >connections are happening.
> > > >
> > > >I appreciate any sound advice on this matter.
> > > >
> > > >Thanks,
> > > >Bret
> > > >
> > > >
> > > Slapper is a linux only virus.  You shouldn't have to worry about it
> > > doing harm on your freebsd machine.  Seeing as the binary was in your
> > > tmp directory on your system, and that you might have not placed it
> > > there, this could be a good reason for a host of other things to look
> > > into.  The httpd binary with 96d<= ssl is not a virus itself, just a
> > > means to carry out the exploit.  The slapper virus is a bunch of
> > > c-code that is put in your tmp directory and the exploit allows one to
> > > compile, chmod, and execute the code, leaving open a backdoor.
> > >
> > > chkrootkit does scan for the comparable scalper virus which is a
> > > freebsd cousin to the slapper (in that they attempt to exploit the
> > > machine via the apache conduit.)
> > >
> > > I would think real hard, if you did put the httpd binary in there.  If
> > > you are sure you didn't, and you are the only one with access to the
> > > system, then I would be very very worried.  Running tripwire and
> > > chkrootkit on a periodic basis should help.  Re-installing the os isn't
> > > your only solution, but it does give comfort knowing that after a
> > > reinstall, and locking down the box, no one has an in on your system.
> > > This could be overboard though.
> > >
> > > You also might want to consider enabling the clean_tmp scripts.  Next
> > > time tar up those suspicious files, a quick forensics on them can do
> > > wonders (md5sum, timestamps, ownership, permissions.)
> > >
> > > Cheers,
> > > -.mag
> > > _______________________________________________
> > > freebsd-questions@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > To unsubscribe, send any mail to
> > > "freebsd-questions-unsubscribe@freebsd.org"
> >
> >
> >
> > --
> > Redmond Militante
> > Software Engineer / Medill School of Journalism
> > FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386  1:30PM
> > up 1 day,  1:21, 2 users, load averages: 0.00, 0.04, 0.19
>
>
>
> --
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
>  2:15PM  up 1 day,  2:06, 2 users, load averages: 0.07, 0.07, 0.13



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
 3:00PM  up 1 day,  2:51, 4 users, load averages: 0.04, 0.05, 0.17
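
The advice quoted above (tar up the suspicious file and record md5sum, timestamps, ownership and permissions before anything else touches it) is exactly the step that went wrong in this thread: the file was damaged while being tarred and no good checksum survived. The script below is an added example and is not from the thread or from any of the tools named in it; it assumes Python 3 on the host, takes the stat information before the file is ever read (reading can update atime), copies the file with shutil.copy2 so mode and timestamps survive, writes a JSON sidecar and bundles both into a gzip tarball whose contents can later be re-verified against the recorded digests. The sample "httpd" file in demo() is constructed for the example and is not the binary discussed in the thread.

```python
import hashlib
import json
import os
import shutil
import stat
import tarfile
import tempfile
import time


def _iso(ts):
    """Render a Unix timestamp as UTC ISO-8601 for the sidecar."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def file_digests(path, algorithms=("md5", "sha256")):
    """Hash the file once, feeding every requested algorithm from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def describe_file(path):
    """Record size, mode, owner and the three timestamps *before* the file is
    read, since reading it may update atime; then add the digests."""
    st = os.lstat(path)
    meta = {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "atime": _iso(st.st_atime),
        "mtime": _iso(st.st_mtime),
        "ctime": _iso(st.st_ctime),
    }
    meta["digests"] = file_digests(path)
    return meta


def preserve_evidence(suspect_path, archive_path):
    """Copy the suspect file with mode and timestamps intact, write a JSON
    sidecar with its metadata, and bundle both into a gzip tarball.
    Returns the metadata, extended with digests of the finished archive."""
    meta = describe_file(suspect_path)
    workdir = tempfile.mkdtemp(prefix="evidence-")
    try:
        copy_path = os.path.join(workdir, os.path.basename(suspect_path))
        shutil.copy2(suspect_path, copy_path)  # copy2 keeps mode and timestamps
        sidecar = os.path.join(workdir, "metadata.json")
        with open(sidecar, "w") as fh:
            json.dump(meta, fh, indent=2)
        with tarfile.open(archive_path, "w:gz") as tar:
            tar.add(copy_path, arcname=os.path.basename(suspect_path))
            tar.add(sidecar, arcname="metadata.json")
    finally:
        shutil.rmtree(workdir)
    meta["archive_digests"] = file_digests(archive_path)
    return meta


def verify_archive(archive_path):
    """Re-hash the copy inside the tarball against the digests in its sidecar."""
    with tarfile.open(archive_path, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        meta = json.load(tar.extractfile(members["metadata.json"]))
        data = tar.extractfile(members[os.path.basename(meta["path"])]).read()
    return hashlib.sha256(data).hexdigest() == meta["digests"]["sha256"]


def demo():
    """Constructed sample: a fake 'httpd' (content b'abc') in a temp dir,
    standing in for a file found in /tmp. Returns the recorded metadata."""
    workdir = tempfile.mkdtemp(prefix="demo-")
    try:
        suspect = os.path.join(workdir, "httpd")
        with open(suspect, "wb") as fh:
            fh.write(b"abc")
        os.chmod(suspect, 0o644)
        archive = os.path.join(workdir, "httpd-evidence.tar.gz")
        meta = preserve_evidence(suspect, archive)
        meta["archive_verified"] = verify_archive(archive)
    finally:
        shutil.rmtree(workdir)
    return meta


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real box you would run preserve_evidence() against the file in place and write the archive somewhere other than /tmp (an off-host copy, as the tripwire reports in this thread already are), then keep the printed digests with the ticket so the copy can be verified later.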

Attachment: portsentry.conf

# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.23 2001/06/26 15:20:56 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1024.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1024 ports.
#
#
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"


######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/etc/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/etc/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/etc/portsentry.blocked"

##############################
# Misc. Configuration Options#
##############################
#
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off.
RESOLVE_HOST = "1"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing so though as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the PREFERRED method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
#
# For those running ipfilt (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"


###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
#
#
# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
# YOU!
#
# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
# of thin air. The only time it is reasonably safe (and I *never* think it is
# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
# This mode requires a full connect and is very hard to spoof.
#
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#
#KILL_RUN_CMD_FIRST = "0"
#
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"


#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# break things. (i.e. someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

# EOF
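
The attached file states its own rules in its comments: no spaces between port arguments, every entry in quotes, only one KILL_ROUTE uncommented at a time, the 333.444.555.666 gateway and external_interface placeholders replaced before use, ADVANCED_PORTS kept at or below 1024, and port 6000 left alone on an X host. The linter below is an added example, not part of PortSentry or of this thread; it is a plain KEY="value" reader written for the example (not PortSentry's own parser) and is run here over two constructed configs, one mirroring the active settings in the attachment plus the FreeBSD ipfw KILL_ROUTE line, and one with the mistakes the comments warn about.

```python
import re

PORT_LIST_KEYS = ("TCP_PORTS", "UDP_PORTS", "ADVANCED_EXCLUDE_TCP", "ADVANCED_EXCLUDE_UDP")
# Placeholders the file's own comments say must be replaced before use.
PLACEHOLDERS = ("333.444.555.666", "external_interface")


def parse_portsentry_conf(text):
    """Read a portsentry.conf into {key: [(lineno, value), ...]} plus parse findings.
    Comments and blank lines are skipped; repeated keys are kept so the linter can
    spot a KILL_ROUTE that was uncommented twice."""
    settings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            findings.append(("error", lineno, "not a KEY=\"value\" line: %r" % line))
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            findings.append(("error", lineno, "%s: all entries must be in quotes" % key))
            continue
        settings.setdefault(key, []).append((lineno, value[1:-1]))
    return settings, findings


def lint_portsentry_conf(text):
    """Return [(severity, lineno, message)] sorted by line; empty when clean."""
    settings, findings = parse_portsentry_conf(text)

    def get(key):
        return settings.get(key, [])

    for key in PORT_LIST_KEYS:
        for lineno, val in get(key):
            if re.search(r"\s", val):
                findings.append(("error", lineno, "%s: no spaces between port arguments" % key))
            else:
                for port in val.split(","):
                    if not port.isdigit() or not 1 <= int(port) <= 65535:
                        findings.append(("error", lineno, "%s: bad port %r" % (key, port)))
            if key == "TCP_PORTS" and "6000" in val.split(","):
                findings.append(("warning", lineno, "TCP_PORTS binds 6000; X clients will not start on an X host"))

    for key in ("ADVANCED_PORTS_TCP", "ADVANCED_PORTS_UDP"):
        for lineno, val in get(key):
            if not val.isdigit():
                findings.append(("error", lineno, "%s: must be a number" % key))
            elif int(val) > 1024:
                findings.append(("warning", lineno, "%s above 1024 raises the false alarm rate" % key))

    routes = get("KILL_ROUTE")
    if len(routes) > 1:
        findings.append(("error", routes[1][0], "only one KILL_ROUTE option can be used at a time"))
    for lineno, val in routes:
        for placeholder in PLACEHOLDERS:
            if placeholder in val:
                findings.append(("error", lineno, "KILL_ROUTE still contains placeholder %s" % placeholder))

    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        for lineno, val in get(key):
            if val not in ("0", "1", "2"):
                findings.append(("error", lineno, "%s: must be 0, 1 or 2" % key))
    for lineno, val in get("SCAN_TRIGGER"):
        if not val.isdigit():
            findings.append(("error", lineno, "SCAN_TRIGGER: must be a number"))
    return sorted(findings, key=lambda f: f[1])


# Constructed for the example: the active settings from the attachment, with
# the FreeBSD ipfw KILL_ROUTE line uncommented.
GOOD_CONF = """\
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
RESOLVE_HOST = "1"
BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"
"""

# Constructed for the example: every mistake the file's comments warn about.
BAD_CONF = """\
TCP_PORTS="1,11, 15,6000"
ADVANCED_PORTS_TCP="65535"
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
BLOCK_TCP=1
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        for severity, lineno, message in lint_portsentry_conf(conf):
            print("%s:%d: %s: %s" % (name, lineno, severity, message))
```

Run it against the real file with lint_portsentry_conf(open("/usr/local/etc/portsentry.conf").read()) before restarting the daemon; a surviving placeholder gateway or a second uncommented KILL_ROUTE is the kind of mistake that only shows up on the first real scan.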
