Date: Fri, 29 Dec 2006 11:07:48 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: stable@freebsd.org
Subject: Re: system breach
Message-ID: <4594F704.60308@infracaninophile.co.uk>
In-Reply-To: <20061228231226.GA16587@lordcow.org>
References: <20061228231226.GA16587@lordcow.org>
gareth wrote:
> Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
> Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

These are from autoconf testing various capabilities of the system to do
with signal handling -- nothing to be worried about.

> hey guys, my server rebooted a few days ago, and while I was
> looking around for possible reasons (none came up, which is
> disconcerting in itself) I found this suspicious directory:
>
> $ ls -l /tmp/download
> total 44
> drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
> -rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
> -rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml
>
>
> the subdirs contain a bunch of .php files, and the xml files
> are info about version updates of PEAR's "XML-RPC for PHP".
> they're owned by root (only I have the passwd) so it wasn't
> made by a local user, and I assume it wasn't made by portupgrade
> or something like that?

Are you running a web server as root on this machine? This illustrates
why that is such a bad idea...

If you aren't running a web server, but only using PHP as a command line
tool, then have you been doing any work with such things as IDEs or
other large toolsets? They often have the capability to download and
install extra bits at a mouseclick.

Generally if you have a compromise in a PHP based webserver, you'll see
the compromised machine used as a spam-bot or similar. Check the
contents of your mail spool. Use tcpdump / wireshark to monitor the
traffic to and from the machine to look for suspicious activity.
If you've got the permissions right, then the attackers will not be able
to write to the hard drive through compromising the webserver, which
means that a stop and restart of Apache will thwart their nefarious
plans, at least until they can recompromise your server. Generally
that's about 5 -- 15 minutes, as all that sort of stuff is pretty
automated nowadays.

The best defense against all of this sort of stuff is to be fully
patched and up to date with all your installed software.

PHP is a nightmare security-wise -- the whole language tends to steer
developers into doing sloppy and insecure things by default. Well-known,
big projects like phpMyAdmin or Horde will generally code stuff pretty
tightly, but the rest often need a severe beating with the clue stick.
Even the well-managed projects will have their problems, and in fact one
of the measures of a well-managed project is how promptly they deal with
security problems and how open they are about revealing such things.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
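Two of the checks Matthew's reply points at, written out as an added example that is not part of the original thread: whether any Apache worker process is still running as root (the parent httpd legitimately runs as root to bind port 80; the workers should have dropped to the unprivileged user), and which files under the document root a compromised worker could actually write. It assumes Apache from the FreeBSD port with workers running as user `www` and a document root of `/usr/local/www/apache22/data`; both are assumptions, and the `ps` output used to exercise the parser is constructed sample data, not a capture from gareth's machine.

```sh
#!/bin/sh
# Added example (not from the original thread): two quick checks behind the
# advice in the message above, for a FreeBSD box running Apache from ports.
# Assumptions: the parent httpd runs as root only to bind port 80, workers
# drop to the unprivileged user "www", and the document root is
# /usr/local/www/apache22/data.  Adjust both for your installation.

# root_httpd_workers: read `ps -axo user,pid,ppid,comm` output on stdin and
# print the pid of every httpd whose parent is also an httpd but which is
# still running as root.  Workers that never dropped privilege are how a
# PHP hole turns straight into a root-owned /tmp/download.
# Exit status is 1 if any such worker was found, 0 otherwise.
root_httpd_workers() {
    awk '
        NR > 1 && $4 == "httpd" { user[$2] = $1; parent[$2] = $3 }
        END {
            bad = 0
            for (pid in user)
                if (user[pid] == "root" && (parent[pid] in user)) {
                    print pid
                    bad = 1
                }
            exit bad
        }'
}

# world_writable_under DIR: list regular files under DIR that anyone, and
# therefore the web server user, can write.  With the permissions right this
# prints nothing: a compromised worker then cannot persist to disk, and a
# stop/start of Apache clears it out, as the message says.  (Files owned by
# or group-writable for "www" need the same scrutiny; see the usage note.)
world_writable_under() {
    find "$1" -type f -perm -002 -print | sort
}

# Live use on the server (the data fed in by the test below is constructed):
#   ps -axo user,pid,ppid,comm | root_httpd_workers && echo "no root workers"
#   world_writable_under /usr/local/www/apache22/data
#   find /usr/local/www/apache22/data -user www -print     # owned by the worker uid
#   find /tmp -user root -mtime -7 -print                  # fresh root-owned files in /tmp
#   ls -l /var/mail                                        # spam-bot? check the spool
#   tcpdump -ni em0 'tcp and dst port 25'                  # em0 assumed; outbound SMTP
#                                                          # bursts are the usual tell
if [ "${1:-}" = "--run" ]; then
    ps -axo user,pid,ppid,comm | root_httpd_workers && echo "no root httpd workers"
    world_writable_under /usr/local/www/apache22/data
fi
```

Run it with `--run` on the box itself, or source the file and call the two functions from a larger audit script. The `-perm -002` test deliberately catches only world-writable files, because that is what can be checked without knowing the uid Apache uses; add `-user www` and `-group www -perm -020` variants for the worker's own account once you have confirmed it, since anything owned by the worker uid is writable by a compromised worker regardless of mode bits.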