Date: Mon, 08 Mar 2004 14:56:08 -0600
From: Kirk Strauser <kirk@strauser.com>
To: freebsd-questions@freebsd.org
Subject: Re: hacked
Message-ID: <87y8qbkqhj.fsf@strauser.com>
In-Reply-To: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com> (re re's message of "Tue, 09 Mar 2004 02:56:15 +0800")
References: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com>
At 2004-03-08T18:56:15Z, "re re" <qt4x11@linuxmail.org> writes:

> hello despite having ipfilter blocking all ports except 80 21 and 22,
> tripwire, and scoring 999999 in nmap, my website got defaced.

"Despite locking my door to my house, pulling the curtains, and sitting in a dark living room with a loaded gun and a Dobermann Pinscher, someone broke into my office."

Your server is probably relatively secure - congratulations on proactively defending your system. However, even the most secure system in the world can run cruddy applications. If your website was running PHPNuke or something from Matt's Script Archive, then don't be surprised if your website (and possibly other files readable or writeable by the user Apache runs under) has been altered. This can be annoying, but doesn't mean that the rest of your system is 0wn3d.

You mention that you have Tripwire. Excellent! The very first step is to audit that changelog like the life of your server depends on it (hint: it does). Personally, if there are more than a handful of changes to /usr/src or /usr/ports, then I'd nuke those subdirectories and repopulate them from a trusted backup or another server. Basically, don't waste hours trying to decide whether cvsup or a cracker altered /usr/ports/shells/bash2/Makefile when it's very simple to restore a known-good copy.

Also, get in the habit of checking and updating your Tripwire database immediately before major file-updating processes like "make update", "make installworld", etc. That way, you can reduce a vast number of false positives from the change list so that this is an easier task next time.

Next, Keep Your Public Services Updated (tm). Don't run an old version of Apache or PHPBB if you value your security. Any skript-kiddie has an arsenal of web service attacks for popular systems. Repeat: keep up with those security patches!

Good luck. It sounds like you're doing the right things. Just keep current, keep your firewall tight, don't run stuff you don't need, and keep using Tripwire.

-- 
Kirk Strauser

"94 outdated ports on the box, 94 outdated ports. Portupgrade one, an hour 'til done, 82 outdated ports on the box."
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87y8qbkqhj.fsf>