On Tuesday, March 15, 2005, at 09:22 AM, Francisco Hidalgo Solá wrote:
Yes, I'm sure root-only files were changed, as my complete log directory is gone. Unfortunately, or fortunately, this is my home machine hosting some sites of friends, so I never worried that much about security, only the normal things. I wasn't doing remote logging either, so I have no idea what happened.

I came to the same conclusion as you and other people: I must reinstall everything to be sure. But this post is mainly an attempt to discover what happened and whether this was a security hole in this specific version of Apache or any other thing, so I know what to do on my new installation. I will start with Ivan Barrera's suggestions: chrooted Apache, mod_security, maybe SELinux, but this bothers me so much, since this is only my home machine and I don't want to spend that much time on it... The first thing is remote logging; since I use syslog-ng on all my machines this should be very easy.

Thanks for all the answers. If you know anything more about what the attack could have been, I would like to hear about it.

--- Dennis Speekenbrink <d.g.speekenbrink@xxxxxxxxxxxxxxx> wrote:

Hi,

Please keep in mind that I'm not a security expert.

Something about this says that they did not get root access to the machine. Are you absolutely sure that "root-only" files were changed?

Reasons for my thinking are:
- The rogue processes are running under the Apache user (why not root?)
- You can still log in. (Usually root exploits change the root password first thing, sadly speaking from my own experience.)
- The rogue processes are located in /tmp, which is world-writeable.

If access was gained through Apache, and it was indeed running as an unprivileged user, then they would need a second exploit to raise their access level to root. By default a security breach in Apache should only compromise anything that Apache can touch.

On the other hand:
- If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault.
- If non-writeable files were modified, then an Apache / PHP exploit alone couldn't have done it.
- If system logs were deleted, that is almost certainly an indicator of a root exploit.

If you conclude that root access was indeed gained, then the machine must be considered lost. Do not try to repair it, as you can never be sure you removed all traces of the attacker. If you assume that it was only an Apache / PHP exploit, then repair is possible, but a reinstall might be safer.

Good luck!

Dennis

p.s. If you have an off-site backup or remote logging, try comparing data to see what has changed.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
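Dennis's closing suggestion (compare an off-site backup against the compromised host to see what changed) and his indicator list (root-owned files modified, system logs deleted, new files in /tmp) can be turned into a simple triage check. The script below is an added example written for this thread, not code posted by either participant: it snapshots two directory trees, diffs them by content hash, owner and mode, and then pulls out the changes that touch root-owned files, which is the signal Dennis uses to separate "Apache user only" from "root compromise". The two sample trees it builds are constructed here to mirror the situation described (log directory gone, a file appearing under tmp); the path names and contents are placeholders, not data from the original machine.

```python
"""Baseline-vs-current file comparison for post-incident triage.

Added example for the thread above, not code from the mailing list.
The sample trees are constructed in build_demo_trees(); in a real case the
'baseline' would be the off-site backup and 'current' the suspect host's
filesystem, mounted read-only from a rescue system.
"""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, uid, mode) for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root)
            result[rel] = (_sha256(full), st.st_uid, stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Diff two snapshots: files added, removed, or changed in content/owner/mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def root_owned_changes(report, baseline, current, root_uid=0):
    """Changes involving root-owned files.

    A web-server-only compromise runs as the Apache user and cannot touch these,
    so any hit here points at a privilege escalation (Dennis's argument).
    """
    hits = [p for p in report["removed"] + report["modified"]
            if baseline[p][1] == root_uid]
    hits += [p for p in report["added"] if current[p][1] == root_uid]
    return sorted(hits)


def build_demo_trees():
    """Constructed sample: a 'backup' tree and a 'current' tree.

    In 'current' the log file is gone, the web root changed, and a new file
    appeared under tmp. All names and contents are placeholders.
    """
    baseline_files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "var/log/messages": "Mar 14 00:00:01 host kernel: boot\n",
        "var/www/index.html": "<html>ok</html>\n",
    }
    current_files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        "var/www/index.html": "<html>changed</html>\n",
        "tmp/.x/run": "placeholder\n",
    }
    base = tempfile.mkdtemp(prefix="backup_")
    cur = tempfile.mkdtemp(prefix="current_")
    for root, files in ((base, baseline_files), (cur, current_files)):
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(content)
    return base, cur


if __name__ == "__main__":
    base, cur = build_demo_trees()
    report = compare(snapshot(base), snapshot(cur))
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind:9s} {path}")
```

Run against a real backup and a read-only mount of the suspect disk, the `modified`/`removed` lists under directories only root can write (here `var/log`) are the ones to look at first; changes confined to the web root and `/tmp` are consistent with the unprivileged-Apache scenario Dennis describes. The uid check only means something when the snapshot is taken with the real ownership intact, so take it from the original filesystem, not from a copy made with a tool that resets owners.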