Hi Luis: thanks.
> Did you check to see whether /usr/sbin/apache2 was modified? Or was it
> only the running process that had somehow been stack-overflow'd?
>

I checked apache using debsums; it seems OK.

shopping:/usr/sbin# debsums apache2-mpm-prefork
/usr/sbin/apache2                                          OK
/usr/share/doc/apache2-mpm-prefork/NEWS.Debian.gz          OK
/usr/share/doc/apache2-mpm-prefork/copyright               OK
/usr/share/doc/apache2-mpm-prefork/changelog.gz            OK
/usr/share/doc/apache2-mpm-prefork/changelog.Debian.gz     OK

How can I check whether a process has been stack-overflowed or not?

> IMHO, I'd declare this box as "compromised" and redo the whole thing.
> Copy all data to a new box and install tripwire (or something of that
> sort), plus follow the Debian security manual to the last bit, before
> putting the box online again.

Will do. I had tripwire turned on before; it seems quite slow, so I turned it off.

>
> A few links:
>
> http://www.debian.org/doc/manuals/securing-debian-howto
> http://wiki.debian.org/SELinux/Setup
> http://wiki.debian.org/Hardening
>

Great links.

>
> I know that you already had SELinux enabled (after the fact?). So, you
> might already have enough information to build a better box.
>

Yeah, it is an after-the-fact action. But I have these parameters for SELinux, because some libs/apps need them, which may not be safe:

allow_execstack --> on
allow_execmem --> on
allow_execmod --> off
allow_execheap --> off

If allow_execstack was off and the application was stack-overflowed, will the overflowed code be constrained by SELinux?

-- 
Best Regards
Mike
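
Added example, not part of the original message or of any Debian or SELinux tooling: a Python sketch that reads a process's /proc/<pid>/maps and lists executable mappings by the SELinux permission (execstack, execheap, execmem) each would have required, the same permissions the allow_exec* booleans in the message above switch on or off. The sample maps text is constructed, the function names are hypothetical, and the classification is an approximation; a flagged mapping shows which memory is executable, not whether an overflow occurred.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not taken from the original box).
SAMPLE_MAPS = """\
08048000-080a1000 r-xp 00000000 08:01 131090 /usr/sbin/apache2
080a1000-080a4000 rw-p 00058000 08:01 131090 /usr/sbin/apache2
09c5e000-09d20000 rwxp 00000000 00:00 0 [heap]
b7c10000-b7c12000 rwxp 00000000 00:00 0
b7d00000-b7e40000 r-xp 00000000 08:01 262155 /lib/libc-2.7.so
bfa3c000-bfa51000 rwxp 00000000 00:00 0 [stack]
"""

# address range, permissions, offset, device, inode, optional path
LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+\S+\s+\S+\s+\d+\s*(.*)$")

def classify(perms, path):
    """Approximate the SELinux exec* permission an executable mapping needed."""
    if "x" not in perms:
        return None               # not executable: nothing to report
    if path.startswith("[stack"):
        return "execstack"        # executable stack
    if path == "[heap]":
        return "execheap"         # executable heap
    if path == "" or "w" in perms:
        return "execmem"          # anonymous or writable+executable mapping
    return None                   # ordinary read-only file-backed code

def scan_maps(text):
    """Return (permission, range, perms, path) for each flagged mapping."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, path = m.groups()
        kind = classify(perms, path.strip())
        if kind:
            findings.append((kind, f"{start}-{end}", perms, path.strip() or "[anon]"))
    return findings

def scan_pid(pid):
    """Scan a live process; needs permission to read /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return scan_maps(fh.read())

if __name__ == "__main__":
    for kind, rng, perms, path in scan_maps(SAMPLE_MAPS):
        print(f"{kind:10} {rng} {perms} {path}")
```

On a live system, scan_pid(pid) applies the same check to a running apache2 child; comparing its output before and after a restart shows whether the executable mappings come from the binary and its libraries or appeared at run time.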