hi

[Tue, Feb 08, 2005 at 10:46:19AM -0600] This one time, at band camp, Bret Walker said:
> Redmond-
>
> Here is the response I got from the list.
>
> I also found another file - shellbind.c - it's essentially this -
> http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> (although phpBB has never been installed).
>
> I had register_globals on in PHP for a month+ because a reservation system
> I was using required them. I now know better. We also had php errors set
> to display for a while as bugs were being worked out.
>
> The owner of this file is www, so it was put in /tmp by the apache daemon.
> I messed the file up trying to tar it, so I can't get a good md5.
> Register globals and php file uploads are both off now. I don't think the
> system was compromised because anything written to /tmp (which is the temp
> dir php defaults to) could not be executed.
>
> Do you think we're safe to continue as is?
>
this person is telling you that slapper is nothing to worry about because it's a linux only virus - but if you didn't put httpd in /tmp then you should be worried about this situation. this is probably your call what you want to do.

> Also, I would like to talk with you about what preventative measures you
> take with herald. I know you run tripwire, but what else do you do on a
> regular basis?
>
one thing i do is i read /var/log/messages every day. do you do that?

> Bret
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mark A. Garcia
> Sent: Tuesday, February 08, 2005 9:57 AM
> To: Bret Walker
> Cc: freebsd-questions@freebsd.org
> Subject: Re: httpd in /tmp - Sound advice sought
>
>
> Bret Walker wrote:
>
> >Last night, I ran chkrootkit and it gave me a warning about being
> >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up
> >to version 0.96d or older on Linux systems. I have only run 0.97d.
> >The file that set chkrootkit off was httpd which was located in /tmp.
> >/tmp is always mounted rw, noexec.
> >
> >I update my packages (which are installed via ports) any time there is
> >a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> >couple of weeks, but the only code that required it to be on was in a
> >.htaccess/SSL password protected directory.
> >
> >Tripwire didn't show anything that I noted as odd. I reexamined the
> >tripwire logs, which are e-mailed to an account off of the machine
> >immediately after completion, and I don't
> >see anything odd for the 3/4 days before or after the date on the file.
> >(I don't scan /tmp)
> >
> >I stupidly deleted the httpd file from /tmp, which was smaller than the
> >actual apache httpd. And I don't back up /tmp.
> >
> >The only info I can find regarding this file being in /tmp pertains to
> >Slapper. Could something have copied a file there? Could I have done
> >it by mistake at some point - the server's been up ~60 days, plenty of
> >time for me to forget something?
> >
> >This is a production box that I very much want to keep up, so I'm seeking
> >some sound advice.
> >
> >Does this box need to be rebuilt? How could a file get written to
> >/tmp, and is it an issue since it couldn't be executed? I run tripwire
> >nightly, and haven't seen anything odd to the best of my recollection.
> >I also check ipfstat -t frequently to see if any odd connections are
> >happening.
> >
> >I appreciate any sound advice on this matter.
> >
> >Thanks,
> >Bret
> >
> >
> Slapper is a linux only virus. You shouldn't have to worry about it
> doing harm on your freebsd machine. Seeing as the binary was in your
> tmp directory on your system, and that you might have not placed it
> there, this could be a good reason for a host of other things to look
> into. The httpd binary with 96d<= ssl is not a virus itself, just a
> means to carry out the exploit. The slapper virus is a bunch of c-code
> that is put in your tmp directory and the exploit allows one to compile,
> chmod, and execute the code, leaving open a backdoor.
>
> chkrootkit does scan for the comparable scalper virus which is a freebsd
> cousin to the slapper (in that they attempt to exploit the machine via
> the apache conduit.)
>
> I would think real hard, if you did put the httpd binary in there. If
> you are sure you didn't, and you are the only one with access to the
> system, then I would be very very worried. Running tripwire and
> chkrootkit on a periodic basis should help. Re-installing the os isn't
> your only solution, but it does give comfort knowing that after a
> reinstall, and locking down the box, no one has an in on your system.
> This could be overboard though.
>
> You also might want to consider enabling the clean_tmp scripts. Next
> time tar up those suspicious files, a quick forensics on them can do
> wonders (md5sum, timestamps, ownership, permissions.)
>
> Cheers,
> -.mag
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
1:30PM up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19
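Mark's advice to tar up a suspicious file and run a quick forensics pass on it (md5sum, timestamps, ownership, permissions), and Bret's remark that he damaged the file while trying to tar it, are the kind of step worth having scripted before the next alert. The shell script below is an added example and is not part of this thread or of any FreeBSD or chkrootkit tool: it records a file's listing, timestamps, mount options and hashes into an evidence directory and archives the file without modifying it. The function names, the evidence directory layout, the report format and the constructed test file are this example's own assumptions; hashing tools follow GNU names (sha256sum, md5sum) with the FreeBSD names (sha256, md5) as fallback.

```shell
#!/bin/sh
# Added example, not from the thread: preserve a suspicious file (such as the
# httpd found in /tmp) together with its metadata before doing anything else
# with it. Timestamps, ownership and permissions are recorded first, because
# reading the file to hash it updates its access time. Tool names follow
# GNU (sha256sum/md5sum) with FreeBSD (sha256/md5) as fallback; the evidence
# directory layout and report format are this example's own choices.

hash_file() {
    # Print "algo hash" lines for the file in $1 with whichever tools exist.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print "sha256 " $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        echo "sha256 $(sha256 -q "$1")"
    fi
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print "md5 " $1}'
    elif command -v md5 >/dev/null 2>&1; then
        echo "md5 $(md5 -q "$1")"
    fi
}

preserve_suspect() {
    # $1: suspicious file, $2: evidence directory (created if missing).
    # Writes $2/<name>.report and $2/<name>.tar, leaves $1 untouched,
    # and prints the report path. Returns 1 if $1 is not a regular file.
    src="$1"; evd="$2"
    [ -f "$src" ] || return 1
    mkdir -p "$evd" || return 1
    name=$(basename "$src")
    report="$evd/$name.report"
    # mount point of the filesystem holding the file (df -P: one line per fs)
    mp=$(df -P "$src" 2>/dev/null | awk 'NR==2 {print $6}')
    {
        echo "file: $src"
        echo "collected: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        # ownership, permissions and mtime as ls shows them
        echo "listing: $(ls -l "$src")"
        # full timestamps (atime/mtime/ctime); output format differs GNU vs BSD
        stat "$src" 2>/dev/null || echo "(stat not available)"
        # whether that filesystem is mounted noexec, as /tmp was in the thread
        echo "mount: $(mount 2>/dev/null | grep " on $mp " || echo "(not determined for $mp)")"
        echo "hashes:"
        hash_file "$src"
    } > "$report"
    # tar records ownership and permissions, so the copy keeps what the
    # original shows; -C keeps the absolute path out of the archive
    tar -cf "$evd/$name.tar" -C "$(dirname "$src")" "$name" || return 1
    echo "$report"
}
```

Usage is `preserve_suspect /tmp/httpd /root/evidence-2005-02-08`, run as root so ownership is readable and the archive is written somewhere outside /tmp. The report and archive are what a later comparison against a known-good binary or against Tripwire's database works from, which is why the original file is only read here, never moved or deleted.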