Posted to users@httpd.apache.org by System Administrator <ha...@gmail.com> on 2005/09/27 17:46:36 UTC

[users@httpd] Machine compromised via apache 2.0.54... I think.

Because of many recent attacks on my machines in the last few months,
I built a new machine using a processor with a No-Execute bit.  I put
all my sites on there with Apache 2.0.54 and patched everything to
date.  I only allow port 80, 443, ftp and ssh to reach the machine. 
There is only one user on the machine, me.  The FTP authentication is
handled by an NcFTPd internal database.  The other day, my machine was
flooding the network and nothing worked.  I checked top and there was
a perl script called leet.pl running.  I did a find and there were
several perl scripts owned by user apache in my /tmp.  They all seemed
to be connect-back scripts.

I'm no expert on security, but it seems odd to me that a remote user
could use apache to write to my /tmp directory and then execute the
script.  Any idea how this happened?  How do I prevent it in the
future?  How do I sterilize my machine?

Thanks for the help.

Farmer J
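Triage for the situation described above, as an added example that is not part of the thread: it lists interpreter scripts under a directory the web server can write to, names the interpreter each script asks for on its shebang line, and flags files that reference socket APIs, which is what a connect-back script needs. The directory argument, the `apache` user name and the socket-API patterns are assumptions, and the sample files in the comments are constructed; on the real machine run it as root against /tmp.

```shell
#!/bin/sh
# Added triage example, not code from the thread. Assumes POSIX sh plus
# head/awk/grep/find and a procps-style ps; the "apache" user is an assumption.

# find_shebang_scripts DIR -> regular files under DIR whose first two bytes are "#!"
find_shebang_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# script_interpreter FILE -> basename of the interpreter on the shebang line,
# looking past "/usr/bin/env" to the program it launches (e.g. "perl").
script_interpreter() {
    head -n 1 "$1" | awk '/^#!/ {
        sub(/^#![ \t]*/, "")
        n = split($0, w, /[ \t]+/)
        p = w[1]
        if (p ~ /\/env$/ && n > 1) p = w[2]
        sub(/.*\//, "", p)
        print p
    }'
}

# looks_like_network_script FILE -> exit 0 if the file references socket APIs
# (assumed indicator set; extend it for the languages present on your host).
looks_like_network_script() {
    grep -E -q 'IO::Socket|socket\(|connect\(|fsockopen' "$1"
}

# triage_dir DIR -> one tab-separated line per script: path, interpreter, network flag
triage_dir() {
    find_shebang_scripts "$1" | while IFS= read -r f; do
        flag=no
        if looks_like_network_script "$f"; then flag=yes; fi
        printf '%s\t%s\tnetwork=%s\n' "$f" "$(script_interpreter "$f")" "$flag"
    done
}

# webserver_processes [USER] -> pid and command line of everything running as
# the web server user (default "apache"); a perl process here is worth a look.
webserver_processes() {
    ps -u "${1:-apache}" -o pid=,args=
}

# Usage on the compromised host (as root):
#   triage_dir /tmp; triage_dir /var/tmp; webserver_processes apache
```

Files the scanner reports are evidence: copy them elsewhere with their timestamps (`cp -p`) before deleting anything, since the interpreter named on the shebang tells you which extension (CGI, PHP) could have written them.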

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 27 September 2005 16:46, System Administrator wrote:

> I'm no expert on security, but it seems odd to me that a remote user
> could use apache to write to my /tmp directory and then execute the
> script.  Any idea how this happened?

Almost certainly through some server extension, such as a CGI or PHP script.

There are two parts: one is writing to /tmp, the other is executing it.
To prevent writing to /tmp may be feasible, but is likely to cripple other
applications.  Running in a chroot jail might just work.  You can and should
prevent apache writing anywhere else in your filesystem using standard
file protections.  Some legitimate applications may require write access,
for which see below.

To prevent execution, you should mount /tmp, and any other directories
with write access for Apache, as noexec.  This again is a filesystem property.

Now go and read Lincoln Stein's WWW security FAQ, followed by Ivan Ristic's
book if the FAQ doesn't satisfy you, or if your situation is complex (e.g. if
you allow third-party CGI or PHP scripts, or *any* PHP not in "safe mode").

-- 
Nick Kew
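A check for the two filesystem properties Nick describes, as an added example that is neither from the thread nor from the Apache project: it reads a mount table to confirm that each directory Apache may write to carries the noexec option, resolving nested mount points by longest prefix (so a /var/tmp that is not its own mount inherits /var's options), and lists world-writable directories under a tree where Apache should have no write access at all. The mount table in the block is constructed; on a live host replace it with the contents of /proc/mounts.

```shell
#!/bin/sh
# Added example, not code from the thread: verify that Apache-writable directories
# are mounted noexec and that nothing else under a tree is world-writable.

# Constructed sample of /proc/mounts (device mountpoint fstype options dump pass).
# On a real host use: MOUNTS=$(cat /proc/mounts)
MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw 0 0'

# mount_options PATH -> prints the options of the mount that contains PATH
# (longest matching mountpoint wins, so /var/tmp resolves to /var here).
mount_options() {
    printf '%s\n' "$MOUNTS" | awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == "/" || mp == p || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { if (best == 0) exit 1; print opts }'
}

# has_mount_opt PATH OPTION -> exit 0 when the containing mount carries OPTION
has_mount_opt() {
    opts=$(mount_options "$1") || return 1
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# dirs_missing_noexec DIR... -> prints each Apache-writable directory whose
# mount lacks noexec; an empty result means Nick's second rule is satisfied.
dirs_missing_noexec() {
    for d in "$@"; do
        if ! has_mount_opt "$d" noexec; then printf '%s\n' "$d"; fi
    done
}

# world_writable_dirs TREE -> directories under TREE that any user (including
# the web server's) can write to; under a document root each hit needs a reason.
world_writable_dirs() {
    find "$1" -type d -perm -o=w 2>/dev/null
}

# Usage on a real host (directory names are assumptions for your layout):
#   dirs_missing_noexec /tmp /var/tmp /var/www/uploads
#   world_writable_dirs /var/www
```

The noexec check only covers the interpreter-independent case; a script read by `perl leet.pl` still runs from a noexec mount, which is why the write restriction and the mount option have to go together.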



Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Joshua Slive <js...@gmail.com>.
On 9/27/05, Farmer J <ha...@gmail.com> wrote:
> I guess I need to read up on securing apache.  How do you secure a
> machine that runs cgi scripts when the users are able to upload their
> own scripts?  It would be impossible to review every script on the
> machine to see if it is secure.  There must be a better way.

If you allow untrusted people to run arbitrary programs on your server,
then there is really no way to secure it.  But there are some things
that can help to isolate problems when they occur.  For example, you
should look into suexec and selinux.

Joshua.



Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Farmer J <ha...@gmail.com>.
On 9/27/05, Ricardo Stella <st...@rider.edu> wrote:
>
> The fact you got hacked means that whatever happened before is still
> happening.  That is, are you sure you don't have any odd cgi scripts
> running that could be easily compromised ?
>
> Yes, there are zero day exploits, but make sure all your other related
> apps. are up to date.  I.e., you could have old ssl libraries and then ssh
> or even apache ssh could be exploited...
>
> My .02...


I guess I need to read up on securing apache.  How do you secure a
machine that runs cgi scripts when the users are able to upload their
own scripts?  It would be impossible to review every script on the
machine to see if it is secure.  There must be a better way.

This is a brand new machine running FC4 and then yum updated.  I
suppose it's possible for it to have outdated libraries, but I doubt
it.

I can't be the only one with security problems.  What measures do you
guys take to make sure your machines can't be compromised?

Farmer J



Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Ricardo Stella <st...@rider.edu>.
The fact you got hacked means that whatever happened before is still
happening.  That is, are you sure you don't have any odd cgi scripts
running that could be easily compromised ?

Yes, there are zero day exploits, but make sure all your other related
apps. are up to date.  I.e., you could have old ssl libraries and then ssh
or even apache ssh could be exploited...

My .02...

System Administrator wrote:

>Because of many recent attacks on my machines in the last few months,
>I built a new machine using a processor with a No-Execute bit.  I put
>all my sites on there with Apache 2.0.54 and patched everything to
>date.  I only allow port 80, 443, ftp and ssh to reach the machine. 
>There is only one user on the machine, me.  The FTP authentication is
>handled by an NcFTPd internal database.  The other day, my machine was
>flooding the network and nothing worked.  I checked top and there was
>a perl script called leet.pl running.  I did a find and there were
>several perl scripts owned by user apache in my /tmp.  They all seemed
>to be connect-back scripts.
>
>I'm no expert on security, but it seems odd to me that a remote user
>could use apache to write to my /tmp directory and then execute the
>script.  Any idea how this happened?  How do I prevent it in the
>future?  How do I sterilize my machine?
>
>Thanks for the help.
>
>Farmer J
>

-- 



RE: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Station51 Donations <do...@station51.net>.
I think it depends on how the scripts are being written there. From what I
know, and I could be wrong, you would need to be running something on the
server that would be giving the attacker some method of exploiting things.
Whether this be some kind of control panel, or something. From my knowledge,
and as I said, I again could be wrong, just plain static html pages wouldn't
give the attacker the ability to write to the filesystem. It's usually in
combination with a system running PHP and/or some kind of CGI script. 

If you want to stop them dead, uninstall perl and remove mod_cgi from apache
if it's installed. The .pl files require Perl to run. If you don't have it on
the system, they simply won't run.  But neither will anything else that uses
perl. 

I wish I had some answers for you. I know how stressful these things can be.


Thanks,
Bill

-----Original Message-----
From: Farmer J [mailto:hackersreallysuck@gmail.com] 
Sent: Tuesday, September 27, 2005 11:05 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

We don't run PHP on this machine.  There must be a way at the Web
server level to prohibit it from writing scripts to the filesystem and
then executing them.  Right??


On 9/27/05, Station51 Donations <do...@station51.net> wrote:
> Hello,
>
> We discovered this problem on our own server quite some time ago. It was
> linked to a problem with the forum software, phpBB. If you or anyone on the
> server (customers etc) are running it, they should be advised to upgrade to
> the latest versions. This also goes for any *Nuke software such as postnuke
> and other content management systems. They're spaghetti coded and often have a
> lot of security problems. Our servers are now forbidding clients to install
> any nuke CMSes as well as install phpBB because we feel it's simply not worth
> the risk of our entire customer base.
>
> Someone here probably has more technical documentation about the specific
> phpBB/webalizer bug I'm referring to.
>
> Thanks,
> Bill






Re: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Farmer J <ha...@gmail.com>.
We don't run PHP on this machine.  There must be a way at the Web
server level to prohibit it from writing scripts to the filesystem and
then executing them.  Right??


On 9/27/05, Station51 Donations <do...@station51.net> wrote:
> Hello,
>
> We discovered this problem on our own server quite some time ago. It was
> linked to a problem with the forum software, phpBB. If you or anyone on the
> server (customers etc) are running it, they should be advised to upgrade to
> the latest versions. This also goes for any *Nuke software such as postnuke
> and other content management systems. They're spaghetti coded and often have a
> lot of security problems. Our servers are now forbidding clients to install
> any nuke CMSes as well as install phpBB because we feel it's simply not worth
> the risk of our entire customer base.
>
> Someone here probably has more technical documentation about the specific
> phpBB/webalizer bug I'm referring to.
>
> Thanks,
> Bill



RE: [users@httpd] Machine compromised via apache 2.0.54... I think.

Posted by Station51 Donations <do...@station51.net>.
Hello,

We discovered this problem on our own server quite some time ago. It was
linked to a problem with the forum software, phpBB. If you or anyone on the
server (customers etc) are running it, they should be advised to upgrade to
the latest versions. This also goes for any *Nuke software such as postnuke
and other content management systems. They're spaghetti coded and often have a
lot of security problems. Our servers are now forbidding clients to install
any nuke CMSes as well as install phpBB because we feel it's simply not worth
the risk of our entire customer base. 

Someone here probably has more technical documentation about the specific
phpBB/webalizer bug I'm referring to. 

Thanks,
Bill


-----Original Message-----
From: System Administrator [mailto:hackersreallysuck@gmail.com] 
Sent: Tuesday, September 27, 2005 10:47 AM
To: users@httpd.apache.org
Subject: [users@httpd] Machine compromised via apache 2.0.54... I think.

Because of many recent attacks on my machines in the last few months,
I built a new machine using a processor with a No-Execute bit.  I put
all my sites on there with Apache 2.0.54 and patched everything to
date.  I only allow port 80, 443, ftp and ssh to reach the machine. 
There is only one user on the machine, me.  The FTP authentication is
handled by an NcFTPd internal database.  The other day, my machine was
flooding the network and nothing worked.  I checked top and there was
a perl script called leet.pl running.  I did a find and there were
several perl scripts owned by user apache in my /tmp.  They all seemed
to be connect-back scripts.

I'm no expert on security, but it seems odd to me that a remote user
could use apache to write to my /tmp directory and then execute the
script.  Any idea how this happened?  How do I prevent it in the
future?  How do I sterilize my machine?

Thanks for the help.

Farmer J



