Mailing List Archive

Web server compromised.
I have a gentoo web server that was compromised through URL
forging. The website didn't check untrusted variables, and a user was
able to install an executable named bdw in tmp and execute it as
apache.

It happened in the afternoon; I noticed it that night. I removed the
bdw file, looked through the intrusion logs, checked for sticky bits,
ran checkrootkit and of course corrected the website. A couple of
attempts were made to use the URL forging, but otherwise it would
appear that the problem is taken care of. That said, am I missing
something? Should I be doing something else? Is it reasonable not to
rebuild the entire system?


Thanks in advance.


Mojo



--
gentoo-security@gentoo.org mailing list
Re: Web server compromised.
* On Feb 14 14:40, Mojo B. Nichols (mnichols@mojosoft.org) wrote:
> Is it reasonable not to rebuild the entire system?

I'm always afraid of attacks like this. Personally, I would delete your
entire web tree and replace it from a backup. If your apache user has
access to much else, I'd thoroughly check/replace it all. Anything
world-writeable, like the /tmp directory it was in, needs to be scoured
as well. I don't think it's necessary to do a full rebuild, unless the
apache user has access to other areas of the system, which it shouldn't...

Tom
Re: Web server compromised.
How reliable are your logs?
You want to know everything he touched while in the machine. Do you
have any IDS like tripwire or AIDE?

Did you detect any root crack attempt?
If you _know_ that it didn't hack root, that's okay...

Does your kernel load modules?
It's easy to make a Linux kernel rootkit which is not detected by
chkrootkit and others, and which hides itself totally.

Also, how "doable" is a reinstall? The _only_ safe bet is a total
reinstall and restore from backups.
If you have reliable mechanisms to know what he did, and some
assurance that he didn't get root... it's okay to just "fix" the
problem.

I've seen some root break-ins that were quite kiddie and all they did
was put an IRC bot working + a remote shell access..., those are easy
to fix... the problem is that a _well done_ hack is not traceable from
the moment the cracker got root (that's if he can modify the running
kernel, through modules or direct injection on /dev/kmem or
/proc/kcore).



On Mon, 14 Feb 2005 04:59:17 -0800 (PST), Mojo B. Nichols
<mnichols@mojosoft.org> wrote:
>
>
> I have a gentoo web server that was compromised through URL
> forging. The website didn't check untrusted variables, and a user was
> able to install an executable named bdw in tmp and execute it as
> apache.
>
> It happened in the afternoon I noticed it that night. I removed the
> bdw file, looked through the intrusion logs, checked for sticky bits,
> ran checkrootkit and of course corrected the website. A couple of
> attempts were made to use the url forging but otherwise it would
> appear that the problem is taken care of. That said am I missing
> something? Should I be doing something else? Is it reasonable not to
> rebuild the entire system?
>
> Thanks in advance.
>
> Mojo
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Miguel Sousa Filipe

Re: Web server compromised.
I highly agree. Anything other than a total reload is not an option in my
opinion. Next time around you might want to chroot apache or at least
mount /tmp with noexec. I've seen a couple of emerges not work with that, so
I just unmounted /tmp, emerged package, remounted /tmp. With noexec on
/tmp you can avoid a lot of kiddie breakins. Also, snort_inline (it's in
portage :)) works terrifically at stopping malicious requests to your web
server.

Please let me know if you would like detailed information on setting any
of this up. It's a little work that's worth a lot later. ;)

good luck!

hth


> How reliable are your logs?
> You want to know everything he touched while in the machine.. do you
> have any IDS like tripwire or AIDE?
>
> Did you detect any root crack attempt?
> if you _know_ that it didn't hacked root, thats OKay...
>
> Does your kernel load modules?
> Its easy to make a linux kernel rootkit which is not detected by
> chrootkit and others, and to hide itself totally.
>
> Also, how "doable" is a reinstall? The _only_ safe bet is total
> reinstall and restore from backups.
> If you have reliable mechanisms to know what he did, and some
> assurance that he didn't got root... its okay to just "fix" the
> problem.
>
> I've seen some root breakins that were quite kiddie and all they did
> was put a irc bot working + a remote shell access..., those are easy
> to fix... the problem is that a _well done_ hack is not traceable from
> the moment the cracker got root (thats if he can modify the running
> kernel, through modules or direct injection on /dev/kmem or
> /proc/kcore.
>
>
>
> On Mon, 14 Feb 2005 04:59:17 -0800 (PST), Mojo B. Nichols
> <mnichols@mojosoft.org> wrote:
>>
>>
>> I have a gentoo web server that was compromised through URL
>> forging. The website didn't check untrusted variables, and a user was
>> able to install an executable named bdw in tmp and execute it as
>> apache.
>>
>> It happened in the afternoon I noticed it that night. I removed the
>> bdw file, looked through the intrusion logs, checked for sticky bits,
>> ran checkrootkit and of course corrected the website. A couple of
>> attempts were made to use the url forging but otherwise it would
>> appear that the problem is taken care of. That said am I missing
>> something? Should I be doing something else? Is it reasonable not to
>> rebuild the entire system?
>>
>> Thanks in advance.
>>
>> Mojo
>>
>> --
>> gentoo-security@gentoo.org mailing list
>>
>>
>
>
> --
> Miguel Sousa Filipe
>
> --
> gentoo-security@gentoo.org mailing list
>
>



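A constructed triage script, added here and not posted by anyone on the list, that mechanises the checks raised in this thread: Tom's scouring of world-writeable directories like /tmp, Miguel's question about whether the kernel still loads modules, and the noexec /tmp advice in the reply above. Paths are parameters so the same functions can be pointed at /tmp, /proc/mounts and /proc/sys/kernel/modules_disabled on a live box.

```shell
#!/bin/sh
# Constructed post-incident triage helpers for the case in this thread:
# a web-server process dropped an executable into a world-writeable
# directory. Added example, not code from any poster on the list.

# List executables found anywhere beneath world-writeable directories
# under ROOT (Tom's "scour /tmp" advice, generalised to any tree).
# -perm -002 = world-writeable bit set, -perm -100 = owner-exec bit set.
find_exec_in_world_writable() {
    root="$1"
    find "$root" -type d -perm -002 2>/dev/null | while read -r d; do
        find "$d" -type f -perm -100 2>/dev/null
    done | sort -u
}

# Number of such executables, for quick checks and assertions.
count_exec_in_world_writable() {
    find_exec_in_world_writable "$1" | wc -l | tr -d ' '
}

# Report whether MOUNTPOINT is mounted noexec, reading a table in
# /proc/mounts format (pass /proc/mounts on a live box). A matching
# fstab line would be:  tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
# Exit status 0 = noexec present, 1 = absent or mountpoint not found.
mount_has_noexec() {
    mounts_file="$1"; mp="$2"
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
        END { exit found ? 0 : 1 }' "$mounts_file"
}

# Miguel's kernel-module concern: print "disabled" when the sysctl file
# (pass /proc/sys/kernel/modules_disabled) reads 1, "enabled" otherwise.
module_loading_status() {
    if [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Usage on a live box (uncomment to run):
# find_exec_in_world_writable /tmp
# mount_has_noexec /proc/mounts /tmp && echo "/tmp is noexec"
# module_loading_status /proc/sys/kernel/modules_disabled
```

A clean "enabled" result from module_loading_status only says loading is still possible, not that nothing was loaded; the modules list and AIDE's report remain the record to check.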
Re: Web server compromised.
>>>>> "Miguel" == Miguel Filipe <miguel.filipe@gmail.com> writes:

> How reliable are your logs? You want to know everything he touched
> while in the machine.. do you have any IDS like tripwire or AIDE?

Yeah I run aide, and it was isolated to that one file in tmp.


> Did you detect any root crack attempt? if you _know_ that it didn't
> hacked root, thats OKay...

How would I detect root crack attempts?


> Does your kernel load modules? Its easy to make a linux kernel
> rootkit which is not detected by chrootkit and others, and to hide
> itself totally.

It does load modules :-(

> Also, how "doable" is a reinstall? The _only_ safe bet is total
> reinstall and restore from backups. If you have reliable mechanisms
> to know what he did, and some assurance that he didn't got
> root... its okay to just "fix" the problem.

The data is backed up and could be restored from scratch. I would,
of course, have to take the box down.



Thanks,


