I have a gentoo web server that was compromised through URL
forging. The website didn't check untrusted variables, and a user was
able to install an executable named bdw in tmp and execute it as
apache.
It happened in the afternoon; I noticed it that night. I removed the
bdw file, looked through the intrusion logs, checked for sticky bits,
ran checkrootkit and of course corrected the website. A couple of
attempts were made to use the URL forging, but otherwise it would
appear that the problem is taken care of. That said, am I missing
something? Should I be doing something else? Is it reasonable not to
rebuild the entire system?
Thanks in advance.
Mojo
--
gentoo-security@gentoo.org mailing list
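The checks Mojo describes (looking for the dropped executable in tmp, checking for setuid/setgid bits) can be scripted so they are repeatable and so a later sweep shows only what changed. The following is an added example and is not code from the original post or from the Gentoo project; it runs against a constructed sample tree created under mktemp, so every path under it (tmp/bdw, usr/bin/passwd, the baseline file) is an assumption standing in for the real server:

```shell
#!/bin/sh
# Added example, not code from the original post: a small post-compromise
# sweep covering the checks described above (executables dropped in tmp,
# setuid/setgid binaries), plus a baseline comparison so that a second sweep
# reports only files that appeared since the first one. It runs against a
# constructed sample tree; the paths below are assumptions, not a real host.

# Print the setuid/setgid regular files below ROOT, as paths relative to
# ROOT, sorted so the output can be saved as a baseline and compared later.
snapshot_setuid() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | cut -c"$((${#root} + 1))-" | sort
}

# Print executable regular files under ROOT/tmp (where bdw was dropped);
# a web-server-owned executable there is exactly what the post found.
list_tmp_executables() {
    root="$1"
    [ -d "$root/tmp" ] || return 0
    find "$root/tmp" -type f -perm -u+x 2>/dev/null \
        | cut -c"$((${#root} + 1))-" | sort
}

# Print setuid/setgid files present now but absent from BASELINE (a file
# with one relative path per line, as written by snapshot_setuid). Only the
# new entries are shown, so known-good system binaries do not drown them.
new_since_baseline() {
    baseline="$1"; root="$2"
    snapshot_setuid "$root" | comm -13 "$baseline" -
}

# Constructed sample tree standing in for the server's filesystem.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/tmp" "$d/usr/bin"
    printf '#!/bin/sh\n' > "$d/tmp/bdw";       chmod 755  "$d/tmp/bdw"        # the dropped binary
    printf 'session\n'  > "$d/tmp/sess_1";     chmod 644  "$d/tmp/sess_1"     # harmless data file
    printf 'bin\n'      > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd" # legitimate setuid
    printf 'bin\n'      > "$d/usr/bin/ls";     chmod 755  "$d/usr/bin/ls"     # ordinary binary
}

# Demo: list what is executable in tmp, take a setuid baseline from the
# clean tree, simulate a setuid file appearing afterwards, and show that
# only the new entry is reported.
run_demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "executables in tmp:"
    list_tmp_executables "$d"
    snapshot_setuid "$d" > "$d/baseline.txt"
    printf 'bin\n' > "$d/usr/bin/later"; chmod 4755 "$d/usr/bin/later"
    echo "new setuid/setgid files since baseline:"
    new_since_baseline "$d/baseline.txt" "$d"
    rm -rf "$d"
}
run_demo
```

On a real host the same functions would be pointed at / (snapshot_setuid / > baseline taken from a known-clean system or a fresh install), and the baseline stored off the machine, since anything kept on a compromised box can be edited by whoever got in. The script only reports permission bits; it does not replace a rootkit checker or a package-manager file-integrity verification, which also catch replaced binaries whose modes are unchanged.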