Security Experts, help, what is this (bad stuff)? - Page 2


Re: Security Experts, help, what is this (bad stuff)?

On Sun, 01 May 2005 22:17:35 +0000, Ohmster wrote:


Your thanks are accepted with a "you are welcome".  ;/

Anything that you feel you need to say that is related to security is not
"off topic" and can be posted here.

Whatever you feel you need to say to me personally, or you think is
personal or off-topic you can e-mail to me (remove the white spaces and
interpret the "at"'s) at n e w s b o x a t c u s t o m e r s - o f - a d e
l p h i a d o t o r g

I may repost anything you send me right back here, or not.

Too bad you had to try three times to say what you wanted.  If this were
real time, well, well,well,well,well,well,well,well,...

Re: Security Experts, help, what is this (bad stuff)?



ohmster at newsguy dot com

Re: Security Experts, help, what is this (bad stuff)?


Ohmster, there's a reason why advice _starts_ with "Get it off the Net,
NOW:"  Your very first and most important task simply has to be to
reassert control over any root-compromised machine.  Until you do that,
you don't know what the machine is really doing and what it's about to
do.  It may be committing criminal acts in your name.  It may be sending
out your business data to unknown third parties.  

It may be about to execute a planned auto-erase of all your hard drives.

Thus, the standard first step that is _always_ recommended is to
reassert control by bringing the machine down immediately -- I would
even (normally) just cut the power -- and only then taking other
recovery and rebuilding steps.

It's admittedly painful to deal with the resulting downtime, while you
construct a substitute box, but you may be averting a _lot_ worse things
by so doing.  I'm sorry it's unpalatable advice, but we're honestly not
kidding, and have excellent reasons for making the recommendation -- and
(speaking for myself) follow it, ourselves.

Don't kid yourself into thinking this matters only to sysadmins:  If
you're running network daemons on the Internet, you're a sysadmin.
Congratulations.  Now, don't screw up.  ;->

Rick Moen                      "vi is my shepherd; I shall not font."                               -- Psalm 0.1 beta

Re: Security Experts, help, what is this (bad stuff)?



Agreed. You all were right, maybe you did not have the evidence to show
it at the time, but I looked and I looked and gosh darn it, you were all
right. Looks like I got nailed with either the phpbb or awstats hack,
either one or both, but I had both doors open and I got hit. Bastards
were running stupid stuff in /var/tmp, all as user apache. Thank God that
apache did not run with root access. They got a virus in, could not run
it at root though. They got tons of spam through, because apache could
indeed mail. Interesting, sucks, but really interesting.

Will do much better with FC3, emphasis on security this time and no
stupid stuff like awstats or phpbb unless they could be deemed "safe". At
the time that I installed phpbb and awstats, they were considered safe,
but the baddies got in and the exploit was found later. Do you think that
awstats or phpbb could ever be truly considered "safe" to install and
run, even though these exploits have been found and patched out of the
programs? I like awstats and I like phpbb but if that means I am open to
another hack attack, then no dice.
ohmster at newsguy dot com

Re: Security Experts, help, what is this (bad stuff)?

On Wed, 04 May 2005 02:05:37 GMT, Ohmster wrote:

Most often the "baddies" are script kiddies.  I don't know how old the
phpbb and awstats exploits are, but the odds are high that they weren't
first discovered on your system, i.e. the baddies most likely got in
_after_ the exploit was known, rather than discover it first on your
Many a smale maketh a grate -- Geoffrey Chaucer

Re: Security Experts, help, what is this (bad stuff)?


Thanks for all of your help, Bev. I have Fedora Core 3 up and running and
did not install any stats or message boards. Will have to be very careful
about that in the future.

ohmster at newsguy dot com

Re: Security Experts, help, what is this (bad stuff)?


Dammit, I _hate_ it when that happens!  ;->


Honestly, by April 2005, RH9 had so many unfixed holes in it that it's
pretty much academic.  That's probably why most people here went so
directly and forcefully to the "Get it off the Net" phase:  We all
thought, "Let's see, last updates for RH9 would have been April '04,
so he's almost certainly been running a completely unmaintained distro
for a full year.  _With_ phpbb and CGIs?  He's toast.  Wipe and
reinstall -- and it'd take a miracle to figure out which of the myriad
likely vulnerabilities the kiddies used."

Security is a somewhat difficult problem -- but (in many cases) figuring
out the exact path by which a machine was compromised is _really_
difficult.  Running a file-based IDS (aka integrity checker) such as
AIDE, Integrit, Samhain, Tripwire, etc. makes it easier, because (if the
baddies didn't just wipe out the IDS records) you can at least see what
got changed.  But you didn't have one of those.


So, here's one more discomfiting question, to add to your existing pile:
How do you _know_ the kiddies didn't get root?  It's a tough and subtle
question -- one that might equally be asked of any other Linux admin, at
any time:  What's the nature of your reason to believe that your system
hasn't been cracked?  We normally have mostly absence of evidence to
draw upon:  We look around for suspicious activity, fail to find any,
and guess/conclude that (we think, we hope) nobody has compromised our
system security.

A properly set up, configured, and monitored file-based IDS adds to that
picture an additional, slightly higher grade of justification for that
belief:  We then know that, as of the last IDS report, if we've
succeeded in making it tamper-resistant and made it watch all the right
things, a bunch of files we consider crucial haven't been fooled with.

Further beyond that, you can check machine A from a second, nearby
machine B, where a network IDS (nmap, snort, nessus...) watches machine
A for suspicious network activity.  

Potentially, all of this paranoia could chew up too much of your time,
so you script and automate where you can.  Welcome to my profession.


Let's talk about those individually.  awstats is the easy one:  The fact
that it posts system stats on a Web page isn't dangerous.  What's
dangerous is that it does so via a (not-well-designed-and-debugged) CGI.
Programs that can be fed arbitrary data from the public need to be
_very_ carefully written, taking great care to "sanitise" (validate)
input data; otherwise, a canny member of the public can overload the
input routines with deliberately malformed, and/or excessive data
designed to overflow program structure and trigger a fault condition
that the bad guys can exploit.

Guess what?  A CGI like awstats _does_ accept public input -- in the
form of data passed to it from the URL.  But awstats has proven to be
buggy in its input handling.

There's no reason why awstats _needs_ to run as a CGI in order to merely
generate Web statistics.  The obvious alternative would be to set it up
as a cronjob, preventing crafty members of the public from attacking it
from its URL input interface.

Want to know how exactly to do that, with awstats?  Well, sorry, I
haven't yet had time to look into that.  So far, I've merely deinstalled
the thing, intending to look into the matter later.

OK, that leaves the more-complex matter, that of developed PHP apps such
as (in particular) phpBB.  The phpBB codebase has had quite a string of
problems, over the last couple of years.  I also remember the
development site's docs acknowledging for a while that, yeah, requiring
you to have "register_globals = On" in php.ini was security-reckless,
but you'll just have to live with that until they rewrite a bunch of
their code.  I vaguely recall that they eventually fixed that, but I was
rather less than impressed.

As to the bigger picture, of how you decide what PHP apps are
sufficiently safe, and what php.ini configuration is acceptable, and how
you fix (if at all) PHP things that break when you tighten php.ini more
than they can cope with -- well, I wasn't kidding when I said I would be
seeing if there were an article in this for me.  When/if I write it,
you'll have to read it mostly there (wherever "there" is), and not here.

If you missed the list of URLs where you can read about / research PHP
security issues, I've archived it and some other stuff, here:

"PHP" on /

Cheers,                 "Heedless of grammar, they all cried 'It's him!'"
Rick Moen                       -- R.H. Barham, _Misadventure at Margate_

Re: Security Experts, help, what is this (bad stuff)?

| I have been having what I thought was a formmail exploit on my machine.
| know that when I have these spam attacks, I have an unknown process
| running and owned by apache that takes up 99% CPU.

Also look for CGI scripts with any of the following names,
many of which showed up in a machine I help support which
was attacked multiple times last year:


The "" turned out to be particularly nasty, in
that when it is accessed it gives a "CGI-Telnet" login screen!!
[That's right, a !@&^%$@# web-based *shell*!!]


627 26th Avenue            <URL:
San Mateo, CA 94403        (650)572-2607
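Rick's point about file-based integrity checkers (AIDE, Tripwire and friends) and the last poster's advice to look for unexpected CGI scripts come down to the same check: fingerprint the files you care about, keep that baseline where an intruder can't rewrite it, and diff against it later. The following is an added illustration written for this thread, not code from any of the tools named above; the directory layout and file names in `demo()` are constructed.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Minimal integrity checker in the spirit of AIDE/Tripwire (added example, not
# any of those tools). The baseline is only evidence if the attacker could not
# rewrite it, so store it off the host (read-only media or a second machine).

def _fingerprint(path: Path) -> dict:
    """Hash the content and record the metadata a rootkit or dropped script changes."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(watch_dirs) -> dict:
    """Fingerprint every non-directory entry under the watched directories."""
    baseline = {}
    for d in watch_dirs:
        for p in sorted(Path(d).rglob("*")):
            if not p.is_dir():
                baseline[str(p)] = _fingerprint(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report new files (e.g. a dropped CGI), deleted files and edited files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a fake cgi-bin, then simulate tampering."""
    cgi = Path(tempfile.mkdtemp()) / "cgi-bin"
    cgi.mkdir()
    (cgi / "stats.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
    baseline = build_baseline([cgi])
    # An edited legitimate script and a newly dropped file, both placeholders.
    (cgi / "stats.cgi").write_text("#!/usr/bin/perl\nprint 'changed';\n")
    (cgi / "dropped.cgi").write_text("# constructed stand-in for an unexpected script\n")
    return compare(baseline, build_baseline([cgi]))

if __name__ == "__main__":
    print(demo())
```

In practice you would run `build_baseline` on a freshly installed box, serialize the result somewhere the web server's user cannot write, and diff nightly from cron.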
