[Tue, Feb 08, 2005 at 01:43:36PM -0600] This one time, at band camp, Bret Walker said:
> I do read it, but not every day (weekends, especially).
> i use logcheck to mail me the messages log every 15 mins
> Do you have a way for suspicious activity to be reported to you?
> logcheck, and portsentry as well
> Also, I'm tarring /usr and am going to run a diff on it compared to a
> clean install.
>
> Bret
>
> -----Original Message-----
> From: Redmond Militante [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 08, 2005 1:45 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
>
>
> hi
>
> [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> This one time, at band camp, Bret Walker said:
>
> > Redmond-
> >
> > Here is the response I got from the list.
> >
> > I also found another file - shellbind.c - it's essentially this -
> > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > (although phpBB has never been installed).
> >
> > I had register_globals on in PHP for a month+ because a reservation
> > system I was using required them. I now know better. We also had php
> > errors set to display for a while as bugs were being worked out.
> >
> > The owner of this file is www, so it was put in /tmp by the apache
> > daemon. I messed the file up trying to tar it, so I can't get a good
> > md5. Register globals and php file uploads are both off now. I don't
> > think the system was compromised because anything written to /tmp
> > (which is the temp dir php defaults to) could not be executed.
> >
> > Do you think we're safe to continue as is?
> >
>
> this person is telling you that slapper is nothing to worry about because
> it's a linux only virus - but if you didn't put httpd in /tmp then you
> should be worried about this situation.
>
> this is probably your call what you want to do.
>
> > Also, I would like to talk with you about what preventative measures
> > you take with herald. I know you run tripwire, but what else do you
> > do on a regular basis?
> >
>
> one thing i do is i read /var/log/messages every day. do you do that?
>
> > Bret
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mark A.
> > Garcia
> > Sent: Tuesday, February 08, 2005 9:57 AM
> > To: Bret Walker
> > Cc: freebsd-questions@freebsd.org
> > Subject: Re: httpd in /tmp - Sound advice sought
> >
> >
> > Bret Walker wrote:
> >
> > >Last night, I ran chkrootkit and it gave me a warning about being
> > >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL
> > >up to version 0.96d or older on Linux systems. I have only run
> > >0.97d. The file that set chkrootkit off was httpd which was located
> > >in /tmp. /tmp is always mounted rw, noexec.
> > >
> > >I update my packages (which are installed via ports) any time there
> > >is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> > >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> > >couple of weeks, but the only code that required it to be on was in a
> > >.htaccess/SSL password protected directory.
> > >
> > >Tripwire didn't show anything that I noted as odd. I reexamined the
> > >tripwire logs, which are e-mailed to an account off of the machine
> > >immediately after completion, and I don't see anything odd for the
> > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > >
> > >I stupidly deleted the httpd file from /tmp, which was smaller than
> > >the actual apache httpd. And I don't back up /tmp.
> > >
> > >The only info I can find regarding this file being in /tmp pertains
> > >to Slapper. Could something have copied a file there? Could I have
> > >done it by mistake at some point - the server's been up ~60 days,
> > >plenty of time for me to forget something?
> > >
> > >This is a production box that I very much want to keep up, so I'm
> > >seeking some sound advice.
> > >
> > >Does this box need to be rebuilt? How could a file get written to
> > >/tmp, and is it an issue since it couldn't be executed? I run
> > >tripwire nightly, and haven't seen anything odd to the best of my
> > >recollection. I also check ipfstat -t frequently to see if any odd
> > >connections are happening.
> > >
> > >I appreciate any sound advice on this matter.
> > >
> > >Thanks,
> > >Bret
> > >
> > >
> > Slapper is a linux only virus. You shouldn't have to worry about it
> > doing harm on your freebsd machine. Seeing as the binary was in your
> > tmp directory on your system, and that you might have not placed it
> > there, this could be a good reason for a host of other things to look
> > into. The httpd binary with 96d<= ssl is not a virus itself, just a
> > means to carry out the exploit. The slapper virus is a bunch of
> > c-code that is put in your tmp directory and the exploit allows one to
> > compile, chmod, and execute the code, leaving open a backdoor.
> >
> > chkrootkit does scan for the comparable scalper virus which is a
> > freebsd cousin to the slapper (in that they attempt to exploit the
> > machine via the apache conduit.)
> >
> > I would think real hard, if you did put the httpd binary in there. If
> > you are sure you didn't, and you are the only one with access to the
> > system, then I would be very very worried. Running tripwire and
> > chkrootkit on a periodic basis should help. Re-installing the os isn't
> > your only solution, but it does give comfort knowing that after a
> > reinstall, and locking down the box, no one has an in on your system.
> > This could be overboard though.
> >
> > You also might want to consider enabling the clean_tmp scripts. Next
> > time tar up those suspicious files, a quick forensics on them can do
> > wonders (md5sum, timestamps, ownership, permissions.)
> >
> > Cheers,
> > -.mag
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "[EMAIL PROTECTED]"
> >
>
> --
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386 1:30PM
> up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386 2:15PM
up 1 day, 2:06, 2 users, load averages: 0.07, 0.07, 0.13
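Editor's added example (not code from anyone in the thread). Mark's advice was to tar up a suspicious file and record md5, timestamps, ownership and permissions before doing anything else; Bret instead tried to handle /tmp/httpd by hand and lost both the file and a usable hash. The script below does that preservation step in POSIX sh so it works on both the FreeBSD box in the thread and a Linux host: it records the atime before anything reads the file, copies it with mode/owner/timestamps intact, hashes it, and checks the mount options of the filesystem the file sits on. The mount parsing takes mount(8) output in either the FreeBSD form ("dev on /mnt (ufs, local, noexec)") or the Linux form ("dev on /mnt type fs (rw,noexec)"); the sample output in the block is constructed for illustration. One caveat on the thread's reasoning: a noexec mount stops the kernel from execve()ing a binary stored there, but an attacker can still run "sh /tmp/x" or "perl /tmp/x.pl", so a noexec /tmp does not by itself prove nothing in it was ever run. The evidence directory name /var/evidence and the report format are this example's own choices; sha256 is used instead of the md5 the thread mentions.

```shell
#!/bin/sh
# Added example: preserve a suspicious file (e.g. /tmp/httpd) for later
# forensics without executing or modifying it, and report whether the
# filesystem it lives on is mounted noexec. Not code from the thread.
# Assumes POSIX sh plus ls, cp, awk, df, date, and one of sha256sum(1) (GNU),
# sha256(1) (FreeBSD) or openssl(1). Run as root so cp -p keeps ownership.
set -u

# hash_file FILE: print the SHA-256 hex digest with whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# preserve_evidence FILE DEST_DIR: write FILE's metadata to DEST_DIR/<name>.report.txt
# and copy FILE to DEST_DIR/<name>.bin with cp -p (mode, owner and times kept).
# Prints the report path. The file is only ever read, never chmod'ed or run.
preserve_evidence() {
    src=$1; dest=$2
    [ -f "$src" ] || { echo "preserve_evidence: not a regular file: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    base=$(basename "$src")
    report="$dest/$base.report.txt"
    {
        echo "file: $src"
        echo "collected: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        # ls -lu (atime) first: hashing and file(1) below read the file and
        # would update the access time. ls -l / -lu / -lc are POSIX; stat(1)
        # flags differ between GNU and BSD, so they are not used here.
        echo "atime: $(ls -lu "$src")"
        echo "mtime: $(ls -l "$src")"
        echo "ctime: $(ls -lc "$src")"
        echo "bytes: $(wc -c < "$src" | tr -d ' ')"
        echo "sha256: $(hash_file "$src")"
        if command -v file >/dev/null 2>&1; then
            echo "type: $(file -b "$src")"
        fi
    } > "$report" || return 1
    cp -p "$src" "$dest/$base.bin" || return 1
    echo "$report"
}

# mount_opts_from_lines MOUNTPOINT: read mount(8) output on stdin and print the
# option list for MOUNTPOINT, i.e. the text inside the parentheses. Handles
# "dev on /mp (ufs, local, noexec)" (FreeBSD) and "dev on /mp type t (rw,noexec)" (Linux).
mount_opts_from_lines() {
    awk -v mp="$1" '$3 == mp { sub(/^[^(]*\(/, ""); sub(/\)[^)]*$/, ""); print; exit }'
}

# has_opt OPTS OPT: succeed when OPT is one of the comma/space separated OPTS.
has_opt() {
    printf '%s\n' "$1" | awk -v o="$2" '
        BEGIN { rc = 1 }
        { n = split($0, a, /[, ]+/); for (i = 1; i <= n; i++) if (a[i] == o) rc = 0 }
        END { exit rc }'
}

# Constructed sample of mount(8) output in both formats, used for the checks
# below and as documentation of what mount_opts_from_lines expects.
SAMPLE_MOUNT_OUTPUT='/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/ad0s1e on /tmp (ufs, local, noexec, nosuid, soft-updates)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime)'

# Usage: sh triage.sh /tmp/httpd [/var/evidence]
if [ $# -ge 1 ]; then
    report=$(preserve_evidence "$1" "${2:-/var/evidence}") || exit 1
    mp=$(df -P "$1" | awk 'NR == 2 { print $NF }')
    opts=$(mount | mount_opts_from_lines "$mp")
    if has_opt "$opts" noexec; then
        echo "$mp is mounted noexec: direct execution blocked, but 'sh $1' would still run"
    else
        echo "WARNING: $mp is not mounted noexec"
    fi
    cat "$report"
fi
```

Keep the evidence directory on a filesystem that tripwire does scan, and add the report's hash to your notes before the next tripwire run so the copy itself is accounted for.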