On 2014-08-15, Scott Bonds wrote:
> I thought I was being reasonably careful: ssh disabled for root,
> key-only login on my admin account, following stable, etc...then again,
> I'm running owncloud and a bunch of other (no doubt less secure)
> software. Perhaps I should separate the router and 'everything else'
> roles, so that the router only has builtin OpenBSD software on it, no
> packages. Then again, whatever the exploit, they could probably still
> use it on the newly separated 'everything else' box. Anyway, I clearly
> have a lot to learn about security.
Web application security is often not that great, and popular programs are subject to a lot of investigation (phpmyadmin, owncloud, wordpress, joomla, piwik, ...) - looking through 404s in error_log on pretty much any internet-facing web server will identify some of these.

To reduce risk of web applications that you run which shouldn't be accessible to the public, you can do things like use your packet filter or http daemon's access controls to prevent unauthorised users from being able to access the code at all. Or make it unroutable; only access over VPN or SSH tunnel.

Other generally useful things to consider: reject (and ideally log and investigate) unexpected *outgoing* connections. Check web server logs for unusual entries. And as you have suggested, isolating services reduces the scope of a breach.

> On Thu, Aug 14, 2014 at 09:23:54PM -0400, Ted Unangst wrote:
>> Bad news: yeah. They appear to have screwed up their rootkit by
>> installing the i386 edition, ...

dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped

That isn't even for OpenBSD, file(1) would say "for OpenBSD". That's only one of the executables though; perhaps the others might be for a range of OS...

So they clearly had root and access outside of any chroot jail (if your httpd and/or php-fpm was using one) but don't seem to have done much in the way of targeted probing. Web server isn't necessarily the infection route but I'd think it was high probability; if you're lucky you might still have the evidence of the infection route in web server access logs.
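As an added example of the log review suggested in the reply above (not part of the original message or thread), this POSIX sh script summarises 404 probes per client and lists requests to well-known web-app paths in a combined-format access log. The log lines are constructed, and the path-prefix list is an assumption built from the application names mentioned above.

```shell
#!/bin/sh
# Added example, not code from the original thread. Reviews a combined-format
# web server access log for 404 probes and for requests to well-known web-app
# paths (the apps named in the reply). All sample log lines are constructed.

# Constructed sample log: one client probing for admin panels, one real
# owncloud user, one ordinary visitor.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [14/Aug/2014:21:03:11 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2014:21:03:12 -0400] "GET /pma/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2014:21:03:14 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2014:21:06:02 -0400] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Aug/2014:21:05:40 -0400] "GET /owncloud/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Aug/2014:21:07:15 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [14/Aug/2014:21:07:16 -0400] "GET /favicon.ico HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.22 - - [14/Aug/2014:21:09:30 -0400] "POST /owncloud/index.php/apps/files/ajax/upload.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
EOF
)

# Combined log format fields as awk sees them: $1 client, $7 request path,
# $9 status. Each function reads the log on stdin.

# Distinct client/path pairs that drew a 404, most frequent first.
# Repeated misses from one client against several admin-panel paths are
# the scanning pattern the reply describes.
probe_404s() {
    awk '$9 == 404 { n[$1 " " $7]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Every request (any status) to a well-known web-app path prefix; these are
# the entries to read closely when looking for the infection route.
# The prefix list is an assumption, built from the apps named in the reply.
webapp_hits() {
    awk 'tolower($7) ~ /^\/(phpmyadmin|pma|owncloud|wp-|wordpress|administrator|piwik)/ {
             print $1, $9, $7 }'
}

# Number of distinct clients that triggered any 404, as a quick severity read.
count_404_clients() {
    awk '$9 == 404 { c[$1] = 1 } END { n = 0; for (k in c) n++; print n }'
}

echo "== 404 probes (count client path) =="
printf '%s\n' "$SAMPLE_LOG" | probe_404s
echo "== requests to web-app paths (client status path) =="
printf '%s\n' "$SAMPLE_LOG" | webapp_hits
echo "== clients with 404s: $(printf '%s\n' "$SAMPLE_LOG" | count_404_clients)"
```

On a real host, replace the constructed sample with the access log on stdin (for example `probe_404s < /var/www/logs/access.log`) and extend the prefix list to the applications actually installed.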

