From: Redmond Militante
To: Bret Walker
Date: Tue, 8 Feb 2005 13:45:03 -0600
Subject: Re: httpd in /tmp - Sound advice sought
Message-ID: <20050208194503.GA9298@darkpossum>
In-Reply-To: <01c601c50dfd$b77d3410$17336981@medill.northwestern.edu>
List: freebsd-questions@freebsd.org
User-Agent: Mutt/1.4.2.1i

hi

[Tue, Feb 08, 2005 at 10:46:19AM -0600] This one time, at band camp, Bret Walker said:
> Redmond-
>
> Here is the response I got from the list.
>
> I also found another file - shellbind.c - it's essentially this -
> http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> (although phpBB has never been installed).
>
> I had register_globals on in PHP for a month+ because a reservation system
> I was using required them. I now know better. We also had php errors set
> to display for a while as bugs were being worked out.
>
> The owner of this file is www, so it was put in /tmp by the apache daemon.
> I messed the file up trying to tar it, so I can't get a good md5.
> Register globals and php file uploads are both off now. I don't think the
> system was compromised because anything written to /tmp (which is the temp
> dir php defaults to) could not be executed.
>
> Do you think we're safe to continue as is?
>

this person is telling you that slapper is nothing to worry about because
it's a linux only virus - but if you didn't put httpd in /tmp then you
should be worried about this situation. this is probably your call what you
want to do.

> Also, I would like to talk with you about what preventative measures you
> take with herald. I know you run tripwire, but what else do you do on a
> regular basis?
>

one thing i do is i read /var/log/messages every day. do you do that?

> Bret
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mark A. Garcia
> Sent: Tuesday, February 08, 2005 9:57 AM
> To: Bret Walker
> Cc: freebsd-questions@freebsd.org
> Subject: Re: httpd in /tmp - Sound advice sought
>
> Bret Walker wrote:
>
> >Last night, I ran chkrootkit and it gave me a warning about being
> >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up
> >to version 0.96d or older on Linux systems. I have only run 0.97d.
> >The file that set chkrootkit off was httpd which was located in /tmp.
> >/tmp is always mounted rw, noexec.
> >
> >I update my packages (which are installed via ports) any time there is
> >a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> >couple of weeks, but the only code that required it to be on was in a
> >.htaccess/SSL password protected directory.
> >
> >Tripwire didn't show anything that I noted as odd. I reexamined the
> >tripwire logs, which are e-mailed to an account off of the machine
> >immediately after completion, and I don't see anything odd for the
> >3/4 days before or after the date on the file. (I don't scan /tmp)
> >
> >I stupidly deleted the httpd file from /tmp, which was smaller than the
> >actual apache httpd. And I don't back up /tmp.
> >
> >The only info I can find regarding this file being in /tmp pertains to
> >Slapper. Could something have copied a file there? Could I have done
> >it by mistake at some point - the server's been up ~60 days, plenty of
> >time for me to forget something?
> >
> >This is a production box that I very much want to keep up, so I'm seeking
> >some sound advice.
> >
> >Does this box need to be rebuilt? How could a file get written to
> >/tmp, and is it an issue since it couldn't be executed? I run tripwire
> >nightly, and haven't seen anything odd to the best of my recollection.
> >I also check ipfstat -t frequently to see if any odd connections are
> >happening.
> >
> >I appreciate any sound advice on this matter.
> >
> >Thanks,
> >Bret
> >
>
> Slapper is a linux only virus. You shouldn't have to worry about it
> doing harm on your freebsd machine. Seeing as the binary was in your
> tmp directory on your system, and that you might have not placed it
> there, this could be a good reason for a host of other things to look
> into. The httpd binary with 96d<= ssl is not a virus itself, just a
> means to carry out the exploit. The slapper virus is a bunch of c-code
> that is put in your tmp directory and the exploit allows one to compile,
> chmod, and execute the code, leaving open a backdoor.
>
> chkrootkit does scan for the comparable scalper virus which is a freebsd
> cousin to the slapper (in that they attempt to exploit the machine via
> the apache conduit.)
>
> I would think real hard, if you did put the httpd binary in there. If
> you are sure you didn't, and you are the only one with access to the
> system, then I would be very very worried. Running tripwire and
> chkrootkit on a periodic basis should help. Re-installing the os isn't
> your only solution, but it does give comfort knowing that after a
> reinstall, and locking down the box, no one has an in on your system.
> This could be overboard though.
>
> You also might want to consider enabling the clean_tmp scripts. Next
> time tar up those suspicious files, a quick forensics on them can do
> wonders (md5sum, timestamps, ownership, permissions.)
>
> Cheers,
> -.mag

--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
1:30PM up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19
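Mark's advice to tar up a suspicious file and record its md5sum, timestamps, ownership and permissions before touching it, and Bret's question of whether a file in a noexec /tmp matters, as an added example that is not part of the thread. The script below is constructed for illustration; the file name `httpd` and output directory are assumptions, and it uses `sha256sum` (or BSD `shasum`) in place of md5sum.

```shell
#!/bin/sh
# Added example (not from the thread): preserve a suspicious file for forensics
# before deleting it, recording the fields the reply lists (checksum, timestamps,
# ownership, permissions), and check whether its filesystem really is noexec.

# One-line evidence record for FILE: mode, owner, group, size, mtime, ctime, sha256.
evidence_record() {
    f="$1"
    [ -f "$f" ] || return 1
    if stat -c '%A' "$f" >/dev/null 2>&1; then   # GNU stat (Linux)
        meta=$(stat -c 'mode=%A owner=%U group=%G size=%s mtime="%y" ctime="%z"' "$f")
    else                                         # BSD stat (FreeBSD)
        meta=$(stat -f 'mode=%Sp owner=%Su group=%Sg size=%z mtime="%Sm" ctime="%Sc"' "$f")
    fi
    sum=$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f") | cut -d' ' -f1)
    printf '%s sha256=%s\n' "$meta" "$sum"
}

# Archive FILE into OUTDIR with tar (tar keeps owner, mode and mtime) next to its
# evidence record, then verify the archived copy matches the recorded hash.
# Returns 0 on success, 1 if the archived copy does not match.
preserve_suspect() {
    f="$1"; out="$2"
    mkdir -p "$out"
    name=$(basename "$f")
    evidence_record "$f" > "$out/$name.evidence" || return 1
    tar -cf "$out/$name.tar" -C "$(dirname "$f")" "$name"
    # Extract to a scratch directory and compare hashes before trusting the copy.
    tmp=$(mktemp -d)
    tar -xf "$out/$name.tar" -C "$tmp"
    want=$(sed 's/.*sha256=//' "$out/$name.evidence")
    got=$( (sha256sum "$tmp/$name" 2>/dev/null || shasum -a 256 "$tmp/$name") | cut -d' ' -f1)
    rm -rf "$tmp"
    [ "$want" = "$got" ]
}

# True if the filesystem holding FILE is mounted noexec. mount(8) prints
# "<device> on <mountpoint> ..." on both FreeBSD and Linux, with options after.
mount_is_noexec() {
    mp=$(df -P "$1" | awk 'NR==2 {print $6}')
    mount | awk -v mp="$mp" '$3 == mp' | grep -q noexec
}

# Usage: preserve_suspect /tmp/httpd /var/evidence && mount_is_noexec /tmp/httpd
```

A noexec mount blocks direct execution but not `sh file` or an interpreter reading the file, so the record and archive are worth keeping even when `mount_is_noexec` returns true.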