From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 13:32:25 2005
From: Ken Hawkins
To: freebsd-security@freebsd.org
Date: Thu, 11 Aug 2005 09:32:22 -0400
Message-Id: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com>
Subject: newbie with www user security problem

Many, MANY apologies up front if I have sent this to the wrong place! I am inherently a software engineer who now gets to monitor a mail server (don't ask).
Anyway, I get an email message from a user that alerts me that we have been hacked by a spammer, and the mail message header is:

------------- Forwarded message follows -------------
X-Auth-No:
Return-Path:
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com with Novonyx SMTP Server $Revision: 2.75.1.9 $; Wed, 10 Aug 2005 14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1]) by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410; Wed, 10 Aug 2005 14:47:04 -0500 (CDT) (envelope-from www@web1.prosoundweb.com)
Received: (from www@localhost) by web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958; Wed, 10 Aug 2005 13:23:49 -0500 (CDT) (envelope-from www)
To: webmaster@prosoundweb.com
Subject: All warez and porno in one place
Reply-to: webmaster@prosoundweb.com
From: webmaster@prosoundweb.com
Message-ID:
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Wed, 10 Aug 2005 13:23:49 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113

It appears that someone has hacked the www password. At least I think so, and here is where the questions start....

Am I correct in thinking that someone has hacked the www password and has used the phpBB2 functionality (forum nightmare) to send spam mail out? What can I do about it other than have the www password changed? If I change it, will this action at least deter the spammer? What else will this affect by changing the password? Can anyone shoot me a URL / example / explanation of how to button up this hole?

THANK YOU, THANK YOU, THANK YOU in advance!
ken;

From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 13:46:58 2005
From: Stijn Hoop
To: Ken Hawkins
Date: Thu, 11 Aug 2005 15:46:50 +0200
Message-ID: <20050811134650.GC26471@pcwin002.win.tue.nl>
References: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com>
In-Reply-To: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com>
Cc: freebsd-security@freebsd.org
Subject: Re: newbie with www user security problem

On Thu, Aug 11, 2005 at 09:32:22AM -0400, Ken Hawkins wrote:
> we have been hacked by a spammer
[snip]
> X-AntiAbuse: Board servername - srforum.prosoundweb.com

Ouch. You appear to be running a phpBB installation from 2002 (version 2.0.6). That's asking for trouble. A lot of exploits have been found in phpBB since that time, see

http://www.phpbb.com/support/documents.php?mode=changelog

and

http://www.vuxml.org/freebsd/pkg-phpbb.html

There are lots of automated scripts running on already compromised machines that scan other machines for these vulnerabilities. Assuming that is how the spammer got in, there is no telling what he has done after that.

You must assume that your machine has been fully compromised. The only way to know for sure that your machine is clean again is to build a new machine from scratch and transfer all your _non-executable_ data to it.

You _might_ be able to get away with identifying any and all processes, removing suspicious data from /tmp, /var/tmp and any other OS place, changing passwords on _all_ accounts (but especially sensitive ones like root, your own and www). But you might not find the one backdoor that the spammer left and then you're back to square one again.

It's your choice.

To prevent this from happening, perform regular port updates and make sure to subscribe to the announcement list of high-profile publicly accessible software that you run.

Good luck.
--Stijn
-- 
A "No" uttered from deepest conviction is better and greater than a "Yes" merely uttered to please, or what is worse, to avoid trouble.
-- Mahatma Gandhi

From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 14:50:28 2005
From: jimmy@inet-solutions.be
To: Stijn Hoop
Cc: freebsd-security@freebsd.org, Ken Hawkins
Date: Thu, 11 Aug 2005 16:54:10 +0200
Message-ID: <1123772050.42fb669291ae3@webmail.boxke.be>
References: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com> <20050811134650.GC26471@pcwin002.win.tue.nl>
In-Reply-To: <20050811134650.GC26471@pcwin002.win.tue.nl>
Subject: Re: newbie with www user security problem

Quoting Stijn Hoop:
[snip]
If the box in question was locally secure, you don't have to worry that much.

If it's a long time since you've updated your base, are sloppy with passwords on the box in question, haven't updated your daemons/setuid packages in weeks, then the box should be considered a total loss.

Just think in terms of "what are the possible things I could do if my UID were 'www'".

I for example have webservers running in chroot, on a partition that is nosuid, and a starred-out password for the user 'www'. The thing you are describing happens sometimes because users do not update their phpBBs either.
I'm not afraid since the kiddo would have the same access as a customer, which I cannot trust either. If you don't know the box IS secure, it isn't; there is a lot of work involved in keeping things like this "under control".

Kind Regards,
Jimmy Scott

From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 15:05:48 2005
From: Stijn Hoop
To: jimmy@inet-solutions.be
Date: Thu, 11 Aug 2005 17:04:34 +0200
Message-ID: <20050811150434.GD26471@pcwin002.win.tue.nl>
References: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com>
<20050811134650.GC26471@pcwin002.win.tue.nl> <1123772050.42fb669291ae3@webmail.boxke.be>
In-Reply-To: <1123772050.42fb669291ae3@webmail.boxke.be>
Cc: freebsd-security@freebsd.org, Ken Hawkins
Subject: Re: newbie with www user security problem

On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy@inet-solutions.be wrote:
> If the box in question was locally secure, you don't have to worry that much.

Correct of course, but seeing as the OP admitted to not knowing a lot about the administration of this machine, I don't think local security was very high.

> If it's a long time since you've updated your base, are sloppy with passwords
> on the box in question, haven't updated your daemons/setuid packages in weeks,
> then the box should be considered a total loss.
>
> Just think in terms of "what are the possible things I could do if my UID were
> 'www'"

There might be some less obvious things, especially if the base OS is as far behind as the phpBB installation.

> I for example have webservers running in chroot, on a partition that is
> nosuid, and a starred-out password for the user 'www'. The thing you are
> describing happens sometimes because users do not update their phpBBs
> either. I'm not afraid since the kiddo would have the same access as a
> customer, which I cannot trust either.
> If you don't know the box IS secure,
> it isn't; there is a lot of work involved in keeping things like this
> "under control".

Totally true, and good advice for setting up access for customers / etc.

--Stijn
-- 
Coughlin's law: never show surprise, never lose your cool.
-- Cocktail

From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 15:32:54 2005
In-Reply-To: <20050811150434.GD26471@pcwin002.win.tue.nl>
References: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com> <20050811134650.GC26471@pcwin002.win.tue.nl> <1123772050.42fb669291ae3@webmail.boxke.be> <20050811150434.GD26471@pcwin002.win.tue.nl>
Message-Id: <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>
From: Ken Hawkins
Date: Thu,
11 Aug 2005 11:32:44 -0400
To: freebsd-security@freebsd.org
Subject: Re: newbie with www user security problem

The box is secure, that much I have found out. The only problems have been with this email spamming. Nothing in the tmp dirs out of the ordinary and no missing files, running scripts, etc. I have changed everyone's passwords on the box, *'d the www password, ensured there is no shell with the www user, etc.

I am in the process of upgrading the ports now and there are problems (of course). The ports seem to have been mangled, as the listing in /var/db/ports does not match what I KNOW is running on the box. The person I have inherited this from manually deleted from /var/db/ports to get some of the applications to re-install! Gotta love that!

Well, here I come port fix hell! This is a production box and can't be taken off line as of this moment, so I am going to have to attempt on the fly fixing / upgrading of the ports. I would love to wipe it but it is just not a possibility right now.

Thanks for all your help and insight. Even those of you who tried to tell me I was lost... :)

ken;

Ken Hawkins
Product Manager/Software Development
Broadjam Inc.
313 W. Beltline Hwy, Suite 147
Madison, WI 53713
P: 404-323-7493
F: 608-273-3635
W: www.broadjam.com
On Aug 11, 2005, at 11:04 AM, Stijn Hoop wrote:
[snip]
From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 15:50:25 2005
From: Yann Golanski
To: Ken Hawkins
Cc: freebsd-security@freebsd.org
Date: Thu, 11 Aug 2005 16:50:23 +0100
Message-ID: <20050811155023.GA83536@kierun.org>
In-Reply-To: <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>
Subject: Re: newbie with www user security problem

Quoth Ken Hawkins on Thu, Aug 11, 2005 at 11:32:44 -0400
> The box is secure, that much I have found
> out. The only problems have been with this email spamming. Nothing in
> the tmp dirs out of the ordinary and no missing files, running scripts,
> etc. I have changed everyone's passwords on the box, *'d the www
> password, ensured there is no shell with the www user, etc.

Have you run chkrootkit on it?

> I am in the process of upgrading the ports now and there are problems
> (of course). The ports seem to have been mangled, as the listing in
> /var/db/ports does not match what I KNOW is running on the box. The
> person I have inherited this from manually deleted from /var/db/ports
> to get some of the applications to re-install! Gotta love that!

ICK! Make sure your database is fine, otherwise you'll get into no end of trouble.

> Well, here I come port fix hell! This is a production box and can't be
> taken off line as of this moment, so I am going to have to attempt on
> the fly fixing / upgrading of the ports. I would love to wipe it but
> it is just not a possibility right now.

Oh dear. How about leaving it as is -- minus the spam emailer -- and rebuilding another one to replace it?
-- 
yann@kierun.org -=*=- www.kierun.org
PGP: 009D 7287 C4A7 FD4F 1680 06E4 F751 7006 9DE2 6318

From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 16:12:30 2005
From: Arne Wörner
To: Ken Hawkins, freebsd-security@freebsd.org
Date: Thu, 11 Aug 2005 09:12:30 -0700 (PDT)
Message-ID: <20050811161230.72112.qmail@web41204.mail.yahoo.com>
In-Reply-To: <32C41BA6-A923-4A01-B332-8B73E39561B1@rosewoodblues.com>
Subject: Re: newbie with www user security problem
--- Ken Hawkins wrote:
> Well, here I come port fix hell! This is a production box
> and can't be taken off line as of this moment, so I am
> going to have to attempt on the fly fixing / upgrading
> of the ports. I would love to wipe it but it is just
> not a possibility right now.

What about this plan (I call it alan-parson-project):
1. installing everything to a cold-standby box (new box)
2. testing if everything would work fine... :-)
(3. transferring the database)
4. halting the production system
(5. transferring the brand new database updates)
6. making the new box the old box (by changing the IP or DNS or so)...

-Arne

-- 
Arne likes Austin Powers and Mr. Anderson's black thumb nail in The Matrix... ;-))

From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 16:26:05 2005
From: Ken Hawkins
To: Arne Wörner
Cc: freebsd-security@freebsd.org
Date: Thu, 11 Aug 2005 12:25:58 -0400
In-Reply-To: <20050811161230.72112.qmail@web41204.mail.yahoo.com>
References: <20050811161230.72112.qmail@web41204.mail.yahoo.com>
Subject: Re: newbie with www user security problem

That is (almost) exactly what I am going to do. It is going as is till I get another box in place.....

ken;

On Aug 11, 2005, at 12:12 PM, Arne Wörner wrote:
[snip]
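The forwarded header in Ken's first message is the evidence the whole thread turns on: a local sendmail submission from www@localhost, X-Mailer: PHP and phpBB's X-AntiAbuse fields. The following Python script is an added example, not code from the thread or from any of its participants: it unfolds a header block, walks the Received chain back to the first hop and flags mail injected locally by the web-server account, reporting the submitting host and the board account/IP that triggered it. The two header samples are constructed (the first modelled on the forwarded message above), and the set of web-server account names is an assumption.

```python
import re

# Assumption: account(s) the web server runs as. FreeBSD's Apache port uses
# "www"; add others (e.g. "nobody") if your server runs differently.
WEB_USERS = {"www"}

# Constructed sample, modelled on the forwarded header quoted in the thread
# (transport details shortened); it is test data, not a captured message.
SAMPLE_INJECTED = """\
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com
    with Novonyx SMTP Server; Wed, 10 Aug 2005 14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1])
    by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410;
    Wed, 10 Aug 2005 14:47:04 -0500 (CDT)
    (envelope-from www@web1.prosoundweb.com)
Received: (from www@localhost)
    by web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958;
    Wed, 10 Aug 2005 13:23:49 -0500 (CDT)
    (envelope-from www)
To: webmaster@prosoundweb.com
Subject: All warez and porno in one place
From: webmaster@prosoundweb.com
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113
"""

# Constructed ordinary message, used as the negative case.
SAMPLE_CLEAN = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.net (Postfix) with ESMTP id 0123ABCD;
    Thu, 11 Aug 2005 10:00:00 +0000 (UTC)
    (envelope-from alice@example.org)
From: alice@example.org
To: bob@example.net
Subject: hello
X-Mailer: Mutt/1.4.2.1i
"""


def parse_headers(text):
    """Unfold header lines and return (name, value) pairs in original order."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            # Folded continuation line: append it to the previous header value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def received_chain(headers):
    """Received headers in delivery order; the last one in the block is the first hop."""
    hops = [v for n, v in headers if n.lower() == "received"]
    hops.reverse()
    return hops


def triage(text):
    """Decide whether a message was injected locally by a web-server account."""
    headers = parse_headers(text)
    hops = received_chain(headers)
    first_hop = hops[0] if hops else ""

    # sendmail's "Received: (from user@localhost) by host (.../Submit)" records a
    # local submission; "(envelope-from user)" repeats the submitting account.
    local = re.search(r"\(from ([^@\s)]+)@localhost\)", first_hop)
    envelope = re.search(r"\(envelope-from ([^)\s]+)\)", first_hop)
    by_host = re.search(r"\bby (\S+)", first_hop)
    local_user = local.group(1) if local else None
    env_user = envelope.group(1).split("@")[0] if envelope else None

    mailer = next((v for n, v in headers if n.lower() == "x-mailer"), "")
    php_mailer = mailer.upper().startswith("PHP")

    # phpBB's "X-AntiAbuse: <field> - <value>" headers name the board account
    # and client IP that triggered the mail; keep them for the follow-up.
    antiabuse = {}
    for n, v in headers:
        if n.lower() == "x-antiabuse":
            key, _, val = v.partition(" - ")
            antiabuse[key.strip()] = val.strip()

    from_web_account = local_user in WEB_USERS or env_user in WEB_USERS
    return {
        "submitting_host": by_host.group(1) if by_host else None,
        "local_submission_user": local_user,
        "envelope_user": env_user,
        "php_mailer": php_mailer,
        "antiabuse": antiabuse,
        "hops": len(hops),
        "web_script_injection": from_web_account and (php_mailer or bool(antiabuse)),
    }


if __name__ == "__main__":
    for label, sample in (("forwarded spam", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample))
```

A positive result points at the host named in the first hop (here the web server itself) and at the application account, not at a stolen system password, which is the distinction Stijn's reply draws.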