Date:      Tue, 8 Feb 2005 07:35:41 -0600
From:      "Bret Walker" <bret-walker@northwestern.edu>
To:        <freebsd-questions@freebsd.org>
Subject:   httpd in /tmp - Sound advice sought
Message-ID:  <014901c50de3$15518b10$17336981@medill.northwestern.edu>

Last night, I ran chkrootkit and it gave me a warning about being infected
with Slapper.  Slapper exploits vulnerabilities in OpenSSL up to version
0.96d or older on Linux systems.  I have only run 0.97d.  The file that
set chkrootkit off was httpd, which was located in /tmp.  /tmp is always
mounted rw, noexec.

I update my packages (which are installed via ports) any time there is a
security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
2.8.22/OpenSSL 0.97d on 4.10.  register_globals was on in PHP for a couple
of weeks, but the only code that required it to be on was in a
.htaccess/SSL password protected directory.

Tripwire didn't show anything that I noted as odd.  I reexamined the
tripwire logs, which are e-mailed to an account off of the machine
immediately after completion, and I don't see anything odd for the 3/4
days before or after the date on the file.  (I don't scan /tmp.)

I stupidly deleted the httpd file from /tmp, which was smaller than the
actual apache httpd.  And I don't back up /tmp.

The only info I can find regarding this file being in /tmp pertains to
Slapper.  Could something have copied a file there?  Could I have done it
by mistake at some point - the server's been up ~60 days, plenty of time
for me to forget something?

This is a production box that I very much want to keep up, so I'm seeking
some sound advice.

Does this box need to be rebuilt?  How could a file get written to /tmp,
and is it an issue since it couldn't be executed?  I run tripwire nightly,
and haven't seen anything odd to the best of my recollection.  I also
check ipfstat -t frequently to see if any odd connections are happening.

I appreciate any sound advice on this matter.

Thanks,
Bret
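The post above regrets deleting the suspicious /tmp/httpd before anyone could examine it. The following is an added example, not code from the poster or from the FreeBSD list: a small triage helper that walks a world-writable directory, flags regular files whose name matches a system daemon, carry an ELF header, or have an execute bit, and then preserves each hit (copy with timestamps, SHA-256 and a sidecar record) instead of removing it. The daemon watch-list and the sample directory it builds are constructed for this example; the script touches nothing outside the directory you hand it.

```python
"""Triage helper for unexpected files in /tmp-style directories.

Added example (not from the original mailing-list post). It finds and
preserves suspicious regular files so that hashes and timestamps survive
for later comparison against package checksums or Tripwire databases.
"""
import hashlib
import os
import shutil
import stat
import tempfile
import time
from dataclasses import dataclass, field

# Constructed watch-list: daemon names that belong under /usr/sbin or
# /usr/local/sbin and have no business sitting in /tmp as regular files.
SUSPICIOUS_NAMES = {"httpd", "sshd", "inetd", "named"}
ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF executable


@dataclass
class Finding:
    path: str
    size: int
    sha256: str
    mtime: float
    is_elf: bool
    exec_bit: bool
    reasons: list = field(default_factory=list)


def _sha256(path):
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tmp(tmp_dir, watch=SUSPICIOUS_NAMES):
    """Return a Finding for every regular file that trips at least one heuristic.

    A noexec mount stops direct execution but not the write itself, so the
    file's mere presence (not its execute bit) is what we record.
    """
    findings = []
    for root, _dirs, files in os.walk(tmp_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: never follow a planted symlink
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            with open(path, "rb") as fh:
                is_elf = fh.read(4) == ELF_MAGIC
            exec_bit = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            reasons = []
            if name in watch:
                reasons.append("name matches a system daemon")
            if is_elf:
                reasons.append("ELF binary")
            if exec_bit:
                reasons.append("executable bit set")
            if reasons:
                findings.append(Finding(path, st.st_size, _sha256(path),
                                        st.st_mtime, is_elf, exec_bit, reasons))
    return findings


def preserve(finding, evidence_dir):
    """Copy the file (metadata included) and write a sidecar record. Never deletes."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir,
                        finding.sha256[:16] + "_" + os.path.basename(finding.path))
    shutil.copy2(finding.path, dest)  # copy2 keeps mtime for timeline work
    record = (f"original: {finding.path}\n"
              f"size: {finding.size}\n"
              f"sha256: {finding.sha256}\n"
              f"mtime: {time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(finding.mtime))} UTC\n"
              f"reasons: {', '.join(finding.reasons)}\n")
    with open(dest + ".txt", "w") as fh:
        fh.write(record)
    return {"copy": dest, "record": record}


def make_sample_tmp():
    """Constructed sample: a harmless note plus a non-executable file named
    'httpd' that starts with an ELF header (header bytes only, not a program)."""
    d = tempfile.mkdtemp(prefix="tmp_triage_")
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("nothing to see\n")
    planted = os.path.join(d, "httpd")
    with open(planted, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 60)
    os.chmod(planted, 0o644)  # no execute bit, as on a noexec /tmp
    return d


if __name__ == "__main__":
    sample = make_sample_tmp()
    for f in scan_tmp(sample):
        out = preserve(f, os.path.join(sample, "evidence"))
        print(out["copy"], "|", "; ".join(f.reasons))
```

Run it against the real directory with `scan_tmp("/tmp")` and an evidence directory on a different filesystem; the sidecar's SHA-256 is what you would compare against the checksum of the packaged httpd to decide whether the file was a stray copy or something foreign.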

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?014901c50de3$15518b10$17336981>