From: Allan Jude <allanjude@freebsd.org>
To: freebsd-hackers@freebsd.org
Subject: Re: FreeBSD and Mayhem – a hidden threat for *nix web servers
Date: Wed, 17 Feb 2016 10:55:24 -0500
Message-ID: <56C497EC.20704@freebsd.org>

On 2016-02-17 09:28, Andrey Fesenko wrote:
> Hello,
> There is a vulnerability:
> https://www.virusbulletin.com/virusbulletin/2014/07/mayhem-hidden-threat-nix-web-servers?utm_content=buffercd266&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
> Are there known methods to block it and protect FreeBSD from it?

Note that that post is from 2014.

Make sure you are not running a vulnerable version of popular PHP software like Wordpress, Drupal, or Joomla.

If possible, keep the directories where the PHP scripts are run locked down with permissions, or better yet, on a separate ZFS dataset with the readonly property turned on.

Mount the /tmp directory (and possibly the PHP directories) noexec, so that scripts and binaries dropped by attempts to exploit your web apps will not run.

As far as general advice: use jails to contain your webserver, and ZFS snapshots to be able to 'undo' anything that does happen.

-- 
Allan Jude
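As an added example that is not part of Allan's message or the original thread, the following POSIX sh script audits the two mount-level controls he recommends: noexec on /tmp and on the PHP directories, and readonly=on on the web-root dataset. The dataset name zroot/www, the web root /usr/local/www and the sample command output are assumptions constructed for the example; on a live host the two inputs would come from `mount -p` and `zfs get -H -o name,value readonly`.

```shell
#!/bin/sh
# Added example: audit noexec mounts and a readonly ZFS web-root dataset.
# Names (zroot/www, /usr/local/www) and the sample outputs are assumptions.

# Constructed sample of `mount -p` output (fstab format: dev mountpoint fstype opts dump pass).
SAMPLE_MOUNTS='zroot/ROOT/default / zfs rw 0 0
zroot/tmp /tmp zfs rw,noexec,nosuid 0 0
zroot/www /usr/local/www zfs rw 0 0'

# Constructed sample of `zfs get -H -o name,value readonly zroot/www` output.
SAMPLE_READONLY='zroot/www off'

# has_opt <mount-output> <mountpoint> <option>: exit 0 if the mount carries the option.
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

# zfs_readonly <zfs-get-output> <dataset>: exit 0 if the dataset has readonly=on.
zfs_readonly() {
    printf '%s\n' "$1" | awk -v ds="$2" \
        '$1 == ds && $2 == "on" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# audit_mounts <mount-output> <zfs-get-output>: print one line per failed
# check and return the number of failures (0 means fully hardened).
# Remediation on a real host (as root, assumed dataset names):
#   zfs set readonly=on zroot/www      # web root becomes read-only
#   zfs set exec=off zroot/tmp         # ZFS exec=off mounts the dataset noexec
#   (or add "noexec" to the /tmp line in /etc/fstab for a non-ZFS /tmp)
audit_mounts() {
    fails=0
    has_opt "$1" /tmp noexec           || { echo "FAIL: /tmp is not mounted noexec"; fails=$((fails + 1)); }
    has_opt "$1" /usr/local/www noexec || { echo "FAIL: web root is not mounted noexec"; fails=$((fails + 1)); }
    zfs_readonly "$2" zroot/www        || { echo "FAIL: zroot/www has readonly=off"; fails=$((fails + 1)); }
    return $fails
}

audit_mounts "$SAMPLE_MOUNTS" "$SAMPLE_READONLY"
echo "failed checks: $?"
```

With the constructed samples, /tmp passes while the web root fails both checks, so the script reports two failures.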