From owner-freebsd-questions@FreeBSD.ORG Mon Mar 8 12:56:11 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1387116A4CF; Mon, 8 Mar 2004 12:56:11 -0800 (PST)
Received: from kanga.honeypot.net (kanga.honeypot.net [208.162.254.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6E60943D1F; Mon, 8 Mar 2004 12:56:10 -0800 (PST) (envelope-from kirk@strauser.com)
Received: from pooh.strauser.com (pooh.honeypot.net [10.0.5.128]) by kanga.honeypot.net (8.12.10/8.12.10) with ESMTP id i28Ku8Zv004760; Mon, 8 Mar 2004 14:56:09 -0600 (CST) (envelope-from kirk@strauser.com)
From: Kirk Strauser
To: freebsd-questions@freebsd.org
Date: Mon, 08 Mar 2004 14:56:08 -0600
Subject: Re: hacked
Message-ID: <87y8qbkqhj.fsf@strauser.com>
In-Reply-To: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com> (re re's message of "Tue, 09 Mar 2004 02:56:15 +0800")
References: <20040308185615.9C4CC4160BD@ws5-2.us4.outblaze.com>
X-Mailer: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (gnu/linux)
X-Virus-Scanned: ClamAV version 'clamd / ClamAV version 0.65', clamav-milter version '0.60p'
List-Id: User questions

At 2004-03-08T18:56:15Z, "re re" writes:

> hello despite having ipfilter blocking all ports except 80 21 and 22,
> tripwire, and scoring 999999 in nmap, my website got defaced.

"Despite locking my door to my house, pulling the curtains, and sitting in a dark living room with a loaded gun and a Dobermann Pinscher, someone broke into my office."
Your server is probably relatively secure - congratulations on proactively defending your system. However, even the most secure system in the world can run cruddy applications. If your website was running PHPNuke or something from Matt's Script Archive, then don't be surprised if your website (and possibly other files readable or writeable by the user Apache runs under) has been altered. This can be annoying, but doesn't mean that the rest of your system is 0wn3d.

You mention that you have Tripwire. Excellent! The very first step is to audit that changelog like the life of your server depends on it (hint: it does). Personally, if there are more than a handful of changes to /usr/src or /usr/ports, then I'd nuke those subdirectories and repopulate them from a trusted backup or another server. Basically, don't waste hours trying to decide whether cvsup or a cracker altered /usr/ports/shells/bash2/Makefile when it's very simple to restore a known-good copy.

Also, get in the habit of checking and updating your Tripwire database immediately before major file-updating processes like "make update", "make installworld", etc. That way, you can reduce a vast number of false positives from the change list so that this is an easier task next time.

Next, Keep Your Public Services Updated (tm). Don't run an old version of Apache or phpBB if you value your security. Any skript-kiddie has an arsenal of web service attacks for popular systems. Repeat: keep up with those security patches!

Good luck. It sounds like you're doing the right things. Just keep current, keep your firewall tight, don't run stuff you don't need, and keep using Tripwire.
-- 
Kirk Strauser
"94 outdated ports on the box, 94 outdated ports. Portupgrade one, an hour 'til done, 82 outdated ports on the box."
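Worked example (added here for the corpus; it is not part of Kirk's reply, nor Tripwire's own code): a minimal Tripwire-style integrity check in POSIX shell that illustrates the two habits the reply recommends, auditing the change report after an incident and refreshing the baseline immediately before a planned update so the next report is not buried in false positives. The site layout, file contents, the "defacement" and the dropped x.php are all constructed for the demo; the only external tool assumed is a SHA-256 hasher (sha256sum, shasum, or FreeBSD's sha256).

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style integrity check in POSIX sh.
# It records a SHA-256 baseline of a tree, compares a later snapshot
# against it, and shows why the baseline must be refreshed right before
# a planned update (otherwise every legitimate change is a false positive).
# All paths and file contents below are constructed for the demo.

# Hash one file with whichever SHA-256 tool the host provides
# (sha256sum on Linux, shasum on macOS, sha256 on FreeBSD).
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# snapshot DIR OUT: write one "hash<TAB>relative-path" line per regular
# file under DIR, sorted so two snapshots are directly comparable.
# (Real Tripwire also records mode, owner, size and mtime.)
snapshot() {
    dir=$1
    out=$2
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hashfile "$f")" "${f#"$dir"/}" >> "$out"
    done
}

# compare BASELINE CURRENT: print ADDED / CHANGED / REMOVED lines.
# Prints nothing when the tree still matches the baseline.
compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))        print "ADDED   " $2
            else if (base[$2] != $1)  print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Build a throwaway "site" in a temp dir so the demo runs offline.
make_site() {
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/site/htdocs" "$root/db"
    printf '<h1>Welcome</h1>\n' > "$root/site/htdocs/index.html"
    printf '<?php echo "news"; ?>\n' > "$root/site/htdocs/news.php"
    printf '%s\n' "$root"
}

# Scenario 1: baseline taken while the site is known-good, then a
# constructed defacement plus a dropped file. This report is what the
# admin should be auditing after the incident.
demo_defacement() {
    root=$(make_site)
    snapshot "$root/site" "$root/db/baseline"
    printf '<h1>0wn3d</h1>\n' > "$root/site/htdocs/index.html"
    printf 'dropped file\n' > "$root/site/htdocs/x.php"
    snapshot "$root/site" "$root/db/current"
    compare "$root/db/baseline" "$root/db/current"
    rm -rf "$root"
}

# Scenario 2: the "update the database right before a planned update"
# habit. A legitimate change is made, the baseline is refreshed, and the
# next check comes back clean instead of hiding real changes in noise.
demo_planned_update() {
    root=$(make_site)
    snapshot "$root/site" "$root/db/baseline"
    printf '<?php echo "news v2"; ?>\n' > "$root/site/htdocs/news.php"  # planned change
    snapshot "$root/site" "$root/db/baseline"                            # refresh baseline
    snapshot "$root/site" "$root/db/current"
    compare "$root/db/baseline" "$root/db/current"
    rm -rf "$root"
}

if [ "${1:-}" = "run" ]; then
    echo "== after defacement =="; demo_defacement
    echo "== after planned update (baseline refreshed) =="; demo_planned_update
fi
```

Run it as `sh integrity.sh run`. The first scenario reports `ADDED htdocs/x.php` and `CHANGED htdocs/index.html`; the second prints nothing, because the baseline was re-taken after the planned change. The baseline file is only as trustworthy as where it lives: keep it (and the script) off the web tree and on media the Apache user cannot write, or an intruder who can alter index.html can just as easily alter the record you compare against.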