Date:      Tue, 8 Feb 2005 07:35:41 -0600
From:      "Bret Walker" <bret-walker@northwestern.edu>
To:        <freebsd-questions@freebsd.org>
Subject:   httpd in /tmp - Sound advice sought
Message-ID:  <014901c50de3$15518b10$17336981@medill.northwestern.edu>


Last night, I ran chkrootkit and it gave me a warning about being infected
with Slapper.  Slapper exploits vulnerabilities in OpenSSL up to version
0.96d or older on Linux systems.  I have only run 0.97d.  The file that
set chkrootkit off was httpd, which was located in /tmp.  /tmp is always
mounted rw, noexec.

I update my packages (which are installed via ports) any time there is a
security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a couple
of weeks, but the only code that required it to be on was in a
.htaccess/SSL password protected directory.

Tripwire didn't show anything that I noted as odd.  I reexamined the
tripwire logs, which are e-mailed to an account off of the machine
immediately after completion, and I don't see anything odd for the 3/4
days before or after the date on the file.  (I don't scan /tmp)

I stupidly deleted the httpd file from /tmp, which was smaller than the
actual apache httpd.  And I don't back up /tmp.

The only info I can find regarding this file being in /tmp pertains to
Slapper.  Could something have copied a file there?  Could I have done it
by mistake at some point - the server's been up ~60 days, plenty of time
for me to forget something?

This is a production box that I very much want to keep up, so I'm seeking
some sound advice.

Does this box need to be rebuilt?  How could a file get written to /tmp,
and is it an issue since it couldn't be executed?  I run tripwire nightly,
and haven't seen anything odd to the best of my recollection.  I also
check ipfstat -t frequently to see if any odd connections are happening.

I appreciate any sound advice on this matter.

Thanks,
Bret
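
As an added example that is not part of Bret's post or of any FreeBSD tool: a small POSIX sh script that parses mount(8)-style output and reports whether /tmp and other writable filesystems carry noexec and nosuid, the check a defender would run before deciding how much the noexec mount actually limits a file dropped there. The sample mount table is constructed, and MOUNT_TABLE, mount_opts, has_opt and report are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: check whether writable scratch
# filesystems are mounted noexec (and nosuid) by parsing `mount`-style lines.
# MOUNT_TABLE defaults to a constructed sample; set MOUNT_TABLE="$(mount)"
# to inspect the running system instead.

SAMPLE_MOUNTS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1e on /tmp (ufs, local, noexec, soft-updates)
/dev/ad0s1f on /var (ufs, local, soft-updates)
procfs on /proc (procfs, local)'
: "${MOUNT_TABLE:=$SAMPLE_MOUNTS}"

# mount_opts PATH: print the comma-separated option list of the filesystem
# mounted at PATH, reading mount(8) output lines from stdin.
mount_opts() {
    awk -v want="$1" '$2 == "on" && $3 == want {
        sub(/^.*\(/, ""); sub(/\)$/, ""); gsub(/ /, ""); print; exit }'
}

# has_opt PATH OPT: succeed if the filesystem at PATH carries option OPT.
has_opt() {
    printf '%s\n' "$MOUNT_TABLE" | mount_opts "$1" | tr ',' '\n' | grep -qx "$2"
}

# report PATH: print a one-line verdict and return 0 (noexec+nosuid),
# 1 (noexec only), 2 (executable) or 3 (not its own mount, so it inherits
# the parent's options). noexec only blocks running a dropped binary
# directly; it does not stop the write, so a stray file in /tmp is still
# worth investigating even when the mount options look right.
report() {
    opts=$(printf '%s\n' "$MOUNT_TABLE" | mount_opts "$1")
    if [ -z "$opts" ]; then
        echo "$1: not a separate filesystem"; return 3
    fi
    if ! has_opt "$1" noexec; then
        echo "$1: writable and executable"; return 2
    fi
    if ! has_opt "$1" nosuid; then
        echo "$1: noexec, but missing nosuid"; return 1
    fi
    echo "$1: noexec,nosuid"; return 0
}

# Demo run over the constructed table.
for d in /tmp /var /usr/local; do report "$d" || true; done
```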
