Date: Tue, 8 Feb 2005 07:35:41 -0600 From: "Bret Walker" <bret-walker@northwestern.edu> To: <freebsd-questions@freebsd.org> Subject: httpd in /tmp - Sound advice sought Message-ID: <014901c50de3$15518b10$17336981@medill.northwestern.edu>
next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format. ------=_NextPart_000_0145_01C50DB0.CA129DB0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Last night, I ran chkrootkit and it gave me a warning about being infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up to version 0.96d or older on Linux systems. I have only run 0.97d. The file that set chkrootkit off was httpd which was located in /tmp. /tmp is always mounted rw, noexec. I update my packages (which are installed via ports) any time there is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl 2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a couple of weeks, but the only code that required it to be on was in a .htaccess/SSL password protected directory. Tripwire didn't show anything that I noted as odd. I reexamined the tripwire logs, which are e-mailed to an account off of the machine immediately after completion, and I don't see anything odd for the 3/4 days before or after the date on the file. (I don't scan /tmp) I stupidly deleted the httpd file from /tmp, which was smaller than the actual apache httpd. And I don't back up /tmp. The only info I can find regarding this file being in /tmp pertains to Slapper. Could something have copied a file there? Could I have done it by mistake at some point - the server's been up ~60 days, plenty of time for me to forget something? This is production box that I very much want to keep up, so I'm seeking some sound advice. Does this box need to be rebuilt? How could a file get written to /tmp, and is it an issue since it couldn't be executed? I run tripwire nightly, and haven't seen anything odd to the best of my recollection. I also check ipfstat -t frequently to see if any odd connections are happening. I appreciate any sound advice on this matter. Thanks, Bret ------=_NextPart_000_0145_01C50DB0.CA129DB0 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII2TCCAmEw ggHKoAMCAQICAwzDcDANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhh d3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVt YWlsIElzc3VpbmcgQ0EwHhcNMDQwNzI3MjMwMzM1WhcNMDUwNzI3MjMwMzM1WjBOMR8wHQYDVQQD ExZUaGF3dGUgRnJlZW1haWwgTWVtYmVyMSswKQYJKoZIhvcNAQkBFhxicmV0LXdhbGtlckBub3J0 aHdlc3Rlcm4uZWR1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr2KxZcyBLN/M2+Shau42D HRCTwrVNq2aB3ke9Ulo5GCzJMgZeLPK9WeY6GEbri7OUdF7tH/FS8qCrFCXHcUwJnMx0Ifa6ILMC YRvH3H8u8W3Q4QinnVPGUwx84VDg0rFpQf79F/BS4MofBMcsucO/F1t/linKZgMvq0vOgKoP6QID AQABozkwNzAnBgNVHREEIDAegRxicmV0LXdhbGtlckBub3J0aHdlc3Rlcm4uZWR1MAwGA1UdEwEB /wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAXonUId4OXjTXG19LKdWZ7cd4LcEtJlnFan5nwj2P1p+a bEd4doxkueYJ9u4+Thn633uqHR1v1CTPuTVSt5sGXKcSG8fUeaITE0lamDOKU6lqtc0S5+/0/5tb GCcmSp02WaLAatE9Iy8OY4NmGcR2oqHx05nYSwNB50UqOBNa4ZMwggMtMIIClqADAgECAgEAMA0G CSqGSIb3DQEBBAUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYD VQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0 aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJl ZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcN OTYwMTAxMDAwMDAwWhcNMjAxMjMxMjM1OTU5WjCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3VsdGlu ZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMbVGhh d3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVlbWFp bEB0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUadfUsJRkW3HpR9gMUbbq cpGwhF59LQ2PexLfhSV1KHQ6QixjJ5+Ve0vvfhmHHYbqo925zpZkGsIUbkSsfOaP6E0PcR9AOKYA o4d49vmUhl6t6sBeduvZFKNdbnp8DKVLVX8GGSl/npom1Wq7OCQIapjHsdqjmJH9edvlWsQcuQID AQABoxMwETAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAMfskn5O+PWWpWdiKqTw TRFg0G+NYFhhrCa7UjVcCM8w+6hKloofYkIjjBcP9LpknBesRynfnZhe0mxgcVyirNx54+duAEcf tQ0o6AKd5Jr9E/Sm2Xyx+NxfIyYJkYBz0BQb3kOpgyXy5pwvFcr+pquKB3WLDN1RhGvk+NHOd6KB MIIDPzCCAqigAwIBAgIBDTANBgkqhkiG9w0BAQUFADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgT DFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3Vs dGluZzEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMb VGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVl bWFpbEB0aGF3dGUuY29tMB4XDTAzMDcxNzAwMDAwMFoXDTEzMDcxNjIzNTk1OVowYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1Ro YXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB iQKBgQDEpjxVc1X7TrnKmVoeaMB1BHCd3+n/ox7svc31W/Iadr1/DDph8r9RzgHU5VAKMNcCY1os iRVwjt3J8CuFWqo/cVbLrzwLB+fxH5E2JCoTzyvV84J3PQO+K/67GD4Hv0CAAmTXp6a7n2XRxSpU hQ9IBH+nttE8YQRAHmQZcmC3+wIDAQABo4GUMIGRMBIGA1UdEwEB/wQIMAYBAf8CAQAwQwYDVR0f BDwwOjA4oDagNIYyaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVBlcnNvbmFsRnJlZW1haWxD QS5jcmwwCwYDVR0PBAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRlTGFiZWwy LTEzODANBgkqhkiG9w0BAQUFAAOBgQBIjNFQg+oLLswNo2asZw9/r6y+whehQ5aUnX9MIbj4Nh+q LZ82L8D0HFAgk3A8/a3hYWLD2ToZfoSxmRsAxRoLgnSeJVCUYsfbJ3FXJY3dqZw5jowgT2Vfldr3 94fWxghOrvbqNOUQGls1TXfjViF4gtwhGTXeJLHTHUb/XV9lTzGCAs8wggLLAgEBMGkwYjELMAkG A1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMMw3AwCQYFKw4DAhoFAKCCAbww GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDUwMjA4MTMzNTQwWjAj BgkqhkiG9w0BCQQxFgQUKs0SHiiRxoD5poYtdxQuvFAfNewwZwYJKoZIhvcNAQkPMVowWDAKBggq hkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcN AwICASgwBwYFKw4DAhowCgYIKoZIhvcNAgUweAYJKwYBBAGCNxAEMWswaTBiMQswCQYDVQQGEwJa QTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3Rl IFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECAwzDcDB6BgsqhkiG9w0BCRACCzFroGkwYjEL MAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNV BAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMMw3AwDQYJKoZIhvcNAQEB BQAEgYCoJz+iAFneEPx3f8KDKur25mV3TQ9F229GvAe2qXusAVBI5yfDIq9Q/4Njqym7THdB30y7 kyNudWzFlOdFdBDD5Bf6zW5FuM4UF0Q08fAk7NtPz04TjmEUNMETZYstqozMwLy9mLT0QZ7K+fQb SYVdEFldLJSMWl0gxjwkABek6gAAAAAAAA== ------=_NextPart_000_0145_01C50DB0.CA129DB0--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?014901c50de3$15518b10$17336981>