[Techtalk] Server was hacked into; looking for tips on how to
jennyw at dangerousideas.com
Sun Feb 23 23:36:59 EST 2003
Thanks for the suggestions. I'll take a look at some of them ... But for now
I'm curious as to what exploits there are against the system. More info:
Debian GNU/Linux 3.0 (Woody); I use apt-get dist-upgrade regularly to get
security patches. Apache 1.3.26-0woody3, lib-apache-mod-ssl 2.8.9-2.1, PHP
4.1.2-6, php4-mysql 4.1.2-6, php4-pear 4.1.2-6, mysql 3.23.49-8.2, bind
About Postfix being configured for an open relay -- it wasn't. I checked
with orbsdb and others to make sure, and also sent my config to
postfix-users to hear expert opinions, and everyone agreed that it was not
an open relay. The reason mail got through was because (according to logs)
mail was sent either from 127.0.0.1 or 127.0.0.50 (I didn't look at all
entries). Also, there were processes running as www-data that shouldn't
have been (whoami, ps, dig), and there was even a process running as root
that I know shouldn't have been there.
I'm really perplexed as to how they got in because I had deliberately pared
down the Web sites (only PostNuke used either PHP4 or MySQL, and it was the
latest version at that). I don't think there are known exploits against
BIND 9, although there were against BIND 8. I know of no exploits at all
for Postfix to get someone root access.
But since many processes were running as www-data, I think they got in
through the Web site. I'll research more ways of running Apache, but I'm in
a difficult position since I had several sites on the server for other
people and I'd like to get it up as soon as possible. Maybe there's a way to
run Apache in a chroot jail or something? Of course, I barely understand
what that term means.
On 2/23/03 9:44 PM, "Jessica Smith" <crystalsinger at mail.com> wrote:
> Hi again Jen,
> I should also mention that tools which allow you to "eyeball" your server
> can also be useful for managing security. I have HotSaNIC on my server, and
> although it's not really a security tool I have caught unusual data
> spikes/CPU usage, etc., which have helped me to spot things that are
> candidates for security problems.
> My server hasn't been hacked yet - so far as I know - but it's reassuring
> to have a few different ways of "seeing what's going on" on your server,
> and an eyeopener to realise just how many script-kiddies are out there
> trying to find an easy way in.
> Of course, the *really* scary spooks are the ones that you'll never know
> were there... :-)
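A small check in the spirit of the symptom described above (whoami, ps and dig running as www-data), written as an added example that is not part of the original thread; the set of commands expected under the web-server account and the sample ps output are assumptions constructed for illustration.

```python
"""Flag processes that run under the web-server account but are not the
web server itself. Added example, not from the original mailing-list
thread; the allow-list and the sample ps output are constructed.
"""
import subprocess

# Assumption: Apache 1.3 on Debian shows up as "apache" in the COMMAND
# column, and nothing else should normally run as www-data.
EXPECTED_WWW = {"apache"}
WWW_USER = "www-data"


def parse_ps(text):
    """Parse 'ps -eo user,pid,comm' style output into (user, pid, comm)."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2]))
    return rows


def suspicious(rows, www_user=WWW_USER, expected=EXPECTED_WWW):
    """Return (pid, comm) for www-data processes that are not the web server.
    Shell utilities under the web-server account are a strong sign that a
    web application is executing commands on someone else's behalf."""
    return [(pid, comm) for user, pid, comm in rows
            if user == www_user and comm not in expected]


def live_check():
    """Run the same check against the running system (procps ps)."""
    out = subprocess.run(["ps", "-eo", "user,pid,comm"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious(parse_ps(out))


# Constructed sample resembling the situation described in the thread.
SAMPLE_PS = """USER       PID COMMAND
root         1 init
root       412 master
www-data   901 apache
www-data   902 apache
www-data  1337 whoami
www-data  1340 dig
www-data  1341 ps
postfix    455 pickup
"""

if __name__ == "__main__":
    for pid, comm in suspicious(parse_ps(SAMPLE_PS)):
        print("unexpected www-data process: pid=%d comm=%s" % (pid, comm))
```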