[Techtalk] Re: Server was hacked into; looking for tips on how to secure it
jennyw
jennyw at dangerousideas.com
Mon Mar 3 15:56:09 EST 2003
On Tue, Feb 25, 2003 at 07:11:01PM -0500, Raven Alder wrote:
> Slowly working through my mail... [grin]
Me, too. Finally got my mail server up at least! Having e-mail queue up at an
ISP's mailbox is not so much fun when one gets 1000+ messages a day from mailing
lists, but now mail has been restored to the new server and procmail is churning
away.
> http://www.apache.org/dist/httpd/Announcement.html -- looks like there
> were three security vulnerabilities in 1.3.26 that were fixed in 1.3.27.
> Might want to upgrade to 1.3.27 when you rebuild the box.
>
> Out of curiosity, are you running stable, unstable, testing, or
> what?
Interesting. I'm using Debian stable and get the security updates regularly. I
guess they might have let this one slip? Or not -- it's hard to tell without
bringing the box back up (still waiting for the others involved in this to tell me
whether they want the disk drive as evidence for a court case; did I mention the
whole story earlier?).
> > PHP 4.1.2-6
>
> There's definitely a DoS exploit out there for Apache 1.3.26/PHP
> 4.1.2 on Linux x86 (I'm assuming that's you?)
>
> http://www.kodsweb.ru/exploits/pack2/D.o.S_exploit_for_PHP_4.2.0_4.2.1_with_Apache_1.3.26_on_Linux_x86.txt
>
> And where there's one, there are probably others.
>
> Patch, patch, patch. [wry grin]
Yep, I know. I thought apt-get dist-upgrade would work for that, but now I'll be
more vigilant. Of course, I'll feel even more vulnerable if it turns out that I did
have the latest patches -- it's a lot nicer when you know how they did whatever
they did.
I'll do as you suggest ... once I get the go-ahead to bring the box back up, I'll
check for open ports. Then I'll try to see if any of the exploits for php/apache
will get me a shell.
For now, I'm only opening up DNS and mail on my home server, and am running the Web
sites at a host. I want to make sure I can secure the Web sites before putting
them back on their regular home.
By the way, even if I chroot the server, if it was compromised, could it still send
spam through 127.0.0.1? Is there a way to control this through a firewall or
postfix?
Thanks!
Jen
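The loopback question above (can a compromised, chrooted web server still hand spam to the local MTA over 127.0.0.1?) is one that a host firewall can address. The script below is an added example, not code from this thread or from any of its participants: it uses the iptables `owner` match to allow only named local users to open TCP connections to port 25 on the loopback interface, and logs and rejects everything else. The user names `postfix` and `www-data`, and the DRY_RUN/IPTABLES variables, are assumptions for the example.

```bash
#!/bin/sh
# Added example (not from the thread): limit which local users may connect to
# the loopback SMTP port. If the web server runs as the (assumed) user
# www-data and is compromised, it cannot talk to Postfix on 127.0.0.1:25
# unless www-data is on the allowed list.
# Assumptions: iptables with the 'owner' match (OUTPUT chain only, since it
# inspects locally generated packets); Postfix daemons run as user postfix.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = apply them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the rules restricting loopback SMTP to trusted local users.
# Argument: space-separated list of user names or UIDs allowed to connect.
loopback_smtp_rules() {
    allowed="$1"
    for u in $allowed; do
        run "$IPTABLES" -A OUTPUT -o lo -p tcp --dport 25 \
            -m owner --uid-owner "$u" -j ACCEPT
    done
    # Every other local user is refused; the attempt is logged (rate-limited)
    # so a compromised daemon trying to spam via localhost shows up in syslog.
    run "$IPTABLES" -A OUTPUT -o lo -p tcp --dport 25 \
        -m limit --limit 5/min -j LOG --log-prefix "LOCAL-SMTP-DENY: "
    run "$IPTABLES" -A OUTPUT -o lo -p tcp --dport 25 \
        -j REJECT --reject-with tcp-reset
}

# Usage: print the rules for review, then apply with DRY_RUN=0 as root.
loopback_smtp_rules "postfix root"
```

Two caveats worth keeping in mind. The rules only cover the network path: a process that invokes the local `sendmail` binary hands mail to Postfix through its maildrop directory without ever touching port 25, so the firewall does not see it (current Postfix releases provide the `authorized_submit_users` parameter for that path). And a chroot confines the file system view, not the network stack, which is exactly why the loopback interface still needs its own rule.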
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk