hacked

Kirk Strauser kirk at strauser.com
Mon Mar 8 12:56:11 PST 2004


At 2004-03-08T18:56:15Z, "re re" <qt4x11 at linuxmail.org> writes:

> hello despite having ipfilter blocking all ports except 80 21 and 22,
> tripwire, and scoring 999999 in nmap, my website got defaced.

"Despite locking my door to my house, pulling the curtains, and sitting in a
dark living room with a loaded gun and a Dobermann Pinscher, someone broke
into my office."

Your server is probably relatively secure - congratulations on proactively
defending your system.  However, even the most secure system in the world
can run cruddy applications.  If your website was running PHPNuke or
something from Matt's Script Archive, then don't be surprised if your
website (and possibly other files readable or writeable by the user Apache
runs under) has been altered.  This can be annoying, but doesn't mean that
the rest of your system is 0wn3d.

You mention that you have Tripwire.  Excellent!  The very first step is to
audit that changelog like the life of your server depends on it (hint: it
does).  Personally, if there are more than a handful of changes to /usr/src
or /usr/ports, then I'd nuke those subdirectories and repopulate them from a
trusted backup or another server.  Basically, don't waste hours trying to
decide whether cvsup or a cracker altered /usr/ports/shells/bash2/Makefile
when it's very simple to restore a known-good copy.  Also, get in the habit
of checking and updating your Tripwire database immediately before major
file-updating processes like "make update", "make installworld", etc.  That
way, you can reduce a vast number of false-positives from the change list so
that this is an easier task next time.

Next, Keep Your Public Services Updated (tm).  Don't run an old version of
Apache or PHPBB if you value your security.  Any skript-kiddie has an
arsenal of web service attacks for popular systems.  Repeat: keep up with
those security patches!

Good luck.  It sounds like you're doing the right things.  Just keep
current, keep your firewall tight, don't run stuff you don't need, and keep
using Tripwire.
-- 
Kirk Strauser

"94 outdated ports on the box,
 94 outdated ports.
 Portupgrade one, an hour 'til done,
 82 outdated ports on the box."
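A small shell illustration of the Tripwire habit described above (added here; this is neither Kirk's code nor Tripwire's): a hash baseline over a tree, a change report, and the difference between a stale baseline and one re-recorded around a legitimate bulk update. The directory layout, file contents and the sha256sum/shasum tooling are constructed assumptions for the demo.

```shell
#!/bin/sh
# Demo of the Tripwire habit described in the post (added here; not Tripwire's
# own code): hash a tree into a baseline, list changes, and show how re-recording
# the baseline around a legitimate bulk update keeps the change list short.
# Assumes GNU sha256sum (falls back to shasum -a 256 on BSD/macOS).
hash_file() { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; }
# hash_tree DIR: one "hash  ./relative/path" line per regular file, path-sorted.
hash_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done)
}
# baseline_init DIR DBFILE: record the current tree as the known-good state.
baseline_init() { hash_tree "$1" > "$2"; }
# baseline_check DIR DBFILE: print "ADDED|MODIFIED|REMOVED path" per change;
# exit 0 if the tree still matches the baseline, 1 otherwise.
baseline_check() {
    cur=$(mktemp); hash_tree "$1" > "$cur"
    changes=$(awk 'NR==FNR { old[$2]=$1; next }
        { if (!($2 in old)) print "ADDED", $2
          else { if (old[$2] != $1) print "MODIFIED", $2; delete old[$2] } }
        END { for (p in old) print "REMOVED", p }' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}
# Constructed fake box: a web root plus a ports subtree that "make update" rewrites.
setup_box() {
    box=$(mktemp -d); mkdir -p "$box/www" "$box/ports/shells/bash2"
    echo "welcome" > "$box/www/index.html"
    for i in 1 2 3 4 5; do echo "v1" > "$box/ports/shells/bash2/file$i"; done
    echo "$box"
}
fake_make_update() { for f in "$1"/ports/shells/bash2/*; do echo "v2" > "$f"; done; }
fake_defacement()  { echo "defaced" > "$1/www/index.html"; }
# Stale baseline: the legitimate update and the defacement come out as one big noisy list.
count_noisy_changes() {
    box=$(setup_box); db="$box.db"; baseline_init "$box" "$db"
    fake_make_update "$box"; fake_defacement "$box"
    n=$(baseline_check "$box" "$db" | grep -c '' || true); rm -rf "$box" "$db"; echo "$n"
}
# Disciplined baseline: verify right before the update, re-record right after it,
# so the only line left in the report is the real tampering.
count_clean_changes() {
    box=$(setup_box); db="$box.db"; baseline_init "$box" "$db"
    baseline_check "$box" "$db" >/dev/null || { echo "tree already dirty before update" >&2; return 1; }
    fake_make_update "$box"; baseline_init "$box" "$db"; fake_defacement "$box"
    n=$(baseline_check "$box" "$db" | grep -c '' || true); rm -rf "$box" "$db"; echo "$n"
}
printf 'stale baseline: %s changes; refreshed baseline: %s change(s)\n' "$(count_noisy_changes)" "$(count_clean_changes)"
```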