httpd in /tmp - Sound advice sought
Bret Walker
bret-walker at northwestern.edu
Tue Feb 8 05:35:53 PST 2005
Last night, I ran chkrootkit and it gave me a warning about being infected
with Slapper. Slapper exploits vulnerabilities in OpenSSL up to version
0.96d or older on Linux systems. I have only run 0.97d. The file that
set chkrootkit off
was httpd which was located in /tmp. /tmp is always mounted rw, noexec.
I update my packages (which are installed via ports) any time there is a
security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a couple
of
weeks, but the only code that required it to be on was in a .htaccess/SSL
password protected directory.
Tripwire didn't show anything that I noted as odd. I reexamined the
tripwire logs,
which are e-mailed to an account off of the machine immediately after
completion, and I don't
see anything odd for the 3/4 days before or after the date on the file.
(I don't scan /tmp)
I stupidly deleted the httpd file from /tmp, which was smaller than the
actual apache httpd. And I don't back up /tmp.
The only info I can find regarding this file being in /tmp pertains to
Slapper. Could something have copied a file there? Could I have done it
by mistake at some point - the server's been up ~60 days, plenty of time
for me to forget something?
This is production box that I very much want to keep up, so I'm seeking
some sound advice.
Does this box need to be rebuilt? How could a file get written to /tmp,
and is it an issue since it couldn't be executed? I run tripwire nightly,
and haven't seen anything odd to the best of my recollection. I also
check ipfstat -t frequently to see if any odd connections are happening.
I appreciate any sound advice on this matter.
Thanks,
Bret
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3046 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050208/33b038ee/smime.bin
More information about the freebsd-questions
mailing list