httpd in /tmp - Sound advice sought
r-militante at northwestern.edu
Tue Feb 8 11:41:04 PST 2005
[Tue, Feb 08, 2005 at 10:46:19AM -0600]
This one time, at band camp, Bret Walker said:
> Here is the response I got from the list.
> I also found another file - shellbind.c - it's essentially this -
> (although phpBB has never been installed).
> I had register_globals on in PHP for a month+ because a reservation system
> I was using required them. I now know better. We also had php errors set
> to display for a while as bugs were being worked out.
> The owner of this file is www, so it was put in /tmp by the apache daemon.
> I messed the file up trying to tar it, so I can't get a good md5.
> Register globals and php file uploads are both off now. I don't think the
> system was compromised because anything written to /tmp (which is the temp
> dir php defaults to) could not be executed.
> Do you think we're safe to continue as is?
this person is telling you that slapper is nothing to worry about because it's a linux only virus - but if you didn't put httpd in /tmp then you should be worried about this situation.
this is probably your call what you want to do.
> Also, I would like to talk with you about what preventative measures you
> take with herald. I know you run tripwire, but what else do you do on a
> regular basis?
one thing i do is i read /var/log/messages every day. do you do that?
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mark A. Garcia
> Sent: Tuesday, February 08, 2005 9:57 AM
> To: Bret Walker
> Cc: freebsd-questions at freebsd.org
> Subject: Re: httpd in /tmp - Sound advice sought
> Bret Walker wrote:
> >Last night, I ran chkrootkit and it gave me a warning about being
> >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up
> >to version 0.96d or older on Linux systems. I have only run 0.97d.
> >The file that set chkrootkit off was httpd which was located in /tmp.
> >/tmp is always mounted rw, noexec.
> >I update my packages (which are installed via ports) any time there is
> >a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> >couple of weeks, but the only code that required it to be on was in a
> >.htaccess/SSL password protected directory.
> >Tripwire didn't show anything that I noted as odd. I reexamined the
> >tripwire logs, which are e-mailed to an account off of the machine
> >immediately after completion, and I don't
> >see anything odd for the 3/4 days before or after the date on the file.
> >(I don't scan /tmp)
> >I stupidly deleted the httpd file from /tmp, which was smaller than the
> >actual apache httpd. And I don't back up /tmp.
> >The only info I can find regarding this file being in /tmp pertains to
> >Slapper. Could something have copied a file there? Could I have done
> >it by mistake at some point - the server's been up ~60 days, plenty of
> >time for me to forget something?
> >This is production box that I very much want to keep up, so I'm seeking
> >some sound advice.
> >Does this box need to be rebuilt? How could a file get written to
> >/tmp, and is it an issue since it couldn't be executed? I run tripwire
> >nightly, and haven't seen anything odd to the best of my recollection.
> >I also check ipfstat -t frequently to see if any odd connections are
> >I appreciate any sound advice on this matter.
> Slapper is a linux only virus. You shouldn't have to worry about it
> doing harm on your freebsd machine. Seeing as the binary was in your
> tmp directory on your system, and that you might have not placed it
> there, this could be a good reason for a host of other things to look
> into. The httpd binary with 96d<= ssl is not a virus itself, just a
> means to carry out the exploit. The slapper virus is a bunch of c-code
> that is put in your tmp directory and the exploit allows one to compile,
> chmod, and execute the code, leaving open a backdoor.
> chrootkit does scan for the comparable scalper virus which is a freebsd
> cousin to the slapper (in that they attempt to exploit the machine via
> the apache conduit.)
> I would think real hard, if you did put the httpd binary in there. If
> you are sure you didn't, and you are the only one with access to the
> system, then I would be very very worried. Running tripwire and
> chrootkit on a periodic basis should help. Re-installing the os isn't
> your only solution, but it does give comfort knowing that after a
> reinstall, and locking down the box, no one has a in on your system.
> This could be overboard though.
> You also might want to consider enabling the clean_tmp scripts. Next
> time tar up those suspicious files, a quick forensics on them can do
> wonders (md5sum, timestamps, ownership, permissions.)
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
1:30PM up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050208/d34ddf52/attachment.bin
More information about the freebsd-questions