httpd in /tmp - Sound advice sought
Redmond Militante
r-militante at northwestern.edu
Tue Feb 8 13:00:54 PST 2005
ok
[Tue, Feb 08, 2005 at 02:40:19PM -0600]
This one time, at band camp, Bret Walker said:
> Thanks.
> Could you send me your conf file for portsentry so I can see how you do
> it?
> Bret
>
> -----Original Message-----
> From: Redmond Militante [mailto:r-militante at northwestern.edu]
> Sent: Tuesday, February 08, 2005 2:21 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
>
>
> [Tue, Feb 08, 2005 at 01:43:36PM -0600]
> This one time, at band camp, Bret Walker said:
>
> > I do read it, but not every day (weekends, especially).
> >
>
> i use logcheck to mail me the messages log every 15 mins
>
> > Do you have a way for suspicious activity to be reported to you?
> >
>
> logcheck, and portsentry as well
>
> > Also, I'm tarring /usr and am going to run a diff on it compared to a
> > clean install.
> >
> > Bret
> >
> > -----Original Message-----
> > From: Redmond Militante [mailto:r-militante at northwestern.edu]
> > Sent: Tuesday, February 08, 2005 1:45 PM
> > To: Bret Walker
> > Subject: Re: httpd in /tmp - Sound advice sought
> >
> >
> > hi
> >
> > [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> > This one time, at band camp, Bret Walker said:
> >
> > > Redmond-
> > >
> > > Here is the response I got from the list.
> > >
> > > I also found another file - shellbind.c - it's essentially this -
> > > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > > (although phpBB has never been installed).
> > >
> > > I had register_globals on in PHP for a month+ because a reservation
> > > system I was using required them. I now know better. We also had php
>
> > > errors set to display for a while as bugs were being worked out.
> > >
> > > The owner of this file is www, so it was put in /tmp by the apache
> > > daemon. I messed the file up trying to tar it, so I can't get a good
> > > md5. Register globals and php file uploads are both off now. I don't
> > > think the system was compromised because anything written to /tmp
> > > (which is the temp dir php defaults to) could not be executed.
> > >
> > > Do you think we're safe to continue as is?
> > >
> >
> > this person is telling you that slapper is nothing to worry about
> > because it's a linux only virus - but if you didn't put httpd in /tmp
> > then you should be worried about this situation.
> >
> > this is probably your call what you want to do.
> >
> > > Also, I would like to talk with you about what preventative measures
> > > you take with herald. I know you run tripwire, but what else do you
> > > do on a regular basis?
> > >
> >
> > one thing i do is i read /var/log/messages every day. do you do that?
> >
> >
> > > Bret
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-questions at freebsd.org
> > > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mark A.
> > > Garcia
> > > Sent: Tuesday, February 08, 2005 9:57 AM
> > > To: Bret Walker
> > > Cc: freebsd-questions at freebsd.org
> > > Subject: Re: httpd in /tmp - Sound advice sought
> > >
> > >
> > > Bret Walker wrote:
> > >
> > > >Last night, I ran chkrootkit and it gave me a warning about being
> > > >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL
> > > >up to version 0.96d or older on Linux systems. I have only run
> > > >0.97d. The file that set chkrootkit off was httpd which was located
> > > >in /tmp. /tmp is always mounted rw, noexec.
> > > >
> > > >I update my packages (which are installed via ports) any time there
> > > >is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> > > >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> > > >couple of weeks, but the only code that required it to be on was in a
>
> > > >.htaccess/SSL password protected directory.
> > > >
> > > >Tripwire didn't show anything that I noted as odd. I reexamined
> > > >the
> > > >tripwire logs, which are e-mailed to an account off of the machine
> > > >immediately after completion, and I don't see anything odd for the
> > > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > > >
> > > >I stupidly deleted the httpd file from /tmp, which was smaller than
> > > >the actual apache httpd. And I don't back up /tmp.
> > > >
> > > >The only info I can find regarding this file being in /tmp pertains
> > > >to Slapper. Could something have copied a file there? Could I have
> > > >done it by mistake at some point - the server's been up ~60 days,
> > > >plenty of time for me to forget something?
> > > >
> > > >This is production box that I very much want to keep up, so I'm
> > > >seeking some sound advice.
> > > >
> > > >Does this box need to be rebuilt? How could a file get written to
> > > >/tmp, and is it an issue since it couldn't be executed? I run
> > > >tripwire nightly, and haven't seen anything odd to the best of my
> > > >recollection. I also check ipfstat -t frequently to see if any odd
> > > >connections are happening.
> > > >
> > > >I appreciate any sound advice on this matter.
> > > >
> > > >Thanks,
> > > >Bret
> > > >
> > > >
> > > Slapper is a linux only virus. You shouldn't have to worry about it
> > > doing harm on your freebsd machine. Seeing as the binary was in your
> > > tmp directory on your system, and that you might have not placed it
> > > there, this could be a good reason for a host of other things to look
> > > into. The httpd binary with 96d<= ssl is not a virus itself, just a
> > > means to carry out the exploit. The slapper virus is a bunch of
> > > c-code that is put in your tmp directory and the exploit allows one to
>
> > > compile, chmod, and execute the code, leaving open a backdoor.
> > >
> > > chrootkit does scan for the comparable scalper virus which is a
> > > freebsd cousin to the slapper (in that they attempt to exploit the
> > > machine via the apache conduit.)
> > >
> > > I would think real hard, if you did put the httpd binary in there.
> > > If
> > > you are sure you didn't, and you are the only one with access to the
> > > system, then I would be very very worried. Running tripwire and
> > > chrootkit on a periodic basis should help. Re-installing the os isn't
>
> > > your only solution, but it does give comfort knowing that after a
> > > reinstall, and locking down the box, no one has a in on your system.
> > > This could be overboard though.
> > >
> > > You also might want to consider enabling the clean_tmp scripts.
> > > Next
> > > time tar up those suspicious files, a quick forensics on them can do
> > > wonders (md5sum, timestamps, ownership, permissions.)
> > >
> > > Cheers,
> > > -.mag
> > > _______________________________________________
> > > freebsd-questions at freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > > To unsubscribe, send any mail to
> > > "freebsd-questions-unsubscribe at freebsd.org"
> >
> >
> >
> > --
> > Redmond Militante
> > Software Engineer / Medill School of Journalism
> > FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386 1:30PM
> > up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19
>
>
>
> --
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
> 2:15PM up 1 day, 2:06, 2 users, load averages: 0.07, 0.07, 0.13
--
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
3:00PM up 1 day, 2:51, 4 users, load averages: 0.04, 0.05, 0.17
-------------- next part --------------
# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.23 2001/06/26 15:20:56 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1024.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have have a problem because I'll only tell
# you to RTFM and don't run above the first 1024 ports.
#
#
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/etc/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/etc/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/etc/portsentry.blocked"
##############################
# Misc. Configuration Options#
##############################
#
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off.
RESOLVE_HOST = "1"
###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If you OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the PREFERRED. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
#
# For those running ipfilt (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
#
#
# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
# YOU!
#
# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
# of thin air. The only time it is reasonably safe (and I *never* think it is
# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
# This mode requires a full connect and is very hard to spoof.
#
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#
#KILL_RUN_CMD_FIRST = "0"
#
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# below your specified range, you have the opportunity to really
# break things. (i.e someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"
######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
# EOF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050208/2ff1c6b7/attachment.bin
More information about the freebsd-questions
mailing list