newbie with www user security problem

jimmy at inet-solutions.be jimmy at inet-solutions.be
Thu Aug 11 14:50:28 GMT 2005


Quoting Stijn Hoop <stijn at win.tue.nl>:

> On Thu, Aug 11, 2005 at 09:32:22AM -0400, Ken Hawkins wrote:
> > we have been hacked by a spammer
>
> [snip]
>
> > X-AntiAbuse: Board servername - srforum.prosoundweb.com
>
> Ouch. You appear to be running a phpBB installation from 2002 (version
> 2.0.6).  That's asking for trouble. A lot of exploits have been found
> in phpBB since that time, see
>
> http://www.phpbb.com/support/documents.php?mode=changelog
>
> and
>
> http://www.vuxml.org/freebsd/pkg-phpbb.html
>
> There are lots of automated scripts running on already compromised
> machines that scan other machines for these vulnerabilities. Assuming
> that is how the spammer got in, there is no telling what he has done
> after that.
>
> You must assume that your machine has been fully compromised.  The
> only way to know for sure that your machine is clean again is to build
> a new machine from scratch and transfer all your _non-executable_ data
> to it.
>
> You _might_ be able to get away with identifying any and all
> processes, removing suspicious data from /tmp, /var/tmp and any other
> OS place, changing passwords on _all_ accounts (but especially
> sensitive ones like root, your own and www). But you might not find
> the one backdoor that the spammer left and then you're back to square
> one again.
>
> It's your choice.
>
> To prevent this from happening, perform regular port updates and make
> sure to subscribe to the announcement list of high-profile publicly
> accessible software that you run.
>
> Good luck.
>
> --Stijn
>
> --
> A "No" uttered from deepest conviction is better and greater than a
> "Yes" merely uttered to please, or what is worse, to avoid trouble.
> 		-- Mahatma Gandhi
>

If the box in question was locally secure, you don't have to worry that much.

If it's a long time since you've updated your base, you are sloppy with passwords
on the box in question, or you haven't updated your daemons/setuid packages in weeks,
then the box should be considered a total loss.

Just think in terms of "what are the possible things I could do if my UID were
'www'?"

I for example have webservers running in chroot, on a partition that is nosuid,
and a starred-out password for the user 'www'. The thing you're describing happens
sometimes because users do not update their phpBBs either. I'm not afraid,
since the kiddo would have the same access as a customer, whom I cannot
trust either. If you don't know the box IS secure, it isn't; there is a lot
of work involved in keeping things like this "under control".

Kind Regards,
Jimmy Scott
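One way to check the points Jimmy lists, as an added example that is not part of the thread: a POSIX sh audit run against constructed sample /etc/fstab and /etc/master.passwd files (the mountpoint /usr/local/www and every entry in the sample files are assumed values).

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the hardening points
# described for the 'www' user: a nosuid web partition, a locked ('*')
# password and a nologin shell. File paths are parameters so the checks
# run against the constructed sample files below; on a real FreeBSD host
# pass /etc/fstab and /etc/master.passwd (root-readable) instead.

# Succeed if the fstab entry mounted exactly at $2 carries the nosuid option.
fs_has_nosuid() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1" |
        tr ',' '\n' | grep -qx nosuid
}

# Succeed if user $2 in master.passwd $1 has a locked password field ('*').
account_locked() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1" | grep -qx '\*'
}

# Succeed if user $2's login shell (10th master.passwd field) is nologin.
account_nologin() {
    awk -F: -v u="$2" '$1 == u { print $10 }' "$1" | grep -q 'nologin$'
}

# Constructed sample data (assumed values, not taken from any real host).
FSTAB=$(mktemp) && PASSWD=$(mktemp)
trap 'rm -f "$FSTAB" "$PASSWD"' EXIT
cat > "$FSTAB" <<'EOF'
# Device        Mountpoint       FStype  Options           Dump  Pass#
/dev/ad0s1a     /                ufs     rw                1     1
/dev/ad0s1d     /usr/local/www   ufs     rw,nosuid,noexec  2     2
/dev/ad0s1e     /var             ufs     rw                2     2
EOF
cat > "$PASSWD" <<'EOF'
root:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
jimmy:$1$constructed$BBBBBBBBBBBBBBBBBBBBBB:1001:1001::0:0:Jimmy:/home/jimmy:/bin/sh
EOF

# Report each check; a WARN line means a compromised 'www' has more reach.
audit_www() {
    fs_has_nosuid "$FSTAB" "$1" && echo "ok:   $1 is mounted nosuid" \
        || echo "WARN: $1 allows setuid binaries"
    account_locked "$PASSWD" www && echo "ok:   www has no usable password" \
        || echo "WARN: www can authenticate with a password"
    account_nologin "$PASSWD" www && echo "ok:   www cannot log in interactively" \
        || echo "WARN: www has a login shell"
}

audit_www /usr/local/www
```

The chroot of the web server itself is not checked here, since that depends on how the daemon is started rather than on a file you can inspect.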


