newbie with www user security problem

Ken Hawkins ken at rosewoodblues.com
Thu Aug 11 15:32:54 GMT 2005


The box is secure, that much I have found out. The only problems have
been with this email spamming. Nothing in the tmp dirs is out of the
ordinary, and no missing files, running scripts, etc. I have changed
everyone's passwords on the box, *'d the www password, ensured there is
no shell for the www user, etc.

I am in the process of upgrading the ports now and there are problems
(of course). The ports seem to have been mangled, as the listing in
/var/db/ports does not match what I KNOW is running on the box. The
person I have inherited this from manually deleted from /var/db/ports
to get some of the applications to re-install! Gotta love that!

Well, here I come, port fix hell! This is a production box and can't be
taken offline as of this moment, so I am going to have to attempt
on-the-fly fixing / upgrading of the ports. I would love to wipe it but
it is just not a possibility right now.

Thanks for all your help and insight, even those of you who tried to
tell me I was lost... :)

ken;
Ken Hawkins
Product Manager/Software Development
Broadjam Inc.
313 W. Beltline Hwy, Suite 147
Madison, WI 53713
P: 404-323-7493
F: 608-273-3635
W: www.broadjam.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Broadjam Web Hosting for Musicians
Now featuring links, guestbook, news
page and more customization.
Only at www.broadjam.com/hosting.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Aug 11, 2005, at 11:04 AM, Stijn Hoop wrote:

> On Thu, Aug 11, 2005 at 04:54:10PM +0200, jimmy at inet-solutions.be
> wrote:
>
>> If the box in question was locally secure, you don't have to worry
>> that much.
>>
>
> Correct of course, but seeing as the OP admitted to not knowing a
> lot about the administration of this machine, I don't think local
> security was very high.
>
>
>> If it's a long time since you've updated your base, are sloppy
>> with passwords on the box in question, haven't updated your
>> daemons/setuid packages in weeks, then the box should be considered
>> a total loss.
>>
>> Just think in terms of "what are the possible things I could do if
>> my UID were 'www'?"
>>
>
> There might be some less obvious things, especially if the base OS is
> as far behind as the phpBB installation.
>
>
>> I for example have webservers running in chroot, on a partition
>> that is nosuid, and a starred-out password for the user 'www'. The
>> thing you are describing happens sometimes because users do not
>> update their phpBBs either. I'm not afraid since the kiddo would
>> have the same access as a customer, which I cannot trust either. If
>> you don't know the box IS secure, it isn't; there is a lot of work
>> involved in keeping things like this "under control".
>>
>
> Totally true, and good advice for setting up access for customers /
> etc.
>
> --Stijn
>
> -- 
> Coughlin's law: never show surprise, never lose your cool.
>         -- Cocktail
>

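As an added example (not code from this thread or its participants), the following POSIX sh helpers audit the hardening points discussed above: a starred-out password and no login shell for the www account, and the web tree mounted nosuid. The function names and sample data are hypothetical and constructed; on a real FreeBSD box you would call `check_account "$(cat /etc/master.passwd)" www` and `check_nosuid "$(mount)" /usr/local/www`.

```shell
#!/bin/sh
# Added audit helpers (hypothetical, not from the thread).
# check_account PASSWD_TEXT USER
# master.passwd format: name:password:uid:gid:class:change:expire:gecos:home:shell
# Prints "ok", or a list of findings, and returns 1 on any finding.
check_account() {
    entry=$(printf '%s\n' "$1" | grep "^$2:" || true)
    [ -n "$entry" ] || { echo "no-entry"; return 1; }
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    shell=$(printf '%s\n' "$entry" | cut -d: -f10)
    findings=""
    # A "starred out" password ("*", or "*LOCKED*..." from pw lock) cannot
    # match any hash, so password login for the account is impossible.
    case "$pw" in
        '*'|'*LOCKED*'*) ;;
        *) findings="$findings password-set" ;;
    esac
    # An empty shell field makes login(1) fall back to /bin/sh: still a login shell.
    case "$shell" in
        /usr/sbin/nologin|/sbin/nologin|/nonexistent) ;;
        '') findings="$findings shell:empty-defaults-to-/bin/sh" ;;
        *) findings="$findings shell:$shell" ;;
    esac
    [ -n "$findings" ] || { echo ok; return 0; }
    echo "${findings# }"
    return 1
}
# check_nosuid MOUNT_TEXT MOUNTPOINT
# Expects mount(8)-style lines: "/dev/ad0s1f on /usr/local/www (ufs, local, nosuid)"
check_nosuid() {
    line=$(printf '%s\n' "$1" | grep -F " on $2 (" || true)
    [ -n "$line" ] || { echo "not-mounted"; return 1; }
    case "$line" in
        *nosuid*) echo ok; return 0 ;;
        *) echo "suid-allowed"; return 1 ;;
    esac
}
# Constructed sample data, not taken from any real box.
SAMPLE_PASSWD='root:$1$abc$xyz:0:0::0:0:Charlie &:/root:/bin/csh
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
web2:$1$def$uvw:81:81::0:0:Second web user:/home/web2:/bin/sh'
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr/local/www (ufs, local, nosuid, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)'
for u in www web2; do printf '%s: %s\n' "$u" "$(check_account "$SAMPLE_PASSWD" "$u")"; done
for m in /usr/local/www /var; do printf '%s: %s\n' "$m" "$(check_nosuid "$SAMPLE_MOUNT" "$m")"; done
```

The sample run flags web2 (real password hash plus /bin/sh) and /var (no nosuid), while www and /usr/local/www pass.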