httpd in /tmp - Sound advice sought
r-militante at northwestern.edu
Tue Feb 8 12:16:37 PST 2005
[Tue, Feb 08, 2005 at 01:43:36PM -0600]
This one time, at band camp, Bret Walker said:
> I do read it, but not every day (weekends, especially).
i use logcheck to mail me the messages log every 15 mins
> Do you have a way for suspicious activity to be reported to you?
logcheck, and portsentry as well
> Also, I'm tarring /usr and am going to run a diff on it compared to a
> clean install.
> -----Original Message-----
> From: Redmond Militante [mailto:r-militante at northwestern.edu]
> Sent: Tuesday, February 08, 2005 1:45 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
> [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> This one time, at band camp, Bret Walker said:
> > Redmond-
> > Here is the response I got from the list.
> > I also found another file - shellbind.c - it's essentially this -
> > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > (although phpBB has never been installed).
> > I had register_globals on in PHP for a month+ because a reservation
> > system I was using required them. I now know better. We also had php
> > errors set to display for a while as bugs were being worked out.
> > The owner of this file is www, so it was put in /tmp by the apache
> > daemon. I messed the file up trying to tar it, so I can't get a good
> > md5. Register globals and php file uploads are both off now. I don't
> > think the system was compromised because anything written to /tmp
> > (which is the temp dir php defaults to) could not be executed.
> > Do you think we're safe to continue as is?
> this person is telling you that slapper is nothing to worry about because
> it's a linux only virus - but if you didn't put httpd in /tmp then you
> should be worried about this situation.
> this is probably your call what you want to do.
> > Also, I would like to talk with you about what preventative measures
> > you take with herald. I know you run tripwire, but what else do you
> > do on a regular basis?
> one thing i do is i read /var/log/messages every day. do you do that?
> > Bret
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mark A.
> > Garcia
> > Sent: Tuesday, February 08, 2005 9:57 AM
> > To: Bret Walker
> > Cc: freebsd-questions at freebsd.org
> > Subject: Re: httpd in /tmp - Sound advice sought
> > Bret Walker wrote:
> > >Last night, I ran chkrootkit and it gave me a warning about being
> > >infected with Slapper. Slapper exploits vulnerabilities in OpenSSL
> > >up to version 0.96d or older on Linux systems. I have only run
> > >0.97d. The file that set chkrootkit off was httpd which was located
> > >in /tmp. /tmp is always mounted rw, noexec.
> > >
> > >I update my packages (which are installed via ports) any time there
> > >is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl
> > >2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a
> > >couple of weeks, but the only code that required it to be on was in a
> > >.htaccess/SSL password protected directory.
> > >
> > >Tripwire didn't show anything that I noted as odd. I reexamined the
> > >tripwire logs, which are e-mailed to an account off of the machine
> > >immediately after completion, and I don't see anything odd for the
> > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > >
> > >I stupidly deleted the httpd file from /tmp, which was smaller than
> > >the actual apache httpd. And I don't back up /tmp.
> > >
> > >The only info I can find regarding this file being in /tmp pertains
> > >to Slapper. Could something have copied a file there? Could I have
> > >done it by mistake at some point - the server's been up ~60 days,
> > >plenty of time for me to forget something?
> > >
> > >This is production box that I very much want to keep up, so I'm
> > >seeking some sound advice.
> > >
> > >Does this box need to be rebuilt? How could a file get written to
> > >/tmp, and is it an issue since it couldn't be executed? I run
> > >tripwire nightly, and haven't seen anything odd to the best of my
> > >recollection. I also check ipfstat -t frequently to see if any odd
> > >connections are happening.
> > >
> > >I appreciate any sound advice on this matter.
> > >
> > >Thanks,
> > >Bret
> > >
> > >
> > Slapper is a linux only virus. You shouldn't have to worry about it
> > doing harm on your freebsd machine. Seeing as the binary was in your
> > tmp directory on your system, and that you might have not placed it
> > there, this could be a good reason for a host of other things to look
> > into. The httpd binary with 96d<= ssl is not a virus itself, just a
> > means to carry out the exploit. The slapper virus is a bunch of
> > c-code that is put in your tmp directory and the exploit allows one to
> > compile, chmod, and execute the code, leaving open a backdoor.
> > chrootkit does scan for the comparable scalper virus which is a
> > freebsd cousin to the slapper (in that they attempt to exploit the
> > machine via the apache conduit.)
> > I would think real hard, if you did put the httpd binary in there. If
> > you are sure you didn't, and you are the only one with access to the
> > system, then I would be very very worried. Running tripwire and
> > chrootkit on a periodic basis should help. Re-installing the os isn't
> > your only solution, but it does give comfort knowing that after a
> > reinstall, and locking down the box, no one has a in on your system.
> > This could be overboard though.
> > You also might want to consider enabling the clean_tmp scripts. Next
> > time tar up those suspicious files, a quick forensics on them can do
> > wonders (md5sum, timestamps, ownership, permissions.)
> > Cheers,
> > -.mag
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386 1:30PM
> up 1 day, 1:21, 2 users, load averages: 0.00, 0.04, 0.19
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
2:15PM up 1 day, 2:06, 2 users, load averages: 0.07, 0.07, 0.13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050208/43651d02/attachment.bin
More information about the freebsd-questions