system breach

Matthew Seaman m.seaman at
Fri Dec 29 04:36:57 PST 2006

gareth wrote:

> Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
> Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

These are from autoconf testing various capabilities of the system to do
with signal handling -- nothing to be worried about.  

> hey guys, my server rebooted a few days ago, and while i was
> looking around for possible reasons (none came up, which is
> disconcerting in itself) i found this suspicious directory:
> $ ls -l /tmp/download
> total 44
> drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
> -rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
> -rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml
> the subdirs contain a bunch of .php files, and the xml files
> are info about version updates of PEAR's "XML-RPC for PHP".
> they're owned by root (only i have the passwd) so it wasn't
> made by a local user, and i assume it wasn't made by portupgrade
> or something like that?

Are you running a web server as root on this machine?  This illustrates
why that is such a bad idea...  If you aren't running a web server,
but only using PHP as a command line tool, then have you been doing any
work with such things as IDEs or other large toolsets?  They often
have the capability to download and install extra bits at a mouseclick.

Generally if you have a compromise in a PHP based webserver, you'll
see the compromised machine used as a spam-bot or similar.  Check the
contents of your mail spool.  Use tcpdump / wireshark to monitor the
traffic to and from the machine to look for suspicious activity.
If you've got the permissions right, then the attackers will not be
able to write to the hard drive through compromising the webserver,
which means that a stop and restart of Apache will thwart their
nefarious plans, at least until they can recompromise your server.
Generally that's about 5 -- 15 minutes, as all that sort of stuff is
pretty automated nowadays.

The best defense against all of this sort of stuff is to be fully
patched and up to date with all your installed software.  PHP is a
nightmare security-wise -- the whole language tends to steer developers
into doing sloppy and insecure things by default.  Well known, big
projects like phpMyAdmin or Horde will generally code stuff pretty
tightly, but the rest often need a severe beating with the clue stick.
Even the well-managed projects will have their problems, and in fact
one of the measures of a well-managed project is how promptly they deal
with security problems and how open they are about revealing such things.



Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP:
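The "permissions right" point above (the web server should not be able to write under its own document root) can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD; the docroot path is an assumption and the sample tree it builds is constructed for demonstration.

```sh
#!/bin/sh
# Audit a web document root for entries that group or others can modify.
# If httpd runs unprivileged and cannot write under its docroot, a PHP
# compromise has nowhere to drop files, so a restart clears it out.
# Usage: audit_docroot /usr/local/www/data   (path is an assumption)

# Print files and directories writable by group or others.
# Octal -perm tests are portable between GNU and BSD find.
audit_docroot() {
    root=$1
    find "$root" \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Number of offending entries, convenient for cron alerting.
audit_count() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (not a real docroot) to show the check.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/uploads" "$d/htdocs/inc"
    printf '<?php echo 1; ?>' > "$d/htdocs/index.php"
    printf '<?php echo 2; ?>' > "$d/htdocs/inc/lib.php"
    chmod 755 "$d/htdocs" "$d/htdocs/inc"
    chmod 644 "$d/htdocs/index.php" "$d/htdocs/inc/lib.php"
    # A common mistake: an uploads directory left world-writable.
    chmod 777 "$d/htdocs/uploads"
    printf '%s\n' "$d"
}
```

Run it against the sample tree and the only hit is the 777 uploads directory; once that is tightened to 755 the audit reports nothing.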


More information about the freebsd-stable mailing list