Hacked - FreeBSD 7.1-Release

Squirrel squirrel at mail.isot.com
Thu Dec 10 14:12:15 UTC 2009 

I do have most of measure you've mentioned implemented.  There is one website that is required to have register_global, which I have set on his directory/.htaccess to prevent site-wide.  Currently, I'm in process of upgrading all my ports.

Thanks for info.


-----Original message-----
From: Matthew Seaman m.seaman at infracaninophile.co.uk
Date: Thu, 10 Dec 2009 02:24:34 -0600
To: squirrel at isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> Squirrel wrote:
> > I've just finished the rtld patch.  Now in process of regenerating
> > all the keys and certs.  Next will look into php.  But far as rtld
> > vulnerability, doesn't it require at least a local user account?
> > Looking at all the authentication, there wasn't any authenticated
> > session during the time frame.  So I'm leaning more towards php
> > 5.2.9, and checking all my ports.
> 
> You don't necessarily need to have a login session (ie. recorded in wtmp)
> to exploit the rtld bug -- just control over some process and the ability
> to run commands through it.  Although the rtld bug is "only" a local root
> compromise, since it is so simple to exploit it is a lot more dangerous
> than most, and in combination with just about any form of remote exploit
> it means your box get rooted.
> 
> Upgrading PHP and all ports is a good move.  portaudit(1) is a good idea
> but it doesn't necessarily address the direct route your attackers used.
> My suspicions (in the absence of any detailed forensic examination of
> your machine) are that you are running  some vulnerable PHP code.  This
> may be part of a well known application, or it may be something locally written.
> 
> In this case, I'd recommend a number of measures:
> 
>    * Run a security scanner like nikto (ports: security/nikto)
>      against each of the websites on your server.  Do this at 
>      regular intervals, and take action to fix any problems it
>      discovers.
> 
>    * Make sure that you only grant the minimum necessary permissions
>      on the filesystem to allow apache to run your applications.  In
>      general, everything under your doc root should be *readable* by
>      uid www but not *writable* -- don't be seduced by the idea of 
>      making the webroot owned by www:www --- root:wheel is a much 
>      better idea, and files should be mode 644, directories mode 755
>      unless there's a good reason to have them otherwise.
> 
>    * Refuse to run any PHP application that requires you to have 
>      'register_globals = YES' or to similarly poke enormous holes
>      in security through php.ini.  Any application developer that
>      has not modified their code to use the $GLOBALS array by now
>      is lazy and incompetent and their code is likely to have all
>      sorts of other holes.
> 
>    * Similarly give your web application only the minimum necessary
>      permissions it needs to access any databases.  You'll frequently
>      see instructions to do things like: 'GRANT ALL PRIVILEGES ON foo.*
>      TO www at localhost WITH GRANT OPTION;' This is way too much and should
>      be trimmed down.  Web apps rarely have any need to make schema 
>      changes, and creating other UIDs is right out, so
>      'GRANT SELECT,INSERT,UPDATE,DELETE ON foo.* TO www at localhost' is a 
>      much more reasonable starting point.  
> 
>    * Where a web application has a legitimate reason to want to write
>      to the filesystem (eg. uploading files), preferably confine the
>      write access to a separate directory tree outside the web root --
>      /tmp or /var/tmp aren't bad choices, but it might be better to
>      create a specific location for a particular application.
> 
>    * Where a web application has an administrative mode preferably
>      arrange to run this over HTTPS thus protecting any passwords 
>      from snooping.  If the administrative mode needs to have generic
>      read/write access to the web tree, then consider running it in a
>      completely separate Apache instance with different user credentials
>      than the generally accessible web server.
> 
> Making the last point work with some arbitrary web application is 
> frequently challenging, but usually at least possible by a combination
> of mod_rewrite and mod_proxy functions in the Apache config.   
> 
> 	Cheers,
> 
> 	Matthew
> 
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
> 
> 
>

More information about the freebsd-stable mailing list