httpd in /tmp - Sound advice sought

Redmond Militante r-militante at northwestern.edu
Tue Feb 8 12:16:37 PST 2005 

[Tue, Feb 08, 2005 at 01:43:36PM -0600]
This one time, at band camp, Bret Walker said:

> I do read it, but not every day (weekends, especially).
>

i use logcheck to mail me the messages log every 15 mins
 
> Do you have a way for suspicious activity to be reported to you?
>

logcheck, and portsentry as well
 
> Also, I'm tarring /usr and am going to run a diff on it compared to a
> clean install.
>
> Bret
> 
> -----Original Message-----
> From: Redmond Militante [mailto:r-militante at northwestern.edu] 
> Sent: Tuesday, February 08, 2005 1:45 PM
> To: Bret Walker
> Subject: Re: httpd in /tmp - Sound advice sought
> 
> 
> hi
> 
> [Tue, Feb 08, 2005 at 10:46:19AM -0600]
> This one time, at band camp, Bret Walker said:
> 
> > Redmond-
> > 
> > Here is the response I got from the list.
> > 
> > I also found another file - shellbind.c - it's essentially this - 
> > http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-06/0073.html
> > (although phpBB has never been installed).
> > 
> > I had register_globals on in PHP for a month+ because a reservation 
> > system I was using required them.  I now know better.  We also had php 
> > errors set to display for a while as bugs were being worked out.
> > 
> > The owner of this file is www, so it was put in /tmp by the apache 
> > daemon. I messed the file up trying to tar it, so I can't get a good 
> > md5. Register globals and php file uploads are both off now.  I don't 
> > think the system was compromised because anything written to /tmp 
> > (which is the temp dir php defaults to) could not be executed.
> > 
> > Do you think we're safe to continue as is?
> >
> 
> this person is telling you that slapper is nothing to worry about because
> it's a linux only virus - but if you didn't put httpd in /tmp then you
> should be worried about this situation.
> 
> this is probably your call what you want to do.
>  
> > Also, I would like to talk with you about what preventative measures 
> > you take with herald.  I know you run tripwire, but what else do you 
> > do on a regular basis?
> >
> 
> one thing i do is i read /var/log/messages every day.  do you do that?
> 
>  
> > Bret
> > 
> > 
> > 
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Mark A. 
> > Garcia
> > Sent: Tuesday, February 08, 2005 9:57 AM
> > To: Bret Walker
> > Cc: freebsd-questions at freebsd.org
> > Subject: Re: httpd in /tmp - Sound advice sought
> > 
> > 
> > Bret Walker wrote:
> > 
> > >Last night, I ran chkrootkit and it gave me a warning about being 
> > >infected with Slapper.  Slapper exploits vulnerabilities in OpenSSL 
> > >up to version 0.96d or older on Linux systems.  I have only run 
> > >0.97d. The file that set chkrootkit off was httpd which was located 
> > >in /tmp. /tmp is always mounted rw, noexec.
> > >
> > >I update my packages (which are installed via ports) any time there 
> > >is a security update.  I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl 
> > >2.8.22/OpenSSL 0.97d on 4.10.  Register_globals was on in PHP for a 
> > >couple of weeks, but the only code that required it to be on was in a 
> > >.htaccess/SSL password protected directory.
> > >
> > >Tripwire didn't show anything that I noted as odd.  I reexamined the 
> > >tripwire logs, which are e-mailed to an account off of the machine 
> > >immediately after completion, and I don't see anything odd for the 
> > >3/4 days before or after the date on the file. (I don't scan /tmp)
> > >
> > >I stupidly deleted the httpd file from /tmp, which was smaller than 
> > >the actual apache httpd.  And I don't back up /tmp.
> > >
> > >The only info I can find regarding this file being in /tmp pertains 
> > >to Slapper.  Could something have copied a file there?  Could I have 
> > >done it by mistake at some point - the server's been up ~60 days, 
> > >plenty of time for me to forget something?
> > >
> > >This is production box that I very much want to keep up, so I'm 
> > >seeking some sound advice.
> > >
> > >Does this box need to be rebuilt?  How could a file get written to 
> > >/tmp, and is it an issue since it couldn't be executed?  I run 
> > >tripwire nightly, and haven't seen anything odd to the best of my 
> > >recollection. I also check ipfstat -t frequently to see if any odd 
> > >connections are happening.
> > >
> > >I appreciate any sound advice on this matter.
> > >
> > >Thanks,
> > >Bret
> > >
> > >
> > Slapper is a linux only virus.  You shouldn't have to worry about it 
> > doing harm on your freebsd machine.  Seeing as the binary was in your 
> > tmp directory on your system, and that you might have not placed it 
> > there, this could be a good reason for a host of other things to look 
> > into.  The httpd binary with 96d<= ssl is not a virus itself, just a 
> > means to carry out the exploit.  The slapper virus is a bunch of 
> > c-code that is put in your tmp directory and the exploit allows one to 
> > compile, chmod, and execute the code, leaving open a backdoor.
> > 
> > chrootkit does scan for the comparable scalper virus which is a 
> > freebsd cousin to the slapper (in that they attempt to exploit the 
> > machine via the apache conduit.)
> > 
> > I would think real hard, if you did put the httpd binary in there.  If 
> > you are sure you didn't, and you are the only one with access to the 
> > system, then I would be very very worried.  Running tripwire and 
> > chrootkit on a periodic basis should help.  Re-installing the os isn't 
> > your only solution, but it does give comfort knowing that after a 
> > reinstall, and locking down the box, no one has a in on your system. 
> > This could be overboard though.
> > 
> > You also might want to consider enabling the clean_tmp scripts.  Next 
> > time tar up those suspicious files, a quick forensics on them can do 
> > wonders (md5sum, timestamps, ownership, permissions.)
> > 
> > Cheers,
> > -.mag
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list 
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to 
> > "freebsd-questions-unsubscribe at freebsd.org"
> 
> 
> 
> -- 
> Redmond Militante
> Software Engineer / Medill School of Journalism
> FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386  1:30PM
> up 1 day,  1:21, 2 users, load averages: 0.00, 0.04, 0.19



-- 
Redmond Militante
Software Engineer / Medill School of Journalism
FreeBSD 5.2.1-RELEASE-p10 #0: Wed Sep 29 17:17:49 CDT 2004 i386
 2:15PM  up 1 day,  2:06, 2 users, load averages: 0.07, 0.07, 0.13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20050208/43651d02/attachment.bin

More information about the freebsd-questions mailing list