Last night, I ran chkrootkit and it gave me a warning about being infected with Slapper. Slapper exploits vulnerabilities in OpenSSL up to version 0.96d or older on Linux systems. I have only run 0.97d. The file that set chkrootkit off was httpd which was located in /tmp. /tmp is always mounted rw, noexec.
I update my packages (which are installed via ports) any time there is a security update. I'm running Apache 1.3.33/PHP 4.3.10/mod_ssl 2.8.22/OpenSSL 0.97d on 4.10. Register_globals was on in PHP for a couple of weeks, but the only code that required it to be on was in a .htaccess/SSL password-protected directory.

Tripwire didn't show anything that I noted as odd. I re-examined the tripwire logs, which are e-mailed to an account off of the machine immediately after completion, and I don't see anything odd for the 3/4 days before or after the date on the file. (I don't scan /tmp.) I stupidly deleted the httpd file from /tmp, which was smaller than the actual apache httpd. And I don't back up /tmp. The only info I can find regarding this file being in /tmp pertains to Slapper.

Could something have copied a file there? Could I have done it by mistake at some point - the server's been up ~60 days, plenty of time for me to forget something? This is a production box that I very much want to keep up, so I'm seeking some sound advice. Does this box need to be rebuilt? How could a file get written to /tmp, and is it an issue since it couldn't be executed?

I run tripwire nightly, and haven't seen anything odd to the best of my recollection. I also check ipfstat -t frequently to see if any odd connections are happening. I appreciate any sound advice on this matter.

Thanks,
Bret
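Added example, not part of the post above or of any of the tools it names: two small POSIX shell helpers for the two things the post raises, confirming that the filesystem holding a suspicious file really is mounted noexec, and recording the file's hash and metadata before it is removed (the step the poster regrets skipping). It assumes sha256sum (GNU) or sha256 (FreeBSD) and either the GNU or the BSD stat.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: POSIX sh; sha256sum (GNU) or sha256 (FreeBSD); GNU or BSD stat.

# mount_has_noexec "MOUNT_LINE": succeed if a line from mount(8) lists noexec
# as a whole option token. Handles both output styles, e.g.
#   /dev/ad0s1e on /tmp (ufs, local, noexec, nosuid)            (FreeBSD)
#   tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)  (Linux)
# noexec only blocks direct execution; the file can still be read or handed
# to an interpreter, so a dropped file on a noexec /tmp still merits analysis.
mount_has_noexec() {
    # Turn "(", ")" and "," into spaces so every option is a space-delimited token.
    opts=" $(printf '%s' "$1" | tr '(),' '   ') "
    case "$opts" in
        *" noexec "*) return 0 ;;
        *) return 1 ;;
    esac
}

# preserve_evidence FILE DEST_DIR: copy FILE (keeping mode and timestamps) into
# DEST_DIR, append "path size mode owner mtime sha256" to DEST_DIR/manifest.txt,
# and print the sha256 so the file can still be identified after deletion.
preserve_evidence() {
    f="$1"; dest="$2"
    [ -f "$f" ] || return 1
    mkdir -p "$dest" || return 1
    cp -p "$f" "$dest/$(basename "$f").quarantine" || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$f" | cut -d' ' -f1)      # GNU coreutils
    else
        sum=$(sha256 -q "$f")                       # FreeBSD
    fi
    if stat -c '%s %a %U %Y' "$f" >/dev/null 2>&1; then
        meta=$(stat -c '%s %a %U %Y' "$f")          # GNU stat
    else
        meta=$(stat -f '%z %Lp %Su %m' "$f")        # BSD stat
    fi
    printf '%s %s %s\n' "$f" "$meta" "$sum" >> "$dest/manifest.txt"
    printf '%s\n' "$sum"
}
```

Run `mount | grep ' /tmp '` through mount_has_noexec, and call preserve_evidence on the suspect file before removing it, so the manifest and quarantine copy survive for later comparison against known samples.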