Re: Server hacked - next...?
On Mon, Jun 30, 2003 at 08:03:11PM +0200, Marcin Owsiany wrote:
> > find / -uid 0 -perm 0400
>
> I guess this should have been 04000

Actually, it should be

    find / -uid 0 -perm +4000

Sorry about that..

-- 
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
Re: Server hacked - next...?
On Sun, Jun 29, 2003 at 09:47:13PM +0800, Jason Lim wrote:
> The user CGIs run as the user's UID... suexec.

suexec doesn't run PHP suid the owner, unless you're using php-cgi. By default, PHP is incredibly insecure. If a user is using an insecure PHP application (or any other insecure CGI application; I use PHP as an example due to the preponderance of administrators who do not realize this), they can run arbitrary commands as that user with relatively little work, and as such gain shell access.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

    find / -uid 0 -perm 0400

You will need to use a known-good copy of the `find' command. Copy it to the machine via sneakernet (by floppy) and run it locally. Even then, there's little guarantee the command is not being tampered with while running...

> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even setup a new server (with SE Linux

You have few options now but to do a complete reinstall. There is no intermediate step when a machine has been breached.

I mention PHP above because...

Briefly looking at your previous posts, it would appear that the machine was taken via the `www-data' user, suggesting either an Apache exploit, or an application running as the http daemon (the www-data user), which was not being run under suexec. From there, considering that you were (if I am recalling correctly) running a 2.4.17 kernel, which has a few known local root exploits (again, if I am recalling this correctly); I don't believe you mention if you are using Debian kernel packages, or vanilla source, or patched source.

However, the attack vector seems relatively clear: Web app/server (if you're running stable, that would be 1.3.26. If you are indeed keeping up with security updates, it should be patched against the known Apache remote exploits), to shell, to kernel or suid buffer overflow or something of that nature. From that point, they have root access. And don't bother hiding themselves at all, which is lucky for you, really.

Of course, all of the above is simply a hypothesis based on incomplete information, but...

I would suggest taking a look at what CGI you or your customers are running, and searching the web for known security issues with them.

-- 
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org
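An added example, not code from either of the two messages above: a shell function that does what bda's corrected `find / -uid 0 -perm +4000` is meant to do (enumerate setuid root files, and setgid ones as well), written so that the "known-good copy of find" advice is enforced rather than left to whatever `find` is first in $PATH. The function name, its arguments and the floppy mount point in the usage comment are assumptions; the code assumes GNU find and GNU coreutils `stat`, as shipped on Debian. It uses `-perm -4000` rather than the old GNU `+4000` spelling because `-mode` is POSIX and works with both old and current findutils.

```shell
#!/bin/sh
# Added example (not from the original thread): list setuid/setgid files owned
# by a given uid, calling an explicitly supplied find(1) so the caller can point
# it at a known-good binary instead of trusting the one in $PATH.
#
# Usage: list_privileged_files FIND_BINARY ROOT_DIR [UID]
#   FIND_BINARY  path to a trusted find, e.g. /mnt/floppy/find (assumed path)
#   ROOT_DIR     filesystem to walk, normally /; -xdev keeps the walk on that
#                filesystem, so call once per local mount (/, /usr, /var, ...)
#   UID          numeric owner to match; defaults to 0 (root)
#
# Output: one line per hit, "<octal mode> <owner uid> <path>", sorted so two
# runs (e.g. a clean baseline and the suspect box) can be compared with diff.

list_privileged_files() {
    _find=$1
    _root=$2
    _uid=${3:-0}

    # Refuse to run unless the supplied find is an executable regular file.
    # A typo here would otherwise silently fall back to the system find,
    # which on a compromised host may have been replaced.
    if [ ! -f "$_find" ] || [ ! -x "$_find" ]; then
        echo "refusing to run: $_find is not an executable file" >&2
        return 2
    fi

    # -perm -4000 matches files with the setuid bit set, -perm -2000 the setgid
    # bit. Note that the thread's original "-perm 0400" is an *exact* match on
    # mode 0400 (owner read-only), which is why it found nothing useful.
    # -user with a numeric argument matches by uid (GNU find and POSIX both
    # accept this); stat's %a prints the mode in octal, %u the owner uid.
    "$_find" "$_root" -xdev -type f -user "$_uid" \
        \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%04a %u %n' {} \; 2>/dev/null | sort
}

# Run directly when invoked with arguments; harmless when sourced.
case $# in
    2|3) list_privileged_files "$@" ;;
esac
```

Run it once on a freshly installed box of the same release and keep the output on read-only media; on a suspect host, `diff` the two listings. Anything new in the privileged set (or any known binary whose mode has gained a 4 or 2 in the first digit) is worth a closer look, bearing in mind the caveat in the post that a rootkit in the running kernel can still lie to a clean `find`.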
Re: DNS servers
> > should install dict and check it out. It's wacky!
>
> no, i just don't like djb's needless re-inventions of the wheel and i'm not
> particularly keen on change merely for the sake of change. i've changed the
> software i use many times over the years, but only when the benefits of
> changing significantly outweigh the disadvantages. there aren't any
> significant benefits of daemontools or ucspi-tcp over inetd and tcpwrappers.

If the wheel falls off the cart, maybe it needs to be re-thought. You're too entrenched in your crappy habits, it seems.

> both maradns and djbdns make reasonable caching-only servers. for me,
> maradns wins because of its license and its lack of djb weirdness.

Strange that djb's weirdness is a major selling point for myself and the more UNIX-philo-centric people I know.

> maradns isn't particularly good software, but a) it's GPL, b) it doesn't
> have djb's weird configuration style and c) it's adequate for the task i
> want to use it for. i still won't use it as an authoritative server because
> it isn't backwards compatible with bind zonefiles and its CSV1 zonefile
> format sucks.

So.. you're using software that sucks. But because it's got a more trendy license, you use it.

Your second reason I have no issue with. If you're more comfortable with it, hey, more power to you. The fact that you admit it's inferior negates both points B and C, however.

While I'm all for people not using or doing things for moral reasons -- I respect my vegan friends for these reasons, even if it does make them a pain to go to lunch with -- you don't seem to have that entirely in mind. Software is not made better or worse simply because of its license. Software can be judged on its own merit. Whether or not you feel you have a moral or ethical reason to use that software due to its licensing is something else entirely. I hate using Microsoft products not because they're so expensive, but because they're horrible applications.

> it's as if he reinvents stuff that works perfectly well just to make people
> conform to his strange ideas about how systems should be configured - throw
> everything out and implement DJB's One True Way.

Again, this is called innovation. It's when you see that things don't work how they should, and you go do it a better way. The fact that you don't agree with it is fine. The fact that you call people who DO find it useful groupies makes me wonder at your own maturity.

djb wrote something that makes sense to us. I guess everyone who uses Apache is just a groupie, then? The same can be said for idiotic Linux vs BSD wars. You use what makes sense, what works best for the situation; you don't use something because it has a SUPRA L33T COOL VALUE!!!1

What really pisses ME off is how people try to insist I use things just because they're `cutting edge' and are therefore so much kewler than what's currently standard. This is idiotic. I use applications that work. That's it. If it doesn't work, it has zero value to me. Work, however, has a number of connotations: Is it easy to maintain? Is it easy to automate? Is it secure? Can I easily replicate it if the machine it's currently living on falls into a pit and is eaten by Cthulhu and his dancing harem of tenor sax playing gerbils?

> aside from bind, there are replacements for all of those programs which
> solve their problems while still providing backwards compatibility.

Yet again, there is backwards compatibility. It's called converting your precious zone files to a less stupid format.

What all of this seems to come down to is that the djb One True Way you continue to refer to rubs you the wrong way. Well, that's perfectly fine. However, the fact that YOU act like djb has some sort of obligation to do things he doesn't agree with simply because you don't like how his software works is both insulting and counter-productive.

It seems to me, having used djb software for going on two years, that he doesn't suffer fools -- and neither does his software. The same could be, and has been, said for UNIX itself.

-- 
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org