issues with security

Mark Musone mmusone at shatterit.com
Mon Feb 2 13:20:17 EST 2004


There is an exploit for apache handling chunks, and also for mod_ssl.

Depending on what's running under PHP, there could be some bad
programming; however, it's most likely an Apache thing. What else
are you allowing through your firewall?

Although doing security audits and security monitoring for our clients
is a core part of our NOC group, we generally don't do it as an outside
professional service; however, if you are interested, feel free to email
me and I can see if we can set something up.



-----Original Message-----
From: owner-nflug at nflug.org [mailto:owner-nflug at nflug.org] On Behalf Of
cliff at cliffmeyers.com
Sent: Monday, February 02, 2004 12:46 PM
To: nflug at nflug.org
Cc: Darin.Perusich at cognigencorp.com
Subject: issues with security

Hi Everyone,


Apparently my first message didn't go through, so here I go again:


I've been away from the list for a little while, but been having a major problem here at the office so I figured I'd post to see if you guys had any ideas...

On the 22nd we had an issue with one of our systems that I thought had to do with some kind of hard drive error.  The system is a Red Hat Linux box, running primarily Apache and PHP to serve web sites.  I typically compile these things from source so I can have a little more control over configurability.

Anyways, as it turned out, I noticed late last week that there were processes running that shouldn't be there.  After I killed the processes I noticed files in the /tmp directory, where PHP stores most of the session files (unless I tell it to store them somewhere else).  There was a 'blackhole.c' file and some other things which had been compiled to run on my system.

I talked to my other programmer and we were going to come in Saturday to do a full re-install, but the hacker struck again Thursday night around 11 PM and defaced all of our sites.  I came into the office and spent the next 8 hours formatting, installing Red Hat 9, downloading all the newest source code for Apache and PHP, and getting everything set up.

Well, I get into work today, and guess what?  Another bad process and more files in the /tmp folder.  I killed them all again, and am going to do *another* reinstall tonight.  I was e-mailing a colleague asking for his input so I'll post a few of the ideas I had for how the hacker got back in.  Here they are:

(1)  I used the latest stable version of PHP, 4.3.4, when in fact there is a new version, 4.3.5RC1.  I wanted to avoid a release candidate version but that would be my first guess.

(2)  Some other vulnerability I don't know about.  I installed the latest version of every other package so that's probably unlikely.  Every other service is firewalled, so...

(3)  I used the web backup from the morning of the 30th so as to not lose any changes - perhaps there was something in there that is allowing the hacker to gain access again.

(4)  A problem with some of our PHP code.  Again, not sure how that's possible or what the issue might be.

Does anyone have any other ideas?  Can anyone direct me (or offer) security consulting services to help take a look?  Is there any other information I can provide?  This is the first time I've really dealt with this and my blood pressure is through the roof... thanks very much guys.


-Cliff Meyers
