Security Incidents mailing list archives
Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)
From: Frank Knobbe <frank () knobbe us>
Date: Sat, 10 Jul 2004 11:57:26 -0500
On Fri, 2004-07-09 at 13:15, nathan c. dickerson wrote:
> [...] During the first attack, they uploaded binaries and a perl script in /var/tmp/.../ , but since then, with the addition of non executable temporary directories, they have been simply using a perl script which connects back to spawn a shell on efnet IRC (uploaded in /dev/shm !) -- fairly clever. The IRC callback shell leads me to believe the access is blind. Again, they didn't have time to get root, as a combination of spotting the activity quickly and running the latest kernel. [...] Does anyone have any suggestions or pointers that would help me narrow down the security hole? I have brought the system into a state where system access is fairly complex to achieve with blind access, but not impossible to the dedicated.
It would certainly help knowing what OS you are running Apache on. From the statement about running the latest kernel, I assume you are running Linux. I'm not familiar with that environment as I'm a BSD guy :)

However, one thing that would definitely help is tighter firewall rules so that the attacker cannot spawn shells back to them or log into an IRC channel for control. In my BSD world, I have Apache running in a jail. There is no outbound connectivity from that jail to the Internet (on servers that need certain outbound access, it is allowed but limited to those connections/IPs that are required, nothing more). So even if the jailed httpd got compromised, there is no way to establish a connection back out to the attacker or some IRC channel.

Even if you can't jail Apache, you can tighten your firewall rules such that outbound access is restricted. Allow yourself to open the fw if you need to perform maintenance (downloading patches, etc), but lock it back up once you're done.

Good job catching that sucker, but it wasn't quite clear how you detected him. I always enjoy hearing from people how they detected attacks in progress. Perhaps you can shed some light on that. Please also list the other modules you have running on Apache so that we might be able to guess how they got into the box.

Cheers,
Frank
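The egress policy Frank describes (a jailed httpd with no outbound access, narrow exceptions for what the service needs, and a switchable maintenance window), written out as a pf.conf fragment. This is an added example, not configuration from the thread; the interface, the jail address, the resolver address and the anchor name are placeholders.

```conf
# Placeholders: adjust to the host's interface and the jail's IP alias.
ext_if   = "em0"
jail_ip  = "192.0.2.10"    # address the jailed httpd is bound to
resolver = "192.0.2.1"     # the one DNS server the jail is allowed to reach

set skip on lo0

# Inbound service traffic to the jailed Apache (mod_ssl means 443 as well).
pass in on $ext_if proto tcp from any to $jail_ip port { 80, 443 } \
    flags S/SA keep state

# Default deny for anything the jail originates. Logging it means a
# callback shell or IRC client running inside the jail shows up in
# pflog0 (tcpdump -n -e -ttt -i pflog0) instead of reaching the attacker.
block out log on $ext_if from $jail_ip to any

# pf is last-match: the exceptions below override the block above, and
# they are the complete list of what the service genuinely needs.
pass out on $ext_if proto udp from $jail_ip to $resolver port 53 keep state

# Maintenance window. Rules loaded into this anchor only exist while
# patching and are flushed afterwards, e.g.
#   echo "pass out on em0 from 192.0.2.10 to any keep state" | pfctl -a maint -f -
#   ... fetch patches ...
#   pfctl -a maint -F rules
anchor "maint"
```

On FreeBSD the jail's traffic leaves through the host's interface under the jail's IP alias, so the host's pf ruleset filters it without the jail needing any firewall of its own.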