Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
-- Marcel Mourguiart
What's the deal with this? Anyone else seeing this?

harpster:~ # yast2 --list
Available modules:
add-on autoyast bluetooth bootloader checkmedia controller dirinstall disk
dns dsl firewall groups host http-server hwinfo idedma inetd inst_release_notes
inst_source inst_suse_register isdn joystick keyboard lan language ldap lvm_config
modem mouse nis online_update online_update_setup pci_id power-management
powertweak printer profile-manager proxy remote restore routing runlevel scanner
security sound support sw_single sysconfig timezone update users vendor
view_anymsg x11
harpster:~ # yast2 users
No such client module users
Run 'yast2 -h' for help on usage
harpster:~ #
On Thursday 20 April 2006 12:20, Tim Harper wrote:
What's the deal with this? Anyone else seeing this?
Tim,
1) You've hijacked a thread instead of creating a new one. PLEASE don't do this!
2) How is anyone supposed to help if you don't even include what SUSE version you're working with???
regards, Carl
On Thursday 20 April 2006 12:02, Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
-- Marcel Mourguiart
Sorry to hear about your trouble, Marcel. I'd recommend you subscribe to the suse-security list and post your question there. For the record, one response to the article you cited describes this situation clearly: "World of FUD Masters... the MS fanboys are out in force again. I looked up PHP Arbitrary Code Execution and ANY OS that runs PHP is vulnerable (that includes MS Windows). This is a 3rd party [not a Linux] problem." Good luck! Carl
Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
The best way should be to update your PHP version with YOU, or if this is not sufficient, directly from the PHP site. I'm sure this bug is already fixed.
jdd
-- http://www.dodin.net
http://dodin.org/galerie_photo_web/expo/index.html
http://lucien.dodin.net
http://fr.susewiki.org/index.php?title=Gérer_ses_photos
On 4/20/06, jdd wrote:
Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
The best way should be to update your PHP version with YOU, or if this is not sufficient, directly from the PHP site.
I'm sure this bug is already fixed.
I have everything updated with YOU.
Carl: I'll subscribe to "suse-security" and I'm aware this is not a SUSE-specific bug or a Linux one, it's probably a PHP bug, which makes the problem just harder to resolve.
Anyway, if somebody knows the specific problem with PHP or has a clue, I'll be happy to hear.
Thanks a lot :) and sorry for my terrible English spelling.
-- Marcel Mourguiart
Hi, On Thu, 20 Apr 2006, Marcel Mourguiart wrote:
On 4/20/06, jdd wrote:
Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
The best way should be to update your PHP version with YOU, or if this is not sufficient, directly from the PHP site.
I'm sure this bug is already fixed.
I have everything updated with YOU.
Carl: I'll subscribe to "suse-security" and I'm aware this is not a SUSE-specific bug or a Linux one, it's probably a PHP bug, which makes the problem just harder to resolve.
Anyway, if somebody knows the specific problem with PHP or has a clue, I'll be happy to hear.
I am watching for "PHP invaders" with this cron job:

php-server1:1 21:39:34 ~ # cat bin/hack-detect
#!/bin/bash
export HOST=php-server1
export DATE=`date +%y%m%d.%H%M`
export B=/home/detector/bin            # private copies of the tools used below
SF=/home/detector/find.wwwrun
M="em@kki.org"
S="${HOST} hack-detect ${DATE}"
# rotate the previous snapshot
rm -f ${SF}.old ${SF}.dif
mv ${SF} ${SF}.old
# every process running as wwwrun, apart from the normal Apache workers
echo "=== Prozesse:" >${SF}
${B}/pstree -p wwwrun | grep -v ^httpd2-prefork | sort -u >>${SF}
# every file owned by wwwrun in the directories it may write to (PHP session files excluded)
echo "=== Dateien:" >>${SF}
for i in /tmp /var/lib/wwwrun /var/tmp
do
  ${B}/find $i -type f -user wwwrun | grep -v ^/tmp/sess_ | sort >>${SF}
done
# mail only what changed since the previous run
${B}/diff -U 0 ${SF}.old ${SF} | grep -v "^--- \|^+++ \|^@@ " >${SF}.dif
if [ -s ${SF}.dif ]; then
  mail -s"${S}" ${M} <${SF}.dif &
fi
php-server1:1 21:39:41 ~ #

It is simply monitoring all areas which are writable by the user wwwrun and all wwwrun processes. The invoked binaries reside in an exclusive place, so no rootkit will overwrite them. It does not protect in any way, it only alarms.

Cheers
-e
-- Eberhard Moenkeberg (emoenke@gwdg.de, em@kki.org)
Marcel Mourguiart wrote:
On 4/20/06, jdd wrote:
Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
The best way should be to update your PHP version with YOU, or if this is not sufficient, directly from the PHP site.
I'm sure this bug is already fixed.
I have everything updated with YOU.
Carl: I'll subscribe to "suse-security" and I'm aware this is not a SUSE-specific bug or a Linux one, it's probably a PHP bug, which makes the problem just harder to resolve.
Anyway, if somebody knows the specific problem with PHP or has a clue, I'll be happy to hear.
Did you write some PHP code yourself? Do you use "safe mode"? There are many things that can go wrong. The way I would recover from such a situation if I had not explicitly secured the machine before:

1. Are there any passwords on this server which are also used elsewhere? Change these passwords (only!) at the other locations.
2. Same for SSH keys.
3. Same for VPN keys.
4. Did you log into any machine from the compromised server? That machine is likely also compromised.
5. Log into the server via SSH (but make sure to disable agent forwarding).
6. Is the server physically accessible? If yes, goto 7. Else goto 11.
7. Suspend-to-disk.
8. Boot from a live DVD.
9. Make an image of the whole hard drive and copy it to another machine for later inspection.
10. Resume into the compromised installation.
11. Do you want to learn more, but risk losing some forensic data? If yes, goto 12. Else goto 18.
12. kill -STOP everything except the master sshd, your session sshd and your session bash.
13. Change the sshd configuration to only accept pubkey authentication and only accept connections from an IP address only you can use.
14. Restart sshd.
15. Check whether there are any non-stopped processes besides the ones mentioned in step 11. If there are any, kill -STOP them.
16. Change the root password.
17. Backup all filesystems to another computer (do NOT login to the other computer from the compromised machine, login to the compromised machine FROM the other computer instead).
18. echo 1 > /proc/sys/kernel/sysrq
19. echo s > /proc/sysrq-trigger
20. echo u > /proc/sysrq-trigger
21. echo b > /proc/sysrq-trigger
22. Boot from readonly installation media.
23. Back up all data to another machine.
24. Format and reinstall.
25. Run all updates.
26. Install and use tripwire.
27. Configure AppArmor or SELinux and learn to use it.
28. Restore your configuration from a known clean state.
29. Stop here unless you want to perform forensic analysis.
30. Make two copies of all data you gathered, at least one to readonly media to prevent accidental deletion.
31. Begin forensic analysis on a writable copy of your data.

First step suggested is a diff between last known clean state and current state.

Regards, Carl-Daniel
-- http://www.hailfinger.org/
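A dry-run helper for steps 12 to 15 (freeze everything except the master sshd, the session sshd and the session shell) and step 13 (the sshd_config lockdown) of the list above, added here as an example that is not part of the thread. It walks a "PID PPID COMM" process table to find the sshd processes that own the admin session, lists every other user-space PID as a candidate for kill -STOP, and prints the sshd_config directives for key-only access from one address; the process table, the admin user and the admin IP are constructed placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: dry-run helper for steps 12-15 (freeze all
# but the master sshd, session sshd and session shell) and step 13 (sshd_config).
# Input: a "PID PPID COMM" table, in real use from: ps -eo pid,ppid,comm

# Constructed sample process table (not real data).
SAMPLE_PS='PID PPID COMM
1 0 init
2 0 kthreadd
15 2 kworker/0
800 1 sshd
2300 800 sshd
2310 2300 bash
1200 1 httpd2-prefork
1999 1200 perl'

# Print the PID of every sshd on the path from $2 up to PID 1 in listing $1.
sshd_ancestors() {
    local listing=$1 cur=$2 out="" ppid comm
    while [ "$cur" != 0 ] && [ "$cur" != 1 ]; do
        set -- $(printf '%s\n' "$listing" | awk -v p="$cur" '$1==p {print $2, $3; exit}')
        [ $# -eq 2 ] || break
        ppid=$1 comm=$2
        [ "$comm" = sshd ] && out="$out $cur"
        cur=$ppid
    done
    printf '%s\n' "${out# }"
}

# Print PIDs to freeze from listing $1: everything except init, kernel threads
# and the protected PIDs passed as the remaining arguments.
select_pids_to_freeze() {
    local listing=$1; shift; local keep=" $* "
    printf '%s\n' "$listing" | while read -r pid ppid comm; do
        case "$pid" in ''|PID|1|2) continue ;; esac
        [ "$ppid" = 2 ] && continue                  # kernel thread
        case "$keep" in *" $pid "*) continue ;; esac
        printf '%s\n' "$pid"
    done
}

# Step 13: sshd_config directives; $1 = admin user, $2 = admin IP (placeholder).
sshd_lockdown_config() {
    printf '%s\n' "PasswordAuthentication no" "ChallengeResponseAuthentication no" \
                  "PubkeyAuthentication yes" "AllowUsers $1@$2"
}

# Demo on the sample table; on a real run pipe the PIDs to 'xargs kill -STOP' instead of sed.
protected=$(sshd_ancestors "$SAMPLE_PS" 2310)
select_pids_to_freeze "$SAMPLE_PS" $protected 2310 | sed 's/^/would run: kill -STOP /'
sshd_lockdown_config root 203.0.113.10
```

Step 15 is the same selection run a second time after the sshd restart, with the new session sshd added to the protected set.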
On 4/20/06, Carl-Daniel Hailfinger wrote:
Marcel Mourguiart wrote:
On 4/20/06, jdd wrote:
Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then I read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem?
Sorry if this is not the appropriate list, I'm just desperate.
The best way should be to update your PHP version with YOU, or if this is not sufficient, directly from the PHP site.
I'm sure this bug is already fixed.
I have everything updated with YOU.
Carl: I'll subscribe to "suse-security" and I'm aware this is not a SUSE-specific bug or a Linux one, it's probably a PHP bug, which makes the problem just harder to resolve.
Anyway, if somebody knows the specific problem with PHP or has a clue, I'll be happy to hear.
Did you write some PHP code yourself? Do you use "safe mode"? There are many things that can go wrong. The way I would recover from such a situation if I had not explicitly secured the machine before:
1. Are there any passwords on this server which are also used elsewhere? Change these passwords (only!) at the other locations.
2. Same for SSH keys.
3. Same for VPN keys.
4. Did you log into any machine from the compromised server? That machine is likely also compromised.
5. Log into the server via SSH (but make sure to disable agent forwarding).
6. Is the server physically accessible? If yes, goto 7. Else goto 11.
7. Suspend-to-disk.
8. Boot from a live DVD.
9. Make an image of the whole hard drive and copy it to another machine for later inspection.
10. Resume into the compromised installation.
11. Do you want to learn more, but risk losing some forensic data? If yes, goto 12. Else goto 18.
12. kill -STOP everything except the master sshd, your session sshd and your session bash.
13. Change the sshd configuration to only accept pubkey authentication and only accept connections from an IP address only you can use.
14. Restart sshd.
15. Check whether there are any non-stopped processes besides the ones mentioned in step 11. If there are any, kill -STOP them.
16. Change the root password.
17. Backup all filesystems to another computer (do NOT login to the other computer from the compromised machine, login to the compromised machine FROM the other computer instead).
18. echo 1 > /proc/sys/kernel/sysrq
19. echo s > /proc/sysrq-trigger
20. echo u > /proc/sysrq-trigger
21. echo b > /proc/sysrq-trigger
22. Boot from readonly installation media.
23. Back up all data to another machine.
24. Format and reinstall.
25. Run all updates.
26. Install and use tripwire.
27. Configure AppArmor or SELinux and learn to use it.
28. Restore your configuration from a known clean state.
29. Stop here unless you want to perform forensic analysis.
30. Make two copies of all data you gathered, at least one to readonly media to prevent accidental deletion.
31. Begin forensic analysis on a writable copy of your data.
First step suggested is a diff between last known clean state and current state.
Regards, Carl-Daniel
Thanks Carl, that's an excellent guide of "What to do when you get hacked - How to". Well, just to let you know, the hacker used a PostNuke vulnerability to download a spam engine, so basically my server was a spam server. Analyzing the attack it seems he didn't get root, but I'm not sure about it, so I'll reinstall the entire system. By the way, to stop this kind of attack, I think the easiest way is to restrict the "wget" command so only root can use it, that way they can't download the spam engine. That should work assuming they don't get root power. This was not a hack for fun, they were professional spammers (Brazilians I think); the mail they sent was a fake "terra music" with a link to listen to a "song", the song was a ".com" file which I could not analyze because it was removed from the server when I checked. Thanks again.
-- Marcel Mourguiart
On Friday 21 April 2006 09:34, Marcel Mourguiart wrote:
Do you know where I can get the RPM for AppArmor (SUSE 10.0)?
Hi Marcel, It was installed automatically on my 10.0 system and has its own entry in my YaST2 Control Center main menu. regards, Carl