Marcel Mourguiart wrote:
On 4/20/06, jdd wrote:
Marcel Mourguiart wrote:
Hi, I have a web server with SUSE 10 (PHP, Apache, PostNuke, etc.). My connection has been stopped because MY server is making DDoS attacks.
Then i read this: http://blogs.zdnet.com/threatchaos/?p=310
Is there a patch, link or whatever you can give me to resolve the problem??
Sorry if this is not the appropriate list, I'm just desperate.
The best way should be to update your PHP version with YOU, or if this is not sufficient directly from the PHP site.
I'm sure this bug is already fixed.
I have everything updated with YOU.
Carl: I'll subscribe to "suse-security" and I'm aware this is not a SUSE specific bug or a Linux one, it is probably a PHP bug, which makes the problem just harder to resolve.
Anyway, if somebody knows the specific problem with PHP or has a clue, I'll be happy to hear.
Did you write some PHP code yourself? Do you use "safe mode"? There are many things that can go wrong. The way I would recover from such a situation if I had not explicitly secured the machine before:

1. Are there any passwords on this server which are also used elsewhere? Change these passwords (only!) at the other locations.
2. Same for SSH keys.
3. Same for VPN keys.
4. Did you log into any machine from the compromised server? That machine is likely also compromised.
5. Log into the server via SSH (but make sure to disable agent forwarding).
6. Is the server physically accessible? If yes, goto 7. Else goto 11.
7. Suspend-to-disk.
8. Boot from a live DVD.
9. Make an image of the whole hard drive and copy it to another machine for later inspection.
10. Resume into the compromised installation.
11. Do you want to learn more, but risk losing some forensic data? If yes, goto 12. Else goto 18.
12. kill -STOP everything except the master sshd, your session sshd and your session bash.
13. Change the sshd configuration to only accept pubkey authentication and only accept connections from an IP address only you can use.
14. Restart sshd.
15. Check whether there are any non-stopped processes besides the ones mentioned in step 11. If there are any, kill -STOP them.
16. Change the root password.
17. Back up all filesystems to another computer (do NOT log in to the other computer from the compromised machine, log in to the compromised machine FROM the other computer instead).
18. echo 1 > /proc/sys/kernel/sysrq
19. echo s > /proc/sysrq-trigger
20. echo u > /proc/sysrq-trigger
21. echo b > /proc/sysrq-trigger
22. Boot from read-only installation media.
23. Back up all data to another machine.
24. Format and reinstall.
25. Run all updates.
26. Install and use tripwire.
27. Configure AppArmor or SELinux and learn to use it.
28. Restore your configuration from a known clean state.
29. Stop here unless you want to perform forensic analysis.
30. Make two copies of all data you gathered, at least one to read-only media to prevent accidental deletion.
31. Begin forensic analysis on a writable copy of your data. First step suggested is a diff between last known clean state and current state.

Regards,
Carl-Daniel
-- http://www.hailfinger.org/
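The hard part of steps 12 and 15 above is not stopping your own SSH session by mistake. The following is an added example, not code from Carl-Daniel or the thread: it assumes a Linux /proc, derives the protected set from the current shell's ancestor chain (session bash, session sshd, master sshd, init) instead of guessing PIDs, and otherwise lists or SIGSTOPs every process that is not already in state T.

```bash
#!/bin/sh
# Added example (not from the thread). Implements step 12/15 of the recovery
# list: freeze everything except this shell and its ancestors (session bash
# -> session sshd -> master sshd -> PID 1). Assumes a Linux /proc filesystem.

# Parse the state letter (R, S, D, T, Z, ...) out of one /proc/PID/stat line.
# The comm field sits in parentheses and may itself contain spaces or ')',
# so everything up to the LAST ')' is discarded before splitting on blanks.
stat_state() {
    rest="${1##*)}"          # text after the last ')': state is the 1st field
    set -- $rest
    printf '%s\n' "$1"
}

# Return 0 if PID $1 occurs in the space-separated list $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Protected set: this shell ($$) and every ancestor up to PID 1, read from
# the PPid line of /proc/PID/status. Stops early if /proc is unavailable.
protected_pids() {
    pid=$$
    list=""
    while [ "$pid" -gt 1 ]; do
        list="$list $pid"
        pid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status") || break
    done
    printf '%s\n' "$list 1"
}

# Print every PID that is neither protected nor already stopped (state T).
# With "$1" = stop, also send SIGSTOP to each of them (step 12); run it
# again without the argument to verify nothing is left running (step 15).
freeze_others() {
    prot=$(protected_pids)
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        in_list "$p" "$prot" && continue
        line=$(cat "$d/stat" 2>/dev/null) || continue   # process exited meanwhile
        [ "$(stat_state "$line")" = "T" ] && continue
        echo "$p"
        [ "$1" = "stop" ] && kill -STOP "$p" 2>/dev/null
    done
    return 0
}
```

Run `freeze_others` first to review the list, then `freeze_others stop` once the protected set looks right; kernel threads show up in the list but ignore SIGSTOP.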