Re: security issues with apache!
\ Josep Serrano (7 Mar 2006)
. \ Ismail (7 Mar 2006)
. . \ Josep Serrano (7 Mar 2006)
. . \ Brian Brazil (7 Mar 2006)
. . \ Florian Reitmeir (7 Mar 2006)
. . . \ Enver ALTIN (13 Mar 2006)
. . . . \ Steve Kemp (13 Mar 2006)
. \ Stephen Gran (7 Mar 2006)
. \ Jon Dowland (7 Mar 2006)
Subject:Re: security issues with apache!
Group:Debian-security
From:Josep Serrano
Date:7 Mar 2006


 
Hello Petter

The actual list for security issues is debian-security. The address of this list is
on the CC. We can now leave debian-user and switch our discussion into
debian-security.

This is quite a hole! Can't believe there's such a big spot in Apache / Sarge and we
didn't hear of it. Can you please share more details with us?

Give us your current package versions of apache (using dpkg -s for example). If you
suspect the installation could be compromised run a test on the checksums.

Your access logs could contain precious information. Have a look at them and post to
the list any significant parts (removing any ip/host address you don't want to get
published).

We still don't know what you use your apache for. Most of the problems come from
poor PHP scripts. What scripts/services are you running on this server?

Can you post a sample of your netstat, your list of processes for user www-data, and a
sample of the files you find in your /tmp ?


Regards,
Josep SERRANO


> Hi
>
> I'm not completely new to Debian or Linux, but I wouldn't classify
> myself as a battlescarred sysadmin just yet :)
>
> Anyways. My problem is security-related, and I hope that I'm posting to
> the correct list as well as hoping that someone can help me out here.
>
> Recently I've noticed that my Apache-installation gets violated and that
> an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it
> makes Apache execute these. Unfortunately these are some rather nasty
> things, mostly portscanners and bruteforce-attacks. They are all easily
> detected with netstat, and at least once a day I have to go in and kill
> the processes spawned by www-data (the user that runs Apache) as well as
> delete the offending files.
>
> Now, like I said - I'm not a pro, I'm trying to learn by doing.
> Unfortunately how this happens is way over my experience, and now I
> could really use some help in fixing this leak. I've narrowed it down to
> Apache only, but I have no clue as to how to seal the leak. I'm running
> a small server in my home using (mostly) Debian Sarge. This is a real
> Frankenstein-machine as it was originally a Woody-box, but it's been
> upgraded with bits from all over. It's been running pretty much
> constantly for three years. Of course I apply security fixes when they
> arrive, but I don't know if the source of these intrusions is Apache or
> just that I have managed to fubar some setting somewhere, allowing an
> attacker to make Apache execute code.
>
> Essentially the machine is Debian Sarge, with MySQL and PHP4. There are
> other services running on it, but I've noticed that the
> intrusions/code-executions only happen through Apache. MySQL only
> listens on localhost and accepts no connections from the outside. Hence,
> I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 and
> PHP 4.3
>
> I deeply appreciate any help that can make me seal this leak! Thank you
> all in advance!
>
> /petter senften
>
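
The checks requested in the reply above, collected into one script. This is an added example, not part of the original thread: the function names, the `--run` switch and the use of `debsums` for the checksum test are assumptions, while `www-data`, `/tmp` and `/var/tmp` come from the messages.

```shell
#!/bin/sh
# Added example: gathers what the reply asks for. Function names are this
# example's own; www-data, /tmp and /var/tmp come from the thread.

# Mask IPv4 addresses on stdin, for log excerpts posted to a public list.
redact_ips() {
    sed -E 's/([0-9]{1,3}\.){3}[0-9]{1,3}/x.x.x.x/g'
}

# Print regular files owned by user $1 (name or numeric uid) under the
# directories given as remaining arguments; dot-directories are included.
files_owned_by() {
    owner=$1; shift
    find "$@" -xdev -type f -user "$owner" 2>/dev/null
}

triage() {
    user=${1:-www-data}
    echo "== installed apache/php packages =="
    dpkg -l 'apache*' 'php4*' 2>/dev/null | grep '^ii'

    echo "== changed packaged files (assumes debsums is installed) =="
    # The reference md5sums sit on the same disk, so a root-level
    # compromise could have altered them as well.
    dpkg-query -W -f='${Package}\n' 'apache*' 'php4*' 2>/dev/null |
        while IFS= read -r pkg; do debsums -c "$pkg" 2>/dev/null; done

    echo "== processes of $user =="
    ps -u "$user" -o pid,ppid,lstart,args 2>/dev/null

    echo "== sockets with owning process (needs root for -p) =="
    netstat -tunp 2>/dev/null

    echo "== files owned by $user in /tmp and /var/tmp =="
    files_owned_by "$user" /tmp /var/tmp |
        while IFS= read -r f; do ls -ld "$f"; done
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then triage "${2:-www-data}"; fi
```

Capture the output before killing the processes or deleting the files, and pipe any access-log excerpt through `redact_ips` before posting it.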

