This is a discussion on "Security Experts, help, what is this (bad stuff)?" within the Linux Security forums, part of the System Security and Security Related category.
Mungo spilled the following:
> 2. Every damn time I have seen r0nin it got in through one of the many php fiascos (phpNuke and phpBB come to mind most often). They keep patching php and new php exploits keep appearing. The old r0nin used to look for the do_brk() exploit in the kernel. Your r0nin seems larger than the one I last saw. Maybe I remember wrong. I didn't have the time to open it. Maybe one of the disassembly boys in the group can look at it.

Bit unfair on PHP IMHO; there have been relatively few security patches in PHP itself (I think the last major issue was the safemode thing, fixed in 4.1), a few more in the support libraries (the exif thing recently). Admittedly there tend to be a lot of vulnerabilities in packaged PHP applications like phpBB, postNuke because they are poorly implemented.

C.

"prg" <rdgentry1@cablelynx.com> wrote in news:1114882015.046776.295150
@l41g2000cwc.googlegroups.com:

> You might want to email the 4 above and offer some info, eg., BadStuff.tgz;)
>
> Good that you did not ignore this like some folks would have.
>
> regards,
> prg

Yes, I sure will. Cannot ignore this one, it is rampant. The tgz file that I submitted to the newsgroup was where the running process was found. There was other nasty stuff in /var/tmp, and redhat really does not use /var/tmp so all of it was bad. Also found many files owned by apache that were bad in /tmp. This system is shot to hell. I was going to wait until next week, Saturday, to do this as that is when I have off from work and my wife is working, e.g.: she won't bitch that the network is down all day. Since this is way too serious, I have already downloaded the FC3 disc set and am off to CompUSA this minute to get a 200+ Gb hard drive to do a fresh install, today, of FC3.

Since I believe that this all started with phpbb, I will not use that in the future anymore. Will have to find a new way, and will also get up a real hard firewall. Would like something that I can administer with a front end, shorewall has a plugin for webmin, might use that. I need to get NAT up right away so that the wife can surf while I work on the other stuff.

This is really great stuff, thank you so much prg. This is the kind of help that I really need and will get to work right now. Appreciate the actual, helpful advice and that you did not give me the "get it off the net NOW" advice with little or nothing else to actually address the issues at hand. The machine will be gone today, only running it now as a gateway with firewall locked pretty tightly down and no servers or mail service at all. Will be back later on or in the next few days to show the group what progress I made. You guys really helped a lot, thank you all very much.

Good day.

--
~Ohmster
ohmster at newsguy dot com
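The triage step Ohmster describes above (looking for files the web-server account owns in /tmp and /var/tmp) written out as a small shell helper. This is an added example, not code from the thread or from any of its posters; the account name `apache` and the directories /tmp and /var/tmp are defaults taken from the post, the sample files in the test are constructed, and the script is only meaningful when run with trusted binaries (a rescue image or a statically linked toolset), since a compromised host's own find(1) may have been replaced.

```shell
#!/bin/sh
# Added example (not from the thread): list files in scratch directories that
# belong to the web-server account, as part of an incident record.
# Assumptions: the account name and directory list are parameters; "apache",
# /tmp and /var/tmp are defaults borrowed from the post, nothing more.

# list_owned_files DIR USER
# Prints every regular file under DIR owned by USER, one path per line,
# sorted. A missing DIR is not an error: it simply yields no output.
list_owned_files() {
    dir=$1
    user=$2
    [ -d "$dir" ] || return 0
    find "$dir" -type f -user "$user" 2>/dev/null | sort
}

# count_owned_files DIR USER
# Number of files list_owned_files would print.
count_owned_files() {
    list_owned_files "$1" "$2" | wc -l | tr -d ' '
}

# list_owned_executables DIR USER
# Same as above, restricted to files carrying the owner-execute bit; a web
# server account has no business owning executables in a scratch directory.
list_owned_executables() {
    [ -d "$1" ] || return 0
    find "$1" -type f -user "$2" -perm -u+x 2>/dev/null | sort
}

# scan_scratch_dirs USER [DIR...]
# Per directory: the count of USER-owned files, then a long listing (mode,
# size, mtime) of the executables among them, so the output can be kept.
scan_scratch_dirs() {
    user=$1
    shift
    [ $# -gt 0 ] || set -- /tmp /var/tmp
    for d in "$@"; do
        printf '== %s: %s file(s) owned by %s\n' \
            "$d" "$(count_owned_files "$d" "$user")" "$user"
        list_owned_executables "$d" "$user" | while IFS= read -r f; do
            ls -l "$f"
        done
    done
}

# Usage: sh triage.sh apache            (scan /tmp and /var/tmp)
#        sh triage.sh apache /dev/shm   (scan a different directory)
if [ $# -gt 0 ]; then
    scan_scratch_dirs "$@"
fi
```

The listing is deliberately read-only: nothing is deleted or moved, because the files (and their timestamps and ownership) are the evidence of how and when the web application was used to drop them, and that is what decides whether the box is rebuilt, as Ohmster did, or merely cleaned.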
Colin McKinnon <colin.thisisnotmysurname@ntlworld.deletemeunlessu rabot.com> wrote:
> Bit unfair on PHP IMHO; there have been relatively few security patches in PHP itself (I think the last major issue was the safemode thing, fixed in 4.1), a few more in the support libraries (the exif thing recently). Admittedly there tend to be a lot of vulnerabilities in packaged PHP applications like phpBB, postNuke because they are poorly implemented.

I think the biggest problem is that most distros ship a default php.ini that's wide open for developers' convenience, but people fail to realise that such trusting configurations are not intended for deployment.
On Sun, 01 May 2005 17:21:52 +0000, Ohmster wrote:
> "prg" <rdgentry1@cablelynx.com> wrote in news:1114882015.046776.295150@l41g2000cwc.googlegroups.com:
>
>> You might want to email the 4 above and offer some info, eg., BadStuff.tgz;)
>>
>> Good that you did not ignore this like some folks would have.
>>
>> regards,
>> prg
>
> Yes, I sure will. Cannot ignore this one, it is rampant. The tgz file that I submitted to the newsgroup was where the running process was found. There was other nasty stuff in /var/tmp, and redhat really does not use /var/tmp so all of it was bad. Also found many files owned by apache that were bad in /tmp. This system is shot to hell. I was going to wait until next week, Saturday, to do this as that is when I have off from work and my wife is working, e.g.: she won't bitch that the network is down all day. Since this is way too serious, I have already downloaded the FC3 disc set and am off to CompUSA this minute to get a 200+ Gb hard drive to do a fresh install, today, of FC3.
>
> Since I believe that this all started with phpbb, I will not use that in the future anymore. Will have to find a new way, and will also get up a real hard firewall. Would like something that I can administer with a front end, shorewall has a plugin for webmin, might use that. I need to get NAT up right away so that the wife can surf while I work on the other stuff.
>
> This is really great stuff, thank you so much prg. This is the kind of help that I really need and will get to work right now. Appreciate the actual, helpful advice and that you did not give me the "get it off the net NOW" advice with little or nothing else to actually address the issues at hand. The machine will be gone today, only running it now as a gateway with firewall locked pretty tightly down and no servers or mail service at all. Will be back later on or in the next few days to show the group what progress I made. You guys really helped a lot, thank you all very much.
>
> Good day.

He did give you good help, and others also did and took their time to read and answer with good advice (which it seems you did finally accept). ;-) I'm glad you are getting your system back together and wish you well.

I think you are misguided if you think you have any right to be offended when anyone tells you to take a compromised system offline. It's really pretty fundamental that you have a responsibility to other users to keep your systems secure and avoid harming them. You have no way of knowing how many other users were injured in the time that you selfishly refused to disconnect, or how much damage you may have caused during that time period. That was your choice, but it was not right and you should not have assumed it was your right to leave it connected. Hope you do better next time.
Newsbox <nospam_for_me_please@thanks.invalid> wrote in
news:Ic2dnYTl6a280-jfRVn-ow@acadia.net:

> He did give you good help, and others also did and took their time to read and answer with good advice (which it seems you did finally accept). ;-) I'm glad you are getting your system back together and wish you well.
>
> I think you are misguided if you think you have any right to be offended when anyone tells you to take a compromised system offline. It's really pretty fundamental that you have a responsibility to other users to keep your systems secure and avoid harming them. You have no way of knowing how many other users were injured in the time that you selfishly refused to disconnect, or how much damage you may have caused during that time period. That was your choice, but it was not right and you should not have assumed it was your right to leave it connected. Hope you do better next time.

This is the third time that I began a lengthy response to newsbox and the third time that I cancelled it before finishing or sending it. It will become long, drawn out, and off topic for the newsgroup. Just not going to get drawn into this, IMHO, "OT discussion". I came here for spam and security help, I got it, I am appreciative, and I am saying thanks, to everyone, including newsbox. ;>)

Just take it for what it is, "sincere thanks".

--
~Ohmster
ohmster at newsguy dot com
On Sun, 01 May 2005 22:17:35 GMT,
Ohmster (notareal@emailaddress.com) wrote:

> This is the third time that I began a lengthy response to newsbox and the third time that I cancelled it before finishing or sending it. It will become long, drawn out, and off topic for the newsgroup. Just not going to get drawn into this, IMHO, "OT discussion". I came here for spam and security help, I got it, I am appreciative, and I am saying thanks, to everyone, including newsbox. ;>)
>
> Just take it for what it is, "sincere thanks".

Ohmster - the last suggestion I have is, if you're running mission critical services on your server, keep a backup server offline that is up to date with whatever security patches are available for your OS. This is not as expensive as it sounds (especially with x86 hardware). The backup server doesn't need the same robust hardware in your primary server. Its job is just to give you a little time to fix your primary server.

If you aren't running mission critical services, then be less recalcitrant to pull the plug.

I think that Rick Moen wrote a really nice article in response to your post, describing his own experience, and how long it took him to get back online. Keeping in mind that Rick is an expert on Linux security, I think his approach is worth giving serious consideration to.

Beverly

--
Many a smale maketh a grate -- Geoffrey Chaucer
On Sun, 01 May 2005 22:17:35 +0000, Ohmster wrote:
> Newsbox <nospam_for_me_please@thanks.invalid> wrote in news:Ic2dnYTl6a280-jfRVn-ow@acadia.net:
>
>> He did give you good help, and others also did and took their time to read and answer with good advice (which it seems you did finally accept). ;-) I'm glad you are getting your system back together and wish you well.
>>
>> I think you are misguided if you think you have any right to be offended when anyone tells you to take a compromised system offline. It's really pretty fundamental that you have a responsibility to other users to keep your systems secure and avoid harming them. You have no way of knowing how many other users were injured in the time that you selfishly refused to disconnect, or how much damage you may have caused during that time period. That was your choice, but it was not right and you should not have assumed it was your right to leave it connected. Hope you do better next time.
>
> This is the third time that I began a lengthy response to newsbox and the third time that I cancelled it before finishing or sending it. It will become long, drawn out, and off topic for the newsgroup. Just not going to get drawn into this, IMHO, "OT discussion". I came here for spam and security help, I got it, I am appreciative, and I am saying thanks, to everyone, including newsbox. ;>)
>
> Just take it for what it is, "sincere thanks".

Your thanks are accepted with a "you are welcome". ;/

Anything that you feel you need to say that is related to security is not "off topic" and can be posted here. Whatever you feel you need to say to me personally, or you think is personal or off-topic you can e-mail to me (remove the white spaces and interpret the "at"'s) at n e w s b o x a t c u s t o m e r s - o f - a d e l p h i a d o t o r g. I may repost anything you send me right back here, or not.

Too bad you had to try three times to say what you wanted. If this were real time, well, well,well,well,well,well,well,well,...
Newsbox <nospam_for_me_please@thanks.invalid> wrote in
news:oJCdnYpON6U0R-jfRVn-tg@acadia.net:

> Your thanks are accepted with a "you are welcome". ;/
>
> Too bad you had to try three times to say what you wanted. If this were real time, well, well,well,well,well,well,well,well,...

;>)

--
~Ohmster
ohmster at newsguy dot com
Bev A. Kupf wrote:
> Ohmster - the last suggestion I have is, if you're running mission critical services on your server, keep a backup server offline that is up to date with whatever security patches are available for your OS. This is not as expensive as it sounds (especially with x86 hardware). The backup server doesn't need the same robust hardware in your primary server. Its job is just to give you a little time to fix your primary server.

This is excellent advice for anyone running mission critical services. In fact I keep two mirrored systems ready, that way I can take the primary system down for maintenance etc. and it only takes me two or three minutes to switch from one system to another. With two mirrors I still have a backup even when I'm doing maintenance on one system.

As you said with x86 systems being given away it is pretty easy to have a couple of spares. I just got 60 computers from a big company that upgraded their systems and needed somewhere to 'throw' the old systems. I take the systems and wipe the hard drives and install a fresh Linux system on them. I donate a lot of the computers to churches and private schools, and keep a couple for myself. I send the original company a letter on my company letter head saying that the systems have been wiped clean and a new Open Source OS installed. They are happy and about 55 people who could not afford a computer have one with an Open Source OS on it.
In comp.os.linux.security Barton L. Phillips <bartonphillips@sbcglobal.net>:
> Bev A. Kupf wrote:
>> Ohmster - the last suggestion I have is, if you're running mission critical services on your server, keep a backup server offline that is up to date with whatever security patches are available for your OS. This is not as expensive as it sounds (especially with x86 hardware). The backup server doesn't need the same robust hardware in your primary server. Its job is just to give you a little time to fix your primary server.

> This is excellent advice for anyone running mission critical services. In fact I keep two mirrored systems ready, that way I can take the primary system down for maintenance etc. and it only takes me two or three minutes to switch from one system to another. With two mirrors I still have a backup even when I'm doing maintenance on one system.

You could alternatively set up two or more of them as an LVS cluster, if the services you are providing are running with LVS; common services like http and alike work.

> As you said with x86 systems being given away it is pretty easy to have a couple of spares. I just got 60 computers from a big company that upgraded their systems and needed somewhere to 'throw' the old systems. I take the systems and wipe the hard drives and install a fresh Linux system on them. I donate a lot of the computers to churches and private schools, and keep a couple for myself. I send the original company a letter on my company letter head saying that the systems have been wiped clean and a new Open Source OS installed. They are happy and about 55 people who could not afford a computer have one with an Open Source OS on it.

Sounds great + noble! Would be interesting to know how many of them are happily used with Linux on them and which percentage will be wiped and installed with some illegal doze copy? What kind of distro do you install? What about support, do those people get rootly powers or any other help?

What about updates, presuming most people will connect them to the internet?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 334: 50% of the manual is in .pdf readme files