Re: phpBB vulnerability exploited

To: "Francesco P. Lovergine" <frankie@debian.org>
Cc: debian-isp@lists.debian.org
Subject: Re: phpBB vulnerability exploited
From: "Lucas Albers" <albersl@cs.montana.edu>
Date: Tue, 11 Jan 2005 22:08:43 -0700 (MST)
Message-id: <[🔎] 3907.209.137.237.154.1105506523.squirrel@webmail.cs.montana.edu>
Reply-to: albersl+debianAZF031104@cs.montana.edu
In-reply-to: <20041213135741.GA21866@ba.issia.cnr.it>
References: <362368499.20041212234642@onee.sk> <200412122217.20006.fraser@georgetown.wehave.net> <20041213114441.24747.qmail@pechkin.minfin.bg> <20041213135741.GA21866@ba.issia.cnr.it>

Francesco P. Lovergine said:

> I run apache using dchroot to avoid the most common problems.
> Breaking a chroot is possible, but not so easy and it's more
> difficult within dchroot which _should_ drops privileges properly AFAIK.
> I do that commonly for hosting services where users can run their own
> php and cgi scripts. That cannot avoid creating shells services, surely
> but avoid password cracking, use of cron, access to kernel modules
> and log files, and so on.

I had one of our machines cracked by this exploit.
Further Mitigation:
Running a security hardened kernel and a full input/output blocking
iptables script prevented further exploit.
I use both these options in a grsec vserver hardened kernelt to prevent
exploit and make it trivial to restore a system if it get's cracked.
Here is a sample iptables hardening script, for grins and giggles for a
webserver...
 (see below...let me know if you see any obvious improvements.)
Run the bastille tmpsetter program to create a random tmp and temp
variable for each process in a subdirectory of /tmp, therefore preventing
another process even of the same user from accessing a file that was
uploaded.

Can you mount a directory such as /tmp with noexec or similar options if
it is not a seperate partition?

h=153.90.xxx.xx
IPT=/sbin/iptables
eth=eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i eth0 -s ! adminhost -m state --state NEW -m tcp -p
tcp --dport 22 -j REJECT
iptables -A INPUT -i eth0 -s ! backuphost  -m state --state NEW  -m tcp -p
tcp --dport rsync -j REJECT


iptables -A INPUT -i eth0 -s DNS1 -m udp -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -d DNS1 -m udp -p udp --dport 53 -j ACCEPT

iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80:443 -j ACCEPT

iptables -A INPUT -i eth0  -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -o eth0  -j REJECT --reject-with icmp-port-unreachable
#include outgoing web traffic to apt-proxy server for apt-get updates...

-- 
--Luke CS Sysadmin, Montana State University-Bozeman

Reply to:

Prev by Date: Re: [OT] Backup on DLT (recommandation)
Next by Date: Re: phpBB vulnerability exploited
Previous by thread: Re: suexec permissions
Next by thread: Re: phpBB vulnerability exploited
Index(es):
- Date
- Thread