
Re: chkrootkit has me worried!



Quoting kevin bailey (kbailey@freewayprojects.com):

> what with it being several different symptoms i tend to think this is not a
> false positive.

Concur.

> cause:
> 
> this is an old server which has been running for 4 years.

If such an old server is maintained and administered properly, and if 
you don't get unlucky and suffer compromise because a remote user's 
login credentials were stolen elsewhere, then host age alone is not 
a problem.

> i have tried out lots of different things on this server and have made the
> mistake of leaving unnecessary services running.

Whoops.  That is a risk factor.

> in this case i think that webmin was running the miniserv.pl server and this
> had a security warning issued for the version i had.

Yes.  Be aware that many CGI-based services are just plain risky on
account of bad implementation (e.g., failure to validate input), and
that the security team can't save you from this.  Only alert and
cautious system administration can.

> it doesn't seem to have been fixed in the debian security fixes - i'll
> contact debian RE this.

So, here's my favourite example of the "bad implementation" problem:
AWstats.  It's had a long history of:

o  Someone finds yet another way its stats-generating CGI can be subverted by
   sending it aberrant URL information from the public.
o  The upstream maintainer issues an update.
o  Debian issues a new package.
o  An exploit emerges and gets rolled into automated attack tools.
o  Lather, rinse, repeat.

If you look more closely at AWstats, you might start to wonder:  "I
guess the author never quite got input validation right.  But why 
does it have to run as a CGI (awstats.pl) in the first place?  Can't it
run as a cronjob, instead, generating the same stats page as static HTML
every hour, instead?"

And you'd be right to wonder.  That's a solved problem, thanks to Steve
Kemp over at debian-administration.org:
http://www.debian-administration.org/articles/85

I keep meaning to file a very polite bug with Debian maintainer Jonas
Smedegaard, suggesting that static-page mode be the default since
upstream's CGI default is (in my opinion) too risky, but I haven't done
that yet.

> also - very luckily - no data on the server has been damaged.  it seems to
> spawn lots of hidden processes and has had to be rebooted to get it under
> control again.

With respect, you have rather little reason to believe that you yet have
control.  Since it is highly likely that your site was root-compromised,
your best course of action is to rebuild with the same data files but
entirely fresh software from trusted media, avoiding direct reuse of any
of your existing configuration files or user dotfiles.

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

> main points learnt.
> 
> make sure you have snapshot backups going back months.
> 
> regularly run chkrootkit and get the server to email the results to you.

chkrootkit is useful (as is rkhunter) as a last-gasp doublecheck to
increase your confidence that your other security precautions have
worked.  It's a "canary".  However, it had better not be used in place
of those precautions, or you're already in trouble.  Let's use an
analogy from public health:

chkrootkit is the blood test that informs you that you have a case of
amoebic dysentery.  Your suggestion amounts to "Well, then I mostly need
bloodwork done every few months.  Never mind that bit about being
careful about eating raw shellfish caught near sewage outfalls and
eating in restaurants with questionable sanitary practices."

The Debian security team is your county's restaurant inspectors.
AWstats's default CGI-generated mode is that bucket of raw oysters.  

> but mainly only run required services - and check them closely - and don't
> rely on your distro to incorporate every single security patch required for
> your server.

Right, and remember that the health inspectors can't guarantee every
oyster -- and that fugu from a reputable restaurant can still kill you.

(I hope you don't mind if I publish our correspondence in Linux Gazette,
http://linuxgazette.net/ .)

-- 
Cheers,             
Rick Moen                 "Anger makes dull men witty, but it keeps them poor."
rick@linuxmafia.com                                   -- Elizabeth Tudor
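The "canary" use of chkrootkit that the reply describes (run it regularly from cron, have the results mailed to you), as an added example that is not part of the original correspondence. The script keeps a baseline of the scanner's findings and mails only lines that are new since the baseline, so an unchanged daily report does not train the recipient to ignore the mail. The scanner command (`chkrootkit -q`), the `mail` command, the baseline path under /var/lib/rkcheck and the sample scanner lines are all assumptions or constructed values, not anything the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron wrapper that treats a rootkit
# scanner as a canary. It keeps a baseline of the scanner's findings and mails
# only the lines that are new since that baseline.
# Assumptions (not from the page): the scanner is chkrootkit, mail is sent with
# `mail`, and the baseline lives under /var/lib/rkcheck.

SCANNER="${SCANNER:-chkrootkit -q}"                  # -q: print only findings
BASELINE="${BASELINE:-/var/lib/rkcheck/baseline.txt}"
MAILTO="${MAILTO:-root}"

# Constructed sample scanner output (not real chkrootkit output), used to
# exercise the comparison logic without running the scanner.
sample_report() {
    printf '%s\n' "Checking bindshell... not infected" \
                  "Checking lkm... not tested" ""
}

# Normalise a report read on stdin: drop blank lines, sort and deduplicate,
# so ordering differences between runs do not look like new findings.
normalize_report() {
    grep -v '^[[:space:]]*$' | sort -u
}

# Print the findings present in $2 (new report) but absent from $1 (baseline).
# Both files must already be normalised. Exit 0 when nothing is new, 1 otherwise.
report_delta() {
    delta=$(comm -13 "$1" "$2")
    [ -z "$delta" ] && return 0
    printf '%s\n' "$delta"
    return 1
}

# Run the scanner, compare against the baseline and mail any new findings.
# The baseline is created on the first run and otherwise only changed by hand,
# after someone has looked at the new lines and decided they are benign.
check_and_notify() {
    tmp=$(mktemp) || return 2
    trap 'rm -f "$tmp" "$tmp.delta"' EXIT
    $SCANNER 2>&1 | normalize_report > "$tmp"
    if [ ! -f "$BASELINE" ]; then
        mkdir -p "$(dirname "$BASELINE")"
        cp "$tmp" "$BASELINE"
        mail -s "rootkit check: baseline created on $(hostname)" "$MAILTO" < "$tmp"
        return 0
    fi
    if ! report_delta "$BASELINE" "$tmp" > "$tmp.delta"; then
        mail -s "rootkit check: NEW findings on $(hostname)" "$MAILTO" < "$tmp.delta"
        return 1
    fi
    return 0
}

# Only run the real scan when invoked for that purpose (e.g. from cron with
# RKCHECK_RUN=1), so sourcing the file for its functions has no side effects.
if [ "${RKCHECK_RUN:-0}" = 1 ]; then
    check_and_notify
fi
```

A crontab entry such as `0 4 * * * RKCHECK_RUN=1 /usr/local/sbin/rkcheck.sh` runs it nightly. The deliberate choice is that the baseline is never refreshed automatically: an alert that silences itself after one run is not a canary.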