
Re: ping22: can not kill this process



Hi Luis:
        thanks.
 

Did you check to see whether /usr/sbin/apache2 was modified? Or was it
only the running process that had somehow been stack-overflow'd?

        I checked the apache using debsums; it seems ok.

shopping:/usr/sbin# debsums apache2-mpm-prefork
/usr/sbin/apache2                                                             OK
/usr/share/doc/apache2-mpm-prefork/NEWS.Debian.gz                             OK
/usr/share/doc/apache2-mpm-prefork/copyright                                  OK
/usr/share/doc/apache2-mpm-prefork/changelog.gz                               OK
/usr/share/doc/apache2-mpm-prefork/changelog.Debian.gz                        OK


          How can I check a process being stack-overflowed or not?

 
IMHO, I'd declare this box as "compromised" and redo the whole thing.
Copy all data to a new box and install tripwire (or something of that
sort), plus follow the Debian security manual to the last bit, before
putting the box online again.

         Will do. I had tripwire turned on before; it seems quite slow, so I turned it off.
 

A few links:

http://www.debian.org/doc/manuals/securing-debian-howto
http://wiki.debian.org/SELinux/Setup
http://wiki.debian.org/Hardening

        great links.

I know that you already had SELinux enabled (after the fact?). So, you
might already have enough information to build a better box.

          Yah, it is an after-the-fact action. But I have those parameters for SELinux; some libs/apps need that, which may not be safe:

allow_execstack --> on
allow_execmem --> on
allow_execmod --> off
allow_execheap --> off

         If allow_execstack was off and the application was stack-overflowed, would the overflowed code be constrained by SELinux?


--
Best Regards

Mike
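As an added example (not from this thread), a small shell script for the two questions above: it flags a process whose [stack] mapping is writable and executable in /proc/PID/maps, and lists which of the exec-related SELinux booleans are on in getsebool -a output. The sample maps lines and boolean lines below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks:
#  1) exec_stack_maps: does the [stack] region of a process carry 'x'?
#     A normal process has "rw-p ... [stack]"; "rwxp" means something made
#     the stack executable (often the allow_execstack/execstack path).
#  2) risky_sebools: which exec-related SELinux booleans are "on"?
#     With allow_execstack off, SELinux denies the mprotect/mmap that
#     would make the stack executable; it does not stop the overflow
#     itself, only the step of running code placed on the stack.

# Returns 0 if the given /proc/PID/maps text has an executable [stack].
# /proc/PID/maps fields: address perms offset dev inode pathname
exec_stack_maps() {
    printf '%s\n' "$1" | awk '$2 ~ /^rwx/ && $6 == "[stack]" { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Prints the number of mappings that are both writable and executable.
count_wx_maps() {
    printf '%s\n' "$1" | awk '$2 ~ /^rwx/ { n++ } END { print n + 0 }'
}

# Given `getsebool -a` output, prints the allow_exec* booleans that are on.
risky_sebools() {
    printf '%s\n' "$1" | awk '$1 ~ /^allow_exec(stack|mem|mod|heap)$/ &&
                              $3 == "on" { print $1 }'
}

# Constructed sample: an apache2-like process whose stack became rwx.
SAMPLE_MAPS='00400000-0046e000 r-xp 00000000 08:01 131 /usr/sbin/apache2
0066d000-0066e000 rw-p 0006d000 08:01 131 /usr/sbin/apache2
7f3a00000000-7f3a00021000 rw-p 00000000 00:00 0
7ffd1e2c0000-7ffd1e2e1000 rwxp 00000000 00:00 0 [stack]'

# Constructed sample: a healthy process with a non-executable stack.
CLEAN_MAPS='00400000-0046e000 r-xp 00000000 08:01 131 /usr/sbin/apache2
7ffd1e2c0000-7ffd1e2e1000 rw-p 00000000 00:00 0 [stack]'

# Constructed sample: the booleans quoted in the mail plus an unrelated one.
SAMPLE_BOOLS='allow_execstack --> on
allow_execmem --> on
allow_execmod --> off
allow_execheap --> off
httpd_enable_cgi --> on'

# Demo on the samples; on a live host pass "$(cat /proc/PID/maps)" and
# "$(getsebool -a)" instead.
exec_stack_maps "$SAMPLE_MAPS" && echo "sample process: stack is executable"
echo "exec-related booleans that are on:"; risky_sebools "$SAMPLE_BOOLS"
```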