Re: [LUG] Linux Security and apache

Tom Brough wrote:
>
> Friday was a bad day for me. For the first time my confidence in Linux has
> been smashed. Not only was apache compromised (possibly because it was
> version 2.0.40, and couldn't be patched (easily) because of our wonderful
> proxy config that requires lan man hashes for authentication). However
> what really knocked me for six was the fact that once they had
> compromised apache, they installed a root kit somehow.

Do you know that Apache was compromised?

Or was a site on the server compromised?

These days a lot of PHP applications are being targeted (mostly due to
poor legacy practices in the PHP community - the last web designer we had
asking about PHP script support had clearly come from an environment
where "enable globals" is still the default <sigh>; people writing PHP
code really ought to know why it isn't the default any more (obvious as
it is)). Experience here is that it is far more likely to be the web
applications, rather than Apache itself, that were targeted. Purely because we see
regular attacks against many common web applications, but few targeting
Apache itself.

Bit concerned you're still using lan man hashes, isn't that from the days
of Windows 3.x?

A proxy server was accepting connections from the Internet?

> I was under the false impression that because of the way linux kernel
> was designed that only the user (in this case apache) running the
> application could be compromised and not the whole "system".

It does. The chances are they used a known "privilege escalation"
exploit to acquire root privileges. Experience is that most of these are
known to the good guys by the time they are used, and proactive patching
shuts those down most of the time.

However in all but the leanest, and tightest of systems, it is likely
given time someone with shell (or equivalent) access will find a way to
root. The only way to spot that is log files, file system monitoring,
and possibly intruder detection systems.

One of my old mates, a security guru, once said he'd never seen a Unix
box on which he couldn't find a way to escalate privileges from a shell
account to a root account, and he was a "good guy" (well if we ignore a
small run-in with Nottinghamshire Constabulary). He even admitted this
applied to all his own servers, although it was taking him longer and
longer to hack his own server each time, I don't think it ever took him
more than a weekend to go from nothing to root (it was a University, so
he could watch students typing their passwords in all weekend to get him
started).

> So my question is what makes Linux more secure than Windows?

"More" is the primary word here. Security is a process, and believe me
the guys at work are still finding bits and pieces of rootkits in their
Windows temporary folders and elsewhere with no clue what happened,
routinely. Okay most of these are probably failed attempts, but it ain't
pretty on the other side of the fence either.

Trust me if you were still running W2K, and IIS 5 unpatched with the
same applications, from the same period as this version of Apache
(August 2002), you'd probably have been compromised a long time ago.

I've only seen one of the Linux boxes I've ever worked with running any
unauthorised code, and the main part of that infection occurred before I
was the administrator for it.

When our box was compromised they were kind enough to leave the source
code of the utility they used to acquire root privilege, and yes it was
a known exploit, and long fixed by Redhat at the time the box was owned.

> been altered and "hidden" to stop me erasing / replacing them as root
> user.

Don't even bother. Just disconnect it from the network.

Ideally replace it with a clean and well patched server. Failing that
grab the log files, and anything left of the root kit for analysis, and
reformat and reinstall. But do try and figure out how they got in to
avoid simple repetition.

The rootkits are insidious, and you can never know precisely what was
altered. Removing malware, rather than reinstalling, is only done in
Windows environments because most Windows admins don't know better. These
days most people have finally learnt the lesson. It is tempting to think
it will save time, but generally it is better to have a well rehearsed
reinstall from backup.

As we say, security is a process. Redhat have been opening up more clear
blue water on the security front between themselves and Microsoft, with
SELinux being integrated into Fedora Core 4. But these benefits only
accrue to those who have kept the software up to date.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
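The reply above names "file system monitoring" as one of the few ways to spot a root that has been taken, and then says you can never know precisely what a rootkit altered. The following is an added example (not code from the original mail, the list, or any tool it mentions) of the simplest form of that monitoring: record a baseline of hash, mode and ownership for every regular file, store it away from the host, and diff a later scan against it. The function names (`build_baseline`, `compare`, `run_demo`) and the constructed fake file tree in `run_demo` are assumptions made for illustration.

```python
"""Minimal file-integrity baseline: record sha256 + mode/ownership for every
regular file under a root, store it as JSON, and diff a later scan against it.
Added example with hypothetical helper names; not from the original mail."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map relative path -> attributes for each regular file under root.
    Mode, uid and gid are recorded next to the hash: a setuid bit appearing
    on a binary is as telling as a changed hash."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks and directories are skipped in this toy version
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
        }
    return baseline


def save_baseline(baseline: dict, dest) -> None:
    # In real use this file must live off-box or on read-only media: an
    # intruder who can rewrite the baseline can hide anything from it.
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans. 'modified' maps path -> list of attributes that changed."""
    report = {"added": [], "removed": [], "modified": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            changed = sorted(k for k in baseline[name]
                             if baseline[name][k] != current[name][k])
            if changed:
                report["modified"][name] = changed
    return report


def run_demo() -> dict:
    """Constructed scenario: baseline a fake tree, then simulate the kind of
    changes a rootkit install leaves behind and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fake_root"
        files = {  # constructed placeholder contents, not real binaries
            "bin/ls": b"original ls",
            "bin/ps": b"original ps",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "var/log/messages": b"Jun  1 10:00:00 host sshd[123]: Accepted password\n",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            target.chmod(0o755 if rel.startswith("bin/") else 0o644)

        snapshot = root.parent / "baseline.json"  # outside the scanned tree
        save_baseline(build_baseline(root), snapshot)

        # Simulated tampering (constructed, not a real rootkit):
        (root / "bin/ps").write_bytes(b"trojaned ps")   # same size, new content
        (root / "bin/ls").chmod(0o4755)                  # setuid bit added
        (root / "lib").mkdir()
        (root / "lib/.x").write_bytes(b"dropped file")   # new hidden file
        (root / "var/log/messages").unlink()             # log wiped

        return compare(load_baseline(snapshot), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

Run as a script it prints the diff for the constructed tree: `bin/ps` shows up under `modified` on its hash alone (the replacement is the same size, so a size-only check would miss it), `bin/ls` on its mode, the dropped file under `added` and the wiped log under `removed`. The design point is the same one the reply makes: this only tells you something changed, not everything that did, and a rootkit sitting in the kernel can lie to the scanner about what it reads. Tools such as AIDE or Tripwire do this job properly, and the baseline has to be kept off the host. That is also why the reply's advice is still to disconnect, keep the logs and whatever is left of the kit for analysis, and reinstall rather than clean.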