Tom Brough wrote:
> Friday was a bad day for me. For the first time my confidence in Linux has
> been smashed. Not only was apache compromised (possibly because it was
> version 2.0.40, and couldn't be patched (easily) because of our wonderful
> proxy config that requires lan man hashes for authentication). However
> what really knocked me for six was the fact that once they had
> compromised apache, they installed a root kit somehow.

Do you know that Apache was compromised? Or was a site on the server compromised? These days a lot of PHP applications are being targeted (mostly due to poor legacy practices in the PHP community: the last web designer we had asking about PHP script support had clearly come from an environment where "enable globals" is still the default <sigh>; people writing PHP code really ought to know why it isn't the default any more, obvious as it is). Experience here is that it is far more likely that the web applications, rather than Apache itself, were targeted, purely because we see regular attacks against many common web applications but few targeting Apache itself.

Bit concerned you're still using lan man hashes, isn't that from the days of Windows 3.x? A proxy server was accepting connections from the Internet?

> I was under the false impression that because of the way linux kernel
> was designed that only the user (in this case apache) running the
> application could be compromised and not the whole "system".

It does. The chances are they used a known "privilege escalation" exploit to acquire root privileges. Experience is that most of these are known to the good guys by the time they are used, and proactive patching shuts those down most of the time. However, in all but the leanest and tightest of systems, it is likely that, given time, someone with shell (or equivalent) access will find a way to root. The only way to spot that is log files, file system monitoring, and possibly intrusion detection systems.
One of my old mates, a security guru, once said he'd never seen a Unix box on which he couldn't find a way to escalate privileges from a shell account to a root account, and he was a "good guy" (well, if we ignore a small run-in with Nottinghamshire Constabulary). He even admitted this applied to all his own servers, although it was taking him longer and longer to hack his own server each time; I don't think it ever took him more than a weekend to go from nothing to root (it was a University, so he could watch students typing their passwords in all weekend to get him started).

> So my question is what makes Linux more secure than Windows ?

"More" is the primary word here. Security is a process, and believe me the guys at work are still routinely finding bits and pieces of rootkits in their Windows temporary folders and elsewhere with no clue what happened. Okay, most of these are probably failed attempts, but it ain't pretty on the other side of the fence either. Trust me, if you were still running W2K and IIS 5 unpatched with the same applications, from the same period as this version of Apache (August 2002), you'd probably have been compromised a long time ago.

I've only seen one of the Linux boxes I've ever worked with running any unauthorised code, and the main part of that infection occurred before I was the administrator for it. When our box was compromised they were kind enough to leave the source code of the utility they used to acquire root privilege, and yes, it was a known exploit, long fixed by Redhat at the time the box was owned.

> been altered and "hidden" to stop me erasing / replacing them as root user.

Don't even bother. Just disconnect it from the network. Ideally replace it with a clean and well patched server. Failing that, grab the log files and anything left of the root kit for analysis, and reformat and reinstall. But do try and figure out how they got in, to avoid simple repetition.
The rootkits are insidious, and you can never know precisely what was altered. Removing malware, rather than reinstalling, is only done in Windows environments because most Windows admins don't know better. These days most people have finally learnt the lesson. It is tempting to think it will save time, but generally it is better to have a well rehearsed reinstall from backup. As we say, security is a process.

Redhat have been opening up more clear blue water on the security front between themselves and Microsoft, with SELinux being integrated into Fedora Core 4. But these benefits only accrue to those who have kept the software up to date.

-- 
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body
to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
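The reply above says the only way to spot a post-exploitation rootkit is log files and file system monitoring, and that you can never know precisely what was altered. As an added illustration (not code from the original thread or from anyone in it), here is the minimal shape of such monitoring: a baseline manifest of SHA-256 digest, mode and ownership for every file under a tree, compared against a later scan so that trojaned binaries, new hidden files, permission changes and deleted logs all surface. The directory tree, the "trojaned" ps, the hidden setuid shell and the removed log are all constructed inside the example; the paths are hypothetical.

```python
"""File-integrity baseline and diff (added example, not from the original post).

Records sha256/mode/uid/gid/size per file, stores the baseline as JSON, and
reports added, removed and changed paths with the fields that differ.
The sample tree below is constructed for the demo; nothing here is taken
from a real host.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Digest plus the metadata a rootkit typically disturbs (mode, owner)."""
    st = path.lstat()  # lstat: never follow a symlink an intruder may have planted
    entry = {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_manifest(root: Path) -> dict:
    """Map of path (relative to root) -> fingerprint for every non-directory entry."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:  # os.walk puts symlinks and regular files here
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = fingerprint(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; 'changed' lists which fields differ per path."""
    changed = {}
    for path in baseline.keys() & current.keys():
        fields = baseline[path].keys() | current[path].keys()
        diffs = sorted(f for f in fields if baseline[path].get(f) != current[path].get(f))
        if diffs:
            changed[path] = diffs
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": dict(sorted(changed.items())),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b'#!/bin/sh\nexec /usr/bin/ls "$@"\n')
        (root / "bin" / "ps").write_bytes(b'#!/bin/sh\nexec /usr/bin/ps "$@"\n')
        (root / "bin" / "ls").chmod(0o755)
        (root / "bin" / "ps").chmod(0o755)
        (root / "var" / "log" / "secure").write_bytes(b"constructed sample log line\n")

        # In practice the baseline lives off-box (signed, read-only media);
        # here it round-trips through JSON to show it serialises cleanly.
        stored = json.dumps(build_manifest(root))

        # Constructed "rootkit" activity:
        #  - ps replaced by a same-size trojan (size alone would not catch it)
        #  - a hidden setuid shell dropped next to the real binaries
        #  - ls left byte-identical but made setuid
        #  - the auth log deleted to cover tracks
        (root / "bin" / "ps").write_bytes(b'#!/bin/sh\nexec /tmp/.pp/ps "$@"\n')
        (root / "bin" / ".x").write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        (root / "bin" / ".x").chmod(0o4755)
        (root / "bin" / "ls").chmod(0o4755)
        (root / "var" / "log" / "secure").unlink()

        return compare(json.loads(stored), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats match the thread's advice. First, a kernel-level rootkit lies to readdir and stat, so a scan like this is only trustworthy when run from rescue media, or at least with a known-good statically linked interpreter and binaries, against a baseline kept off the box. Second, the report tells you what changed, not that nothing else did: it is evidence for working out how they got in, not a substitute for the reformat and reinstall the reply recommends.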