Current time: 11-22-2024, 11:44 PM Hello There, Guest! (LoginRegister)


Post Reply 
[SOLVED] Security Concerns
Author Message
nuke3d Offline
Junior Member
*

Posts: 107
Joined: Sep 2007
Reputation: 1
Post: #1
[SOLVED] Security Concerns
A while ago I've found a folder called ".X08-unix" in my /tmp dir, it contained a variety of exploit and flooding scripts, as well as the source code of an IRC bot. There was also an executable called "sh" that was running and all it did was to try to connect to "some_ip":6667 all the time.

So someone managed to upload all these files into my /tmp dir, and then run an executable. All that was apparently done with the user "vu2000".
Using the process running time (etime) I got an aproximate date of when the intrusion took place, so I ran trough all the logfiles in /var/log looking for hints on how this could have happened, but there was nothing suspicious besides the occasional and normal bruteforce attempts scanning for phpmyadmin and similar stuff.

vu2000 only runs ispCP and RoundCubewWebmail, so the security flaw has to be in one of these two scripts.

I'm using ispCP RC6 on a fully updated debian etch. The only modification I've done (as far as I remember) was to add /tmp to the open_basedir in the php.ini (this probably enabled the attacker to write to /tmp, but removing that wouldn't solve the problem, as there is still the phptmp dir).

Does anyone have another idea on how I could find ou how it happened?
(This post was last modified: 02-04-2009 10:21 PM by BeNe.)
02-03-2009 12:46 AM
Find all posts by this user Quote this message in a reply
pgentoo Offline
Member
*****
Dev Team

Posts: 326
Joined: Mar 2007
Reputation: 0
Post: #2
RE: Security Concerns
Roundcube has recently had some exploits which were used to do such things. THis happened on one of my customers VM's. We did the following, and haven't had problems since.

You can harden php settings a bit to limit this, there is plenty of info online about this. Usually involves disabing a few mothods, etc.

Also remove links,lynx,wget,curl access from normal users (chown root:root, chmod 700), to make it harder for them to get the binary to your server.

Further more, you can mount your /tmp with "noexec,nosuid". This will block any stuff that is uploaded to /tmp from being executed by the script. This is good to have regardless.

Protecting against stuff like this is an ongoing process, and needs constant attention. Setting up active monitoring of your systems (notification when things are "strange"), will let you respond to and fix these types of issues.

Also look into installing mod_security, and setting up a basic set of rules to protect against common exploit types. Note that using ALL the rules, will break lots of sites, so pick and choose what you use...

I hope that helps,

-
pGentoo
02-04-2009 08:36 AM
Find all posts by this user Quote this message in a reply
nuke3d Offline
Junior Member
*

Posts: 107
Joined: Sep 2007
Reputation: 1
Post: #3
RE: Security Concerns
Thanks a lot for your suggestions, pgentoo! I have already disabled some stuff since the attack, and I think it should not be possible to repeat it...
I'll update roundcube then, and disabling some executables seems to be a good idea as well...
02-04-2009 07:50 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)