Re: Linux hardening

From: Sagiko (sagiko_at_gmail.com)
Date: 08/23/05

  • Next message: paavan shah: "linux password cracking tools"
    Date: Tue, 23 Aug 2005 09:47:58 +0800
    To: AragonX <aragonx@dcsnow.com>
    
    

    hi,
    We had some similar cases before which the hackers installed irc bot
    to /tmp. Besides /tmp, "/var/tmp" and any other globally writable
    directory are possible target for the intruders to download their
    gadget.

    I believe the root for the intrusion is very likely the web
    applications running on your server, especially those cgi scripts, be
    it php or perl. Also check the user rights of your web directories.
    Besides disable wget and curl, you should also disable local compilers
    (c and c++ at least) or limit it to root user only. Check your apache
    http access and error logs, you will find a lot of clues and even the
    specific vulnerable scripts.

    regards,
    Rick

    On 8/23/05, AragonX <aragonx@dcsnow.com> wrote:
    > <quote who="Sean Finkel">
    > > I would recommend also securing /tmp (and /var/tmp). Mounting it noexec
    > > and nosuid is a good step to take. As well, I modified my local wget and
    > > curl programs to *not* download to /tmp or /var/tmp, as no legitimate
    > > use for the program (on my servers) will be downloading files to these
    > > locations. As well, these two programs are commonly used in web script
    > > attacks to retrieve a remote file and execute it.
    >
    > Thank you for the reply. I believe this is exactly what happened to me.
    > I found some binaries in the /tmp directory.
    >
    > > As well, install and run regularly (via cron) chkrootkit and rootkit
    > > hunter. You should not rely solely on these programs, but they provide a
    > > nice check that can assist you in finding some of the more common and
    > > known intrusions/rootkits.
    >
    > I have chkrootkit but did not know about rootkit hunter. Thank you again.
    > I also have AIDE and Snort setup on this machine.
    >
    >
    >


  • Next message: paavan shah: "linux password cracking tools"

    Relevant Pages

    • SUMMARY and apology Re: Some bash/tty questions
      ... Some people tend to create complex login scripts ... If you don't allow direct login to root, but rather su to root, then so ... Hi, not to bash down on bash, but perhaps you should try zsh, it has the shared history thing built in. ...
      (SunManagers)
    • =?ISO-8859-1?Q?Re=3A_AS_geb=FAr=3B_bauer=3B_neighbour?=
      ... the root is restricted to Gmc. ... n., etc., find a common meaning "room, single building", and tell ... many other feminine plurals of neuters.) ... Because disturbing details have to be explained. ...
      (sci.lang)
    • =?ISO-8859-1?Q?Re=3A_AS_geb=FAr=3B_bauer=3B_neighbour?=
      ... the root is restricted to Gmc. ... n., etc., find a common meaning "room, single building", and tell ... many other feminine plurals of neuters.) ... Because disturbing details have to be explained. ...
      (sci.lang)
    • Re: AS =?UTF-8?B?Z2Viw7pyOyBiYXVlcjsgbmVpZ2hib3Vy?=
      ... seljak have in common? ... village', which is cognate with OIc 'room, hall'. ... but does reduce the possiblity of the existence of any previous root having been common to all three on independent tracks. ... can I presume a meaning of 'high town' in Old Swedish? ...
      (sci.lang)
    • RE: suEXEC
      ... Change your web scripts to create a file of usernames to create, for example, /var/tmp/users. ... The file should be owned by root, group apache, with permissions 660. ... first virtual hosting is showing username cgiuser but second virtual ...
      (RedHat)