Re: LKM Trojan: How could it have been installed?

From: David (thunderbolt01_at_netscape.net)
Date: 05/21/03


Date: Wed, 21 May 2003 00:13:55 GMT

Jeffrey Silverman wrote:
> On Tue, 20 May 2003 12:15:08 -0500, Chris Cox wrote:
>
>
>>Jeffrey Silverman wrote:
>>...
>>
>>>(This is a webserver (duh, if you know typical port configuration)
>>>and I leave ssh (22) open for remote administration.)
>>
>>Make sure you run the latest ssh version and I'd disable remote
>>root into ssh.
>
>
> Currently SSH2 protocol. OpenSSH V3.1p1
>
> (Turns out that that is a vulnerable version. crap!)
>
> <snip!>
>
>>>How can I make ports 80 and 443 more secure?
>>>Is it likely or possible that the intruder came in through ports 80 or
>>>443?
>>
>>Yes. Also possible via port 22 depending on version of ssh and type
>>of authentication allowed. Use keys with passphrases, restricted
>>Allows, disable root and only run protocol 2... upgrade to latest
>>ssh.
>>
>>What version of apache (I assume)? Need the latest there as well.
>>Possible to gain access through a misconfigured/backleveled cgi or
>>server side lang (e.g. php). More detail needed to assess the avenue
>>of easiest access.
>>
>>Elimination of real-time dynamic content goes a long way to making
>>things more secure (since that's where many problems occur even on
>>"updated" rev levels of apache/etc.).
>>
>
> Versions:
> Apache 1.3.20
> PHP 4.2.3
> OpenSSL/mod_ssl 0.9.6b (I think)
> MySQL 3.23.?

Apache is up to 1.3.27 now or 2.0.45 depending which version you
choose.
PHP is up to 4.3.2-rc2
Openssl is up to 9.7b
Openssh is up to 3.6.1p1
MySQL is up to 3.23.56 or 4.0.13 depending which version you choose.

-- 
Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
Slackware 9.0 Kernel 2.4.20 i686 (GCC) 3.3
Uptime: 1 day, 15:47, 1 user, load average: 1.01, 1.25, 1.33
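The sshd hardening advice quoted above (protocol 2 only, no remote root login, keys with passphrases instead of passwords, restricted Allows) can be checked mechanically. The script below is an added example and is not code from any poster in this thread; the two sshd_config samples are constructed, and /etc/ssh/sshd_config is only the assumed location of the real file on a host you would run it against.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config for the
# four points raised above: protocol 2 only, no remote root login, key-based
# authentication instead of passwords, and an explicit AllowUsers list.
# Both configs below are constructed samples; /etc/ssh/sshd_config is the
# assumed location of the real file if you run the audit on a host.

# Constructed sample of a permissive 2003-era configuration.
WEAK_CONFIG='# default-ish OpenSSH 3.1 settings
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
'

# Constructed sample applying the recommendations from the thread.
HARDENED_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin webmaster
'

# get_directive CONFIG_TEXT KEYWORD
# Prints the value of the first matching directive (sshd honours the first
# occurrence of a keyword), matching case-insensitively and skipping comments.
# Prints nothing if the directive is absent.
get_directive() {
    printf '%s\n' "$1" | awk -v k="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value(s)
            print
            exit
        }'
}

# audit_sshd_config CONFIG_TEXT
# Writes one FINDING line per weak setting to stderr and the number of
# findings to stdout, so callers can both read and count the results.
audit_sshd_config() {
    cfg=$1
    findings=0

    proto=$(get_directive "$cfg" Protocol)
    # Legacy directive: OpenSSH of this era defaulted to "2,1", which still
    # accepts SSH1 connections. Modern releases have dropped SSH1 entirely.
    if [ "$proto" != "2" ]; then
        echo "FINDING: Protocol is '${proto:-unset (default 2,1)}'; set 'Protocol 2'" >&2
        findings=$((findings + 1))
    fi

    root=$(get_directive "$cfg" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset (default yes)}'; set 'PermitRootLogin no'" >&2
        findings=$((findings + 1))
    fi

    pw=$(get_directive "$cfg" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pw:-unset (default yes)}'; use keys with passphrases and set it to no" >&2
        findings=$((findings + 1))
    fi

    allow=$(get_directive "$cfg" AllowUsers)
    if [ -z "$allow" ]; then
        echo "FINDING: no AllowUsers line; restrict logins to named accounts" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Stand-alone run: audit both constructed samples.
echo "weak config: $(audit_sshd_config "$WEAK_CONFIG") finding(s)"
echo "hardened config: $(audit_sshd_config "$HARDENED_CONFIG") finding(s)"
```

To run it against a live host, pass the file contents in, e.g. `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; a non-zero count is the list of settings to fix before the box goes back on the network, and the PasswordAuthentication check only makes sense once the administrators' public keys are already in place.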

