Re: LKM Trojan: How could it have been installed?

From: David (thunderbolt01_at_netscape.net)
Date: 05/21/03


Date: Wed, 21 May 2003 00:13:55 GMT

Jeffrey Silverman wrote:
> On Tue, 20 May 2003 12:15:08 -0500, Chris Cox wrote:
>
>
>>Jeffrey Silverman wrote:
>>...
>>
>>>(This is a webserver (duh, if you know port typical port configuration)
>>>and I leave ssh (22) open for remote administration.)
>>
>>Make sure you run the latest ssh version and I'd disable remote
>>root into ssh.
>
>
> Currently SSH2 protocol. OpenSSH V3.1p1
>
> (Turns out that that is a vulnerable version. crap!)
>
> <snip!>
>
>>>How can I make ports 80 and 443 more secure?
>>>Is it likely or possible that the intruder came in through ports 80 or
>>>443?
>>
>>Yes. Also possible via port 22 depending on version of ssh and type
>>of authentication allowed. Use keys with passphrases, restricted
>>Allows, disable root and only run protocol 2... upgrade to latest
>>ssh.
>>
>>What version of apache (I assume)? Need the latest there as well.
>>Possible to gain access through a misconfigured/backleveled cgi or
>>server side lang (e.g. php). More detail needed to assess the avenue
>>of easiest access.
>>
>>Elimination of real-time dynamic content goes a long way to making
>>things more secure (since that's where many problems occur even on
>>"updated" rev levels of apache/etc.).
>>
>
> Versions:
> Apache 1.3.20
> PHP 4.2.3
> OpenSSL/mod_ssl 0.9.6b (I think)
> MySQL 3.23.?

Apache is up to 1.3.27 now or 2.0.45 depending which version you
choose.
PHP is up to 4.3.2-rc2
Openssl is up to 9.7b
Openssh is up to 3.6.1p1
MySQL is up to 3.23.56 or 4.0.13 depending which version you choose.

-- 
Confucius:  He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
Slackware 9.0 Kernel 2.4.20 i686 (GCC) 3.3
Uptime: 1 day, 15:47, 1 user, load average: 1.01, 1.25, 1.33
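As an added example that is not part of this thread, here is a small POSIX shell audit of an sshd_config against the advice Chris Cox gives above (protocol 2 only, no remote root, keys instead of passwords, restricted AllowUsers). The two sample configs are constructed for the demonstration, and the "unset" defaults assumed are those of OpenSSH 3.x.

```shell
# Added example, not code from the thread. Audits an sshd_config file
# against the hardening advice quoted above; sample configs are constructed.

# Effective value of a directive. sshd honours the FIRST uncommented match,
# so the reader stops there; keyword match is case-insensitive.
ssh_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Prints one line per deviation. Unset directives are judged by the
# OpenSSH 3.x defaults: Protocol 2,1; PermitRootLogin yes;
# PasswordAuthentication yes; no AllowUsers restriction.
audit_sshd_config() {
    cfg="$1"
    proto=$(ssh_directive "$cfg" Protocol)
    [ "$proto" = "2" ] || echo "Protocol '${proto:-unset}': set 'Protocol 2' (SSH1 still offered)"
    root=$(ssh_directive "$cfg" PermitRootLogin)
    [ "$root" = "no" ] || echo "PermitRootLogin '${root:-unset}': set 'PermitRootLogin no'"
    pw=$(ssh_directive "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] || echo "PasswordAuthentication '${pw:-unset}': use keys with passphrases, set it to 'no'"
    users=$(ssh_directive "$cfg" AllowUsers)
    [ -n "$users" ] || echo "AllowUsers unset: restrict logins to named accounts"
}

# Number of findings; 0 means the file follows the advice.
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }

DEMO_DIR=$(mktemp -d)
WEAK_CFG="$DEMO_DIR/sshd_config.weak"
HARD_CFG="$DEMO_DIR/sshd_config.hardened"

# Constructed: a permissive 2003-era config of the kind the thread warns about.
cat > "$WEAK_CFG" <<'EOF'
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed: the same server after applying the advice.
cat > "$HARD_CFG" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin webmaster
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_sshd_config "$f"
done
```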