Re: sendmail compromised - Somebody help me!
From: Rick Moen (rick_at_linuxmafia.com)
Date: 05/01/05
- Next message: Baho Utot: "IPTABLES"
- Previous message: Moe Trin: "Re: How do you use md5sum?"
- Next in thread: Barton L. Phillips: "Re: sendmail compromised - Somebody help me!"
- Reply: Barton L. Phillips: "Re: sendmail compromised - Somebody help me!"
- Maybe reply: Ohmster: "Re: sendmail compromised - Somebody help me!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 01 May 2005 03:55:46 -0400
Ohmster <notareal@emailaddress.com> wrote:
> Yes, I just found out that I had backdoors on the system. phpbb 2.0.6 no
> doubt was the culprit.
You also mentioned running awstats as a CGI, which I myself was doing
until February 2005, when my recklessness caught up with me -- and I'm a
pro at this stuff, Ohmster. AIDE and Tripwire told me the box had been
rooted; I got confirmation by noticing that my Web site's front page had
been "defaced" (replaced with some illiterate brag *** from the kiddie
who'd run an automated exploit via the CGI's input stream).
I pulled the plug, rebooted from an LNX-BBC disk, updated my backups of
the data files and installed-packages list, made a copy of my /etc tree
for reference (but not re-use), blew away (reformatted) the entire
system, reinstalled from trusted, known-good media, copied back the data
files, disabled users' dotfiles (as they were suspect), disabled
password authentication for remote users entirely (switching over to
allowing SSH public key auth only), worked for many hours recreating
desired system configuration -- not trusting the prior configuration
files or executables in so doing -- studied system security to try to
make sure I hadn't recreated any of the same hazards as before, _only then_
put the machine back on the network, and contacted my users via other
means ("out of band") to let them know what happened. Total elapsed
time: 22 hours.
I also discovered, to my shock, that the default PHP configuration was
grossly security-reckless, and started the job of tightening down
php.ini. See system bulletin: http://linuxmafia.com/news.html .
Your CGIs are a potential problem: Running awstats as a CGI is the path
of least resistance, but you really should run it instead, if at all, as
a cronjob generating a static HTML page _not_ subject to the same sorts
of input attacks. Your PHP configuration, if typical, is a veritable
Typhoid Mary of risk -- as, judging by its sorry security history, is
phpbb. And of course an unmaintained, end-of-lifed distribution such as
RH9 in 2005 is a ghastly, unbelievable risk.
Welcome to the ranks of the slightly scarred but wiser. ;-> You may
find a few of my security articles of interest. They're linked from my
home page, http://linuxmafia.com/~rick/
(And I'm sorry to hear about the pain being visited on you -- though I
insist I have an alibi. ;-> )
Good fortune and good hunting!
-- May those that love us love us; and those that don't love us, may God turn their hearts; and if he doesn't turn their hearts, may he turn their ankles so we'll know them by their limping.
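Two of the recovery steps above are configuration changes: switching remote logins to SSH public-key authentication only, and tightening php.ini. The script below is an added example, written for this archive page and not code from Rick Moen or linuxmafia.com. It parses constructed sshd_config and php.ini text (embedded inline, not the poster's real files) and reports any directive that differs from an assumed hardened target. The sshd keywords and php.ini directives it checks are real ones, but the choice of which to check, and the target values, are this example's assumptions; the post does not say which settings were changed.

```python
"""Audit sshd_config and php.ini text for the permissive settings the post
warns about.  Added example; the target values are assumptions, not the
poster's actual configuration."""
import re

# sshd honours the FIRST occurrence of each keyword; keywords are case-insensitive.
def parse_sshd_config(text):
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.+)$", line)   # "Key value" or "Key=value"
        if not m:
            continue
        settings.setdefault(m.group(1).lower(), m.group(2).strip())  # first wins
    return settings

# Assumed target: key-only remote auth, no root or empty-password logins.
SSHD_EXPECTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}

def audit_sshd_config(text):
    """Return a list of findings; an empty list means every checked key matches."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_EXPECTED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set, compiled-in default applies; set it to '{want}' explicitly")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    return findings

# php.ini: "directive = value", ';' starts a comment, later lines override earlier ones.
def parse_php_ini(text):
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def php_bool(value):
    return value.lower() in ("on", "1", "true", "yes")

# Assumed target: the directives below should all be Off.
PHP_EXPECTED = {
    "register_globals": False,   # request parameters would become PHP variables
    "allow_url_fopen": False,    # include()/require() could open remote URLs
    "display_errors": False,     # error text leaks paths and query fragments to visitors
    "expose_php": False,         # advertises the PHP version in response headers
}

def audit_php_ini(text):
    s = parse_php_ini(text)
    findings = []
    for key, want in PHP_EXPECTED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key}: not set, built-in default applies; set it to '{'On' if want else 'Off'}'")
        elif php_bool(got) != want:
            findings.append(f"{key}: is '{got}', want '{'On' if want else 'Off'}'")
    return findings

# Constructed samples: a permissive file beside its tightened counterpart.
WEAK_SSHD = "Port 22\nPasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED_SSHD = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
                 "ChallengeResponseAuthentication no\nPermitRootLogin no\n"
                 "PermitEmptyPasswords no\n")
WEAK_PHP_INI = "[PHP]\nregister_globals = On\nallow_url_fopen = On\ndisplay_errors = On\nexpose_php = On\n"
HARDENED_PHP_INI = "[PHP]\nregister_globals = Off\nallow_url_fopen = Off\ndisplay_errors = Off\nexpose_php = Off\n"

if __name__ == "__main__":
    for label, text, fn in (("weak sshd", WEAK_SSHD, audit_sshd_config),
                            ("hardened sshd", HARDENED_SSHD, audit_sshd_config),
                            ("weak php.ini", WEAK_PHP_INI, audit_php_ini),
                            ("hardened php.ini", HARDENED_PHP_INI, audit_php_ini)):
        print(f"== {label} ==")
        for f in fn(text) or ["ok"]:
            print("  " + f)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; on the constructed weak sshd_config it reports five findings (two wrong values and three keywords left at their defaults), and on the weak php.ini four.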