[LinuxUsers] Could use some help please,

Brian Friday brian.friday at gmail.com
Wed Aug 20 14:01:30 UTC 2008


Actually, while I would check the logs in the course of the investigation, the fact of the matter is that editing log files is pretty trivial for package exploits.

Couple thoughts on my side:
	- on the packages themselves do ls -asl (and/or other variations); that may give you some data
	- since you're using an old release (there is probably a good reason for it), be sure to check:
		- vulnerabilities for all software running on 127.0.0.1 as well as the normal network side
		- that the software running, even if it is only listening on localhost, should be running / is needed
		- be sure additional modules for apache that are not needed are not running, i.e.:
			- proxy, dav etc.
		- check the rev on php as well as whether php allows remote file upload capabilities

Preventative measures
	- always make use of sshd_config's ability to set an allow user line and never allow remote root
	- lock down the box daemons with tcpwrappers, iptables etc. If it's a web server you shouldn't see ftp traffic from/to it, or irc etc.
	- grab something that can independently verify the binaries on your box

- Brian
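As an added illustration of the checklist above (example code written for this page, not from Brian or anyone else on the list): a small POSIX sh triage helper. It parses `ss -ltnp`-style output to separate localhost-only listeners from exposed ones and flag any process not on an allow-list for the host's role, audits sshd_config text for PermitRootLogin and an AllowUsers line, and does a baseline-and-compare of file checksums. Every input is a constructed sample embedded in the script so it runs offline; the function names (`listeners`, `unexpected_listeners`, `sshd_findings`, `make_manifest`, `changed_files`) are my own. On a live box you would feed it real `ss -ltnp` output and `/etc/ssh/sshd_config`, and you would replace `cksum` with a proper tool (rpm -V, debsums, AIDE) run from media you trust, since a rootkit can trojan `find`, `awk` and `cksum` on the box itself.

```sh
#!/bin/sh
# Added example, not from the thread. Offline triage helper for the checks
# discussed above. All inputs below are CONSTRUCTED samples.

# Constructed `ss -ltnp` output: two localhost-only listeners, the web
# server on all interfaces, and an ftp daemon that has no business on a
# web server.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*     users:(("mysqld",pid=812,fd=10))
LISTEN 0      128    127.0.0.1:8005     0.0.0.0:*     users:(("java",pid=1203,fd=44))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*     users:(("apache2",pid=640,fd=4))
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=990,fd=3))'

# Constructed sshd_config: remote root allowed, no AllowUsers line.
SAMPLE_SSHD='Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes'

# Print "SCOPE PORT PROCESS" for every listener. LOCAL means bound to the
# loopback address only; those still need review (the point made above),
# they are just not reachable from the network side.
listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        addr = $4; port = $4
        sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
        match($6, /"[^"]+"/); proc = substr($6, RSTART + 1, RLENGTH - 2)
        scope = (addr == "127.0.0.1" || addr == "[::1]") ? "LOCAL" : "EXPOSED"
        print scope, port, proc
    }'
}

# Print "PORT PROCESS" for listeners whose process is not in the
# space-separated allow-list $2 describing what this host's role needs.
unexpected_listeners() {
    listeners "$1" | awk -v ok="$2" '
        BEGIN { n = split(ok, w, " "); for (i = 1; i <= n; i++) allow[w[i]] = 1 }
        !($3 in allow) { print $2, $3 }'
}

# One finding per line for sshd_config text. sshd uses the FIRST value it
# sees for a keyword, so the first uncommented PermitRootLogin is the one
# that counts; later duplicates are ignored here for the same reason.
sshd_findings() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "permitrootlogin" && !seen_prl {
            seen_prl = 1
            if (tolower($2) != "no") print "PermitRootLogin is " $2 " (should be no)"
        }
        tolower($1) == "allowusers" { seen_au = 1 }
        END {
            if (!seen_prl) print "PermitRootLogin not set explicitly (default is not no)"
            if (!seen_au) print "no AllowUsers line"
        }'
}

# Baseline-and-compare for binaries: record a manifest once from a known-good
# state, diff against it later. cksum is used only because it is POSIX; it is
# a CRC, not a cryptographic hash, so use sha256sum or a package verifier in
# practice, and run them from trusted media, not from the suspect box.
make_manifest() { ( cd "$1" && find . -type f | sort | xargs cksum ); }
changed_files() {
    ( cd "$1" && find . -type f | sort | xargs cksum ) | diff "$2" - | awk '/^>/ { print $4 }'
}

echo "== listeners (review the LOCAL ones too) =="
listeners "$SAMPLE_SS"
echo "== unexpected on a web server that should run apache2/java/mysqld =="
unexpected_listeners "$SAMPLE_SS" "apache2 java mysqld"
echo "== sshd_config findings =="
sshd_findings "$SAMPLE_SSHD"
```

The allow-list is deliberately per role: the same `vsftpd` that is unexpected on a web server is expected on a file server, which is why the script takes the list as an argument instead of hard-coding "bad" services.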

On Aug 20, 2008, at 6:44 AM, Chris Thomas wrote:

> I agree with Chris about checking the log files. When you first  
> found the program, you didn't know when it got installed on your  
> box. Was it installed a week, month, year ago? So, searching the  
> logs would probably be useless for that attack. Since you deleted  
> the app and it came back, you have an approx. time, so you only have  
> a little bit of logs to look through.
>
> Chris
>
>
> ----- Original Message ----
> From: Chris Penn <cantormath at gmail.com>
> To: roger.rustad at gmail.com; SoCal LUG Users List <linuxusers at socallinux.org>
> Sent: Wednesday, August 20, 2008 3:41:55 AM
> Subject: Re: [LinuxUsers] Could use some help please,
>
> <snip>
>
> You definitely want to check security settings and logs. chkrootkit
> and lynis are pretty neat.  What version of Tomcat?
>
> Chris...
>
> On Wed, Aug 20, 2008 at 1:25 AM, Roger E. Rustad, Jr
> <roger.rustad at gmail.com> wrote:
>> Ann Richmond wrote:
>>> Hi, it's Ann Richmond.
>>> A few weeks ago we found some applications had been installed under
>>> tomcat on a few servers.  The war file was there as well as the expanded
>>> apps.
>>
>> I'll bet you've got pwned.
>>
>> Perhaps someone else has answered this, but I would recommend googling
>> some of the security websites and seeing if there is anything (default
>> security settings, easy passwords, etc) that kiddie scripters are taking
>> advantage of.
>>
>> Also, have you checked out chkrootkit?
>>
>> http://www.chkrootkit.org/
>>
>> What user is Tomcat running under?  Maybe someone got root access quite
>> easily that way...
>> _______________________________________________
>> LinuxUsers mailing list
>> LinuxUsers at socallinux.org
>> http://socallinux.org/cgi-bin/mailman/listinfo/linuxusers
>>
>
>
>
> -- 
> "As we open our newspapers or watch our television screens, we seem to
> be continually assaulted by the fruits of Mankind's stupidity."
> -Roger Penrose