[Bradford] chkrootkit and nasties found

Alice Kærast kaerast at computergentle.com
Thu Oct 6 06:42:02 UTC 2011


It's more likely to be PHP or cgi scripts than Apache itself that have
vulnerabilities. Best practice is to limit what the user running Apache can
do to try and limit your risks. However, if you're running a control panel
then it's going to need access to a lot of things; if you can create new
users from your web control panel then so can anybody who finds a
vulnerability in any php/cgi scripts.

There are things like mod_security for Apache which can help, but it needs
lots of tuning and rule writing. Maybe you can also limit access to the
control panel by IP address and ssh/vpn in if you need remote access.

And it goes without saying that everything should be kept up to date. I've
seen a number of instances recently where vulnerabilities in WordPress
plugins or other PHP software have led to either malware being hosted or PHP
shells being run.

Alice


Sent from my Windows Mobile® phone.

------------------------------
From: Dick Thomas <xpd259 at gmail.com>
Sent: 05 October 2011 23:09
To: Alice Kærast <kaerast at computergentle.com>
Cc: Bradlug Mailing list <bradford at mailman.lug.org.uk>
Subject: Re: [Bradford] chkrootkit and nasties found

I was just reading up on Tripwire as I got your email; looks good. Will
google hardening system.
I've already installed denyhosts and various other things (not that ssh is
public yet).
My main concern is Apache2, as I don't have much experience with securing
that; it's normally already been done by my webhost.
But I'm hosting an ownCloud instance on my server linked to my NAS so I can
access pretty much everything everywhere.


Dick



On 5 October 2011 23:02, Alice Kærast <kaerast at computergentle.com> wrote:

>
> Dotfiles like those are to be found all over a modern Linux distro. The key
> is comparing the results to a known clean install. That's not to say they're
> all ok just because they're known about, you then have to check what's
> inside them is legit.
>
> A better option is running something like Tripwire which will detect
> changes to key files based on hash sums and modified times. But you need to
> know your system is clean to begin with.
>
> Run your rootkit finder from a live CD, sort out any results (most will be
> false positives), go through the hardening procedures for your distro
> (Debian has a nice package which will help you - can't remember the name),
> then get tripwire running.
>
> Alice
>
>
> Sent from my Windows Mobile® phone.
>
> ------------------------------
> From: Dick Thomas <xpd259 at gmail.com>
> Sent: 05 October 2011 21:44
> To: Bradlug Mailing list <bradford at mailman.lug.org.uk>
> Subject: [Bradford] chkrootkit and nasties found
>
> hiya people
>
> I've just installed debian (and stop it my David S about using a real OS
> like slackware)
> and ran chkrootkit and got this output
>
> Searching for suspicious files and dirs, it may take a while... The
> following suspicious files and directories were found:
> /usr/lib/xulrunner-1.9.1/.autoreg
> /usr/lib/pymodules/python2.6/.path
> /usr/lib/iceape/.autoreg
> /usr/lib/iceweasel/.autoreg
> /usr/lib/jvm/java-1.5.0-gcj-4.4/.java-gcj-4.4.jinfo
> /usr/lib/jvm/.java-6-sun.jinfo
> /usr/lib/jvm/java-6-sun-1.6.0.26/.systemPrefs
> /usr/lib/jvm/.java-6-openjdk.jinfo
> /lib/init/rw/.ramfs
>
> any one got any ideas?
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Dick Thomas xpd259 at gmail.com
> www.xpd259.co.uk
> www.google.com/profiles/xpd259
>
>
>


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dick Thomas xpd259 at gmail.com
www.xpd259.co.uk
www.google.com/profiles/xpd259
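The hash-and-mtime comparison that the thread describes Tripwire doing (baseline a known-clean system, then report what has been added, removed or modified) written out as an added example; this is not code from the thread or from Tripwire itself, and the web root, the files and the tampering are all constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents (read whole here; chunk it for huge files)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mtime} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path), "mtime": os.stat(path).st_mtime_ns}
    return baseline


def compare(baseline, current):
    """Return (added, removed, changed); changed is a list of (path, reason)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        if old["sha256"] != new["sha256"]:
            changed.append((path, "content"))  # bytes differ: a real modification
        elif old["mtime"] != new["mtime"]:
            changed.append((path, "mtime"))  # same bytes but touched: still worth a look
    return added, removed, changed


def demo():
    """Constructed example: baseline a small web root, tamper with it, diff it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "www"))
    for rel, data in {"www/index.php": b"<?php echo 'hi';", "www/config.php": b"<?php $db = 1;"}.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)  # in real use this is stored off-box, read-only
    with open(os.path.join(root, "www/index.php"), "ab") as f:
        f.write(b" /* appended */")  # simulated modification of an existing file
    with open(os.path.join(root, "www/new.php"), "wb") as f:
        f.write(b"<?php")  # simulated dropped file
    os.remove(os.path.join(root, "www/config.php"))  # simulated deletion
    return compare(baseline, build_baseline(root))
```

As the thread says, the baseline is only useful if it was taken from a system known to be clean, and it must be stored where an intruder on the box cannot rewrite it.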