On Mon, 2004-02-02 at 20:06, Matthias F. Brandstetter wrote:
> Hi all security gurus,
>
> recently I had a sec. issue with an Apache install. This box is hosting
> several virtual domains, one was hacked last night :(
[snip]

>
> Until I can update the webserver, I need to know 3 things:
You really should not wait on getting this thing updated.
And in reality you should also halt this box now and a dd backup
should be made for later examination.
If you need to look around or poke around at all it should all be done
while the disk is mounted read-only.

> 1.) how could this guy(s) get access to this machine,
(this guy could be a worm)

> 2.) how can one get shell access after exploiting Apache, and
It depends on the attack vector that was used.
Without knowing versions of anything here it's hard to answer this
question. See #3

> 3.) how to prevent similar attacks in the future?
For a second let's assume it was this
arbitrary code execution via the stack or heap. If that's the case then
you're going to want something like PaX && || Grsec,
depending on your needs. http://pax.grsecurity.net &
http://grsecurity.net
Note: PaX is included with grsecurity

>
> ANY hints, tips, links and suggestions are welcome!
> Greetings and TIA, Matthias
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer