On Mon, 2008-01-28 at 11:59 -0500, Jeff Plewes wrote:
> Update,
>
> The problem box:
> - centos 5 base, updated via yum from default repository.
> - httpd 2.2.3-11.el5_1.centos.3 (2.2.8 backport?)
> - php 5.2.5 compiled from source
> - courier-authlib 0.60.2 compiled from source
> - courier-imap-4.3.0 compiled from source
> - exim 4.69 compiled from source
> - proftpd 1.3.1 compiled from source
>
> I have no control panel of any sort installed.
Do you exert *any* control over your customers' content?
> The box was running RH9.. had the issue.. formatted and replaced with
> fresh install of centos 5... copied over customer vhosts..
I guess not :)
> Gets hit again within days.
Highly likely. The commonality between the systems is your customers,
who I would either finger directly as the culprits or their sites.
Anyone running an outdated "Nuke" of any type, for example? Menalto
Gallery? Real old Actinic shopping carts, anything like that?
> I have many other hosts in the datacenter with various configurations
> but all would have had the same apache, php, ssh, ssl versions as this
> box before at RH9. None of them have been hit.. none of them however,
> contain exim, courier, or proftpd
I would personally be *extremely* surprised to find any of these three
being the entry point, especially given the versions you mention.
My finger points at PHP, indirectly, through a hole in an application
giving a remote attacker local user privs. Once they're in your system,
all bets are off - even if they're not root yet, they could be sometime
soon.
Graeme