[conspire] Machine rebuild happened on Feb. 1

Rick Moen rick at linuxmafia.com
Tue Feb 8 15:53:42 PST 2005


In case you were wondering what had gone on with linuxmafia.com:
Midmorning on Monday, Jan. 31, the machine was site-compromised from
somewhere in Brazil using a remotely exploitable vulnerability in the
AWstats package.  (At the time, Debian-unstable's package of that
Web-stats package turns out to have had a serious unfixed bug whereby
the "pluginmode" parameter can be exploited in a call to the Perl
routine eval(), allowing attackers to execute arbitrary commands.
For the near future at least, we'll be regarding that thing as too buggy
to run here.)

Our logging and IDSes did their job, so I rebuilt the machine from
trusted sources and current backups, going through prior config and
dotfiles to vet them and recreate machine state.  Rebuild was complete
in 22 hours.  (No data was lost or corrupted, including mail.)

There were two things that took longer:  mailing lists and certain PHP
features.

The local mail system (based on the Exim4 MTA) had been a bit of a mess,
so I decided to do a meticulous job this time, so that I would have
everything running as desired _and_ have it be maintainable _and_
understand how everything works.  We started with the Debian
exim4-daemon-heavy package, added a locally-compiled copy of the
Leafnode 2.0 prerelease NNTP news server (because the 1.x releases don't
yet support local newsgroups), added full SPF support, fetched J.C.
Boggis's extremely nice canned Exim4 configuration package
"EximConfig"[1], and added Marc Merlin's sa-exim package for additional
SMTP-time spam-rejection.

There were predictable gotchas:  Doing SMTP-time rejection of spam is
something of a cutting-edge effort.  It turned out, disappointingly,
that the SPF daemon, designed to determine if the envelope-sender IP
address is an authorised mail exchanger (MX) for the alleged sending
domain, suffers a severe case of the stupids:  The thing doesn't check
the envelope "From" header (as it should), but rather the interior
"From:" header.

Most of you probably won't quite realise what a bonehead move _that_ is,
but it's a doozy.  I disabled SPF-checking in my Exim4 configuration in
a hurry.  We'll look in on that in a year or two, after they've acquired
clue.


With other things grabbing my time, I hadn't been able to fix Exim4's
Mailman support until today:  The Debian Exim4 package doesn't provide
it, and, given that EximConfig alters the package's operation in
fundamental ways, I had to experiment a bit before learning the ropes,
fully.  It seems to be all better, now, and I'm also in a better
position to handle more-complex MTA feature additions in the future.


The PHP matter is still not entirely fixed:  I'd been lax and lazy, and
had previously left enabled a truly atrociously dangerous PHP4 setting
called "register_globals".  That and several other monumentally stupid
default settings in php.ini are now turned off.  To my knowledge, the
only broken page you'll see as a result is the sub-pages of
http://linuxmafia.com/~rick/faq/ , which I'll have to redesign to no
longer rely on a global automagic "page" variable.  (I just haven't yet
had time.)

[1] http://www.jcdigita.com/eximconfig/
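As an added illustration of the register_globals problem described above (example code, not from the post or from linuxmafia.com): a hypothetical faq/index.php that used to depend on an "automagic" $page variable, rewritten to read the value explicitly and validate it against an allowlist. The file names and the allowlist are constructed for the example.

```php
<?php
// Added example: a FAQ front page that relied on register_globals = On.
//
// BEFORE: with register_globals enabled, PHP4 silently creates $page from
// any matching query-string, form, or cookie value, so this single line
// lets any visitor choose which file is included:
//
//   include("pages/$page.html");
//
// AFTER (register_globals = Off in php.ini): the script must name its
// input source itself, and should validate before building a file path.

// Constructed list of the sub-pages that actually exist.
$allowed_pages = array('intro', 'install', 'network');

// Return the file to include for the requested FAQ page.
// $get is the request array (normally $_GET); $allowed is the allowlist.
function resolve_faq_page(array $get, array $allowed)
{
    // Explicit source and explicit default instead of an ambient global.
    $page = isset($get['page']) ? (string) $get['page'] : 'intro';

    // Strict comparison against known names: anything else falls back to
    // the default, so the value is never interpolated into a path unchecked.
    if (!in_array($page, $allowed, true)) {
        $page = 'intro';
    }
    return __DIR__ . '/pages/' . $page . '.html';
}

include resolve_faq_page($_GET, $allowed_pages);
```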





More information about the conspire mailing list