[conspire] Machine rebuild happened on Feb. 1

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Wed Feb 9 12:33:09 PST 2005

Another side effect that I immediately noticed as soon as linuxmafia.com
came back up was that the SSH identity of the machine changed. Until I
read the below, I thought this might be a temporary thing, but now I guess
I should update my known_hosts file, right? A little while later, I tried
temporarily moving the known_hosts file so that I could try to log in and
found that my password had been reset, and I don't know the new one.

On Tue, 08 Feb 2005 15:53:42 -0800, Rick Moen wrote:

> In case you were wondering what had gone on with linuxmafia.com:
> Midmorning on Monday, Jan. 31, the machine was site-compromised from
> somewhere in Brazil using a remotely exploitable vulnerability in the
> AWstats package.  (At the time, Debian-unstable's package of that
> Web-stats package turns out to have had a serious unfixed bug whereby
> the "pluginmode" parameter can be exploited in a call to the Perl
> routine eval(), allowing attackers to execute arbitrary commands.
> For the near future at least, we'll be regarding that thing as too buggy
> to run here.)
> Our logging and IDSes did their job, so I rebuilt the machine from
> trusted sources and current backups, going through prior config and
> dotfiles to vet them and recreate machine state.  Rebuild was complete
> in 22 hours.  (No data was lost or corrupted, including mail.)
> There were two things that took longer:  mailing lists and certain PHP
> features.
> The local mail system (based on the Exim4 MTA) had been a bit of a mess,
> so I decided to do a meticulous job this time, so that I would have
> everything running as desired _and_ have it be maintainable _and_
> understand how everything works.  We started with the Debian
> exim4-daemon-heavy package, added a locally-compiled copy of the
> Leafnode 2.0 prerelease NNTP news server (because the 1.x releases don't
> yet support local newsgroups), added full SPF support, fetched J.C.
> Boggis's extremely nice canned Exim4 configuration package
> "EximConfig"[1], and added Marc Merlin's sa-exim package for additional
> SMTP-time spam-rejection.
> There were predictable gotchas:  Doing SMTP-time rejection of spam is
> something of a cutting-edge effort.  It turned out, disappointingly,
> that the SPF daemon, designed to determine if the envelope-sender IP
> address is an authorised mail exchanger (MX) for the alleged sending
> domain, suffers a severe case of the stupids:  The thing doesn't check
> the envelope "From" header (as it should), but rather the interior 
> "From:" header.  
> Most of you probably won't quite realise what a bonehead move _that_ is,
> but it's a doozy.  I disabled SPF-checking in my Exim4 configuration in
> a hurry.  We'll look in on that in a year or two, after they've acquired
> clue.
> With other things grabbing my time, I hadn't been able to fix Exim4's
> Mailman support until today:  The Debian Exim4 package doesn't provide
> it, and, given that EximConfig alters the package's operation in
> fundamental ways, I had to experiment a bit before learning the ropes,
> fully.  It seems to be all better, now, and I'm also in a better
> position to handle more-complex MTA feature additions in the future.
> The PHP matter is still not entirely fixed:  I'd been lax and lazy, and
> had previously left enabled a truly atrociously dangerous PHP4 setting
> called "register_globals".  That and several other monumentally stupid
> default settings in php.ini are now turned off.  To my knowledge, the
> only broken page you'll see as a result is the sub-pages of
> http://linuxmafia.com/~rick/faq/ , which I'll have to redesign to no
> longer rely on a global automagic "page" variable.  (I just haven't yet
> had time.)
> [1] http://www.jcdigita.com/eximconfig/

More information about the conspire mailing list