[sf-lug] Hacked RHEL4/PHP4 server

Jason Turner jturner at nonzerosums.org
Fri May 23 18:10:48 PDT 2008

Well, late to the party, but a couple of things...

I realize it is unclear and perhaps unknowable *how* this penetration 
occurred.  I have no answers for you when it comes to carefully tracing 
and fingerprinting through a compromised system.  I'd love to stand over 
your shoulder should you ever attempt to sit down over a copy of the 
compromised system.

When it comes to the PHP-as-hack-vector, I'd be curious to hear about 
the php.ini settings on that machine.  RickM already pointed to his 
security page, and the PHP link does indeed list some of the more common 
settings changes.  http://linuxmafia.com/faq/Security/php.html

After dealing with shared hosts, I've come to appreciate running 
interpreters as [fast]CGI processes, with reduced user privileges.  I 
may have missed whether you said Apache was running as root on this 
setup?  In any case, whether they decide to do "the right thing -- and 
completely rebuild this VPS from clean sources" or not, perhaps you can 
make a few helpful suggestions to them around possible config changes.

Thanks for sharing.  I believe it was also RickM that shared a link that 
has info on IDS tools in it (ah -- the story about the Debian hacks!).  
That's my next experimental playground...


Tom Haddon wrote:
> Hi Folks,
> I'm hoping I can marshal the resources of the LUG to help me get a
> hacked server back under control. Here's the situation...
> I used to work for a non-profit back in the early 2000s that did health
> resource information, and while working for them I wrote my first ever
> web application using PHP/PostgreSQL. It was a cancer resource guide,
> showing what resources were available to patients and families in a
> local area.
> [...interesting hack story...]
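Since the thread asks about the php.ini settings on the compromised box and points at a hardening page, here is an added example (not code from either poster or from the linuxmafia.com page) of a small audit script that parses a php.ini and reports the directives most often tightened on a shared or internet-facing PHP 4/5 host. The directive list and the recommended values are conventional hardening defaults chosen for this example; the sample php.ini fragment is constructed, and the script is meant to be run as `python audit_php_ini.py /etc/php.ini` (filename assumed).

```python
"""Audit a php.ini for settings commonly tightened after a PHP compromise.

Added example; not from the original post or the linked hardening page.
The recommended values are conventional defaults, not a quotation of any
specific document.
"""
import re
import sys

# Constructed sample php.ini fragment (not the compromised server's file).
SAMPLE_INI = """\
; constructed sample for demonstration only
[PHP]
engine = On
register_globals = On
allow_url_fopen = On
display_errors = On
expose_php = Off
disable_functions =
; open_basedir intentionally left unset
"""

# Boolean directives that should be Off on an internet-facing host.
BOOLEAN_OFF = {
    "register_globals": "turns every request parameter into a PHP global",
    "allow_url_fopen": "lets include()/fopen() fetch remote URLs",
    "allow_url_include": "lets include()/require() execute remote code",
    "display_errors": "shows paths, queries and stack traces to visitors",
    "expose_php": "advertises the PHP version in response headers",
}

# Directives that should carry a non-empty value.
NON_EMPTY = {
    "disable_functions": "should list exec, system, passthru, shell_exec, ...",
    "open_basedir": "confines file access to the application's directories",
}


def parse_php_ini(text):
    """Minimal php.ini parser: ';' comments, [sections], key = value.

    Later occurrences override earlier ones, as PHP itself does. Inline
    comments are only recognised after whitespace so values such as a
    Windows include_path (".;c:\\php") are not truncated.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        line = re.split(r"\s;", line, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


def is_on(value):
    """PHP accepts several spellings for a boolean 'on'."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit(settings):
    """Return (directive, current_value, recommendation) for each finding.

    A directive that is absent from the file is reported too: the built-in
    default then applies, and that default differs between PHP releases, so
    the safe move is to set it explicitly.
    """
    findings = []
    for key, why in BOOLEAN_OFF.items():
        if key not in settings:
            findings.append((key, "<unset>", "set explicitly to Off; " + why))
        elif is_on(settings[key]):
            findings.append((key, settings[key], "set to Off; " + why))
    for key, why in NON_EMPTY.items():
        if not settings.get(key, ""):
            findings.append((key, settings.get(key, "<unset>"), why))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_INI
    for directive, current, advice in audit(parse_php_ini(text)):
        print("%-20s current=%-8s -> %s" % (directive, current, advice))


if __name__ == "__main__":
    main(sys.argv)
```

Note that php.ini is only one layer: `php_flag`/`php_admin_flag` lines in httpd.conf or an .htaccess can override it per virtual host or per directory, so compare the script's findings against the effective values shown by `php -i` (or a phpinfo() page viewed locally, then removed) before concluding a setting is safe.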
