I discovered that my server had been compromised by my old friends from DataCha0s, et al., today. Not entirely rooted, fortunately, but uncomfortably close. This goes to show that you have to be really careful about which services you make available to the public. The exploit was a vulnerability in awstats version 6.2, which allows an attacker to execute arbitrary code as the Apache user. This is an extremely severe security issue and I'm a bit disappointed that none of the security advisory lists I subscribe to issued a warning about this particular problem.

It seems that the angry young men in question uploaded and compiled an IRC relay station so they could chat, etc., anonymously through my server. This unauthorized network traffic was actually what made me aware that something was going on, so now I'm quite happy about my strange habit of running netstat once in a while. I've also found several other backdoor scripts that allowed execution of arbitrary commands on the system - again, as the Apache user. The Apache user has fairly limited capabilities, but once a cracker is in, the chance that he will be able to root the system and gain access to everything is a very real one. It seems that I got the situation under control just in time.
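The netstat habit described above can be turned into a repeatable check. What follows is an added example, not code from the original post: it parses the output of `netstat -tunp` (Linux, run as root so the PID/program column is populated) and flags two things that fit this incident, an outbound connection to a port IRC servers commonly use, and a web-server worker process that has initiated an outbound connection at all, which an Apache worker serving static pages or scripts normally never does. The sample netstat lines are constructed for illustration; the IRC port list, the web-server program names, and the Linux default ephemeral port range used to tell outbound from inbound connections are all assumptions to adjust for your own host.

```python
"""Flag suspicious established connections in `netstat -tunp` output.

Added example, not from the original post. The sample output, port list,
program names and ephemeral-port boundary are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Ports IRC servers commonly listen on (assumption; extend for your environment).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}
# Web-server process names whose workers should never initiate connections (assumption).
WEB_SERVER_PROGRAMS = {"apache", "apache2", "httpd"}
# Linux default start of the ephemeral port range (/proc/sys/net/ipv4/ip_local_port_range).
# A socket whose local port is in this range was opened by this host, i.e. is outbound.
EPHEMERAL_PORT_START = 32768  # assumption; check the sysctl on the real host

# Constructed sample in the layout netstat -tunp prints on Linux.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 1832/apache2
tcp        0      0 192.0.2.10:45210        203.0.113.50:6667       ESTABLISHED 2210/apache2
tcp        0      0 192.0.2.10:22           198.51.100.20:40022     ESTABLISHED 901/sshd
tcp        0      0 192.0.2.10:45211        203.0.113.51:8080       ESTABLISHED 2215/apache2
tcp        0      0 192.0.2.10:80           198.51.100.9:6667       TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1000/dhclient
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str          # empty for UDP sockets, which netstat prints without a state
    pid: Optional[int]  # None when netstat printed "-" (socket owner not visible)
    program: str


_LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"        # greedy \S+ backtracks to the last ':'
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"        # so IPv6 literals parse too
    r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?"         # state column is absent for UDP
    r"(?:(?P<pid>\d+)/(?P<prog>\S+)|-)\s*$"       # "PID/program" or a bare "-"
)


def _port(text: str) -> Optional[int]:
    return None if text == "*" else int(text)


def parse_netstat(output: str) -> list[Conn]:
    """Parse connection lines; header lines and unrecognised lines are skipped."""
    conns: list[Conn] = []
    for line in output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        conns.append(Conn(
            proto=m["proto"],
            local_addr=m["laddr"], local_port=_port(m["lport"]),
            remote_addr=m["raddr"], remote_port=_port(m["rport"]),
            state=m["state"] or "",
            pid=int(m["pid"]) if m["pid"] else None,
            program=m["prog"] or "",
        ))
    return conns


def find_suspicious(conns: list[Conn]) -> list[tuple[Conn, str]]:
    """Return (connection, reason) pairs for connections worth a closer look."""
    findings: list[tuple[Conn, str]] = []
    for c in conns:
        if c.proto.startswith("tcp") and c.state != "ESTABLISHED":
            continue  # half-closed leftovers such as TIME_WAIT carry no live session
        if c.remote_port is None or c.local_port is None:
            continue  # unconnected UDP sockets (foreign address *:*)
        outbound = c.local_port >= EPHEMERAL_PORT_START
        if not outbound:
            continue  # inbound clients on :80/:22 are expected; their source port is theirs
        if c.remote_port in IRC_PORTS:
            findings.append((c, "outbound connection to an IRC port"))
        elif c.program in WEB_SERVER_PROGRAMS:
            findings.append((c, "web-server worker initiated an outbound connection"))
    return findings


def run_example() -> list[tuple[Conn, str]]:
    findings = find_suspicious(parse_netstat(SAMPLE_NETSTAT))
    for conn, reason in findings:
        print(f"{conn.program}[{conn.pid}] {conn.local_addr}:{conn.local_port} -> "
              f"{conn.remote_addr}:{conn.remote_port}: {reason}")
    return findings


if __name__ == "__main__":
    run_example()
```

On the constructed sample this reports the apache2 worker talking to 203.0.113.50:6667 and the apache2 worker that opened a connection to port 8080, while the legitimate inbound client on :80, the ssh session, the TIME_WAIT leftover and the DHCP socket are ignored. An IRC bouncer compiled on the box may also sit listening for inbound logins rather than dialling out, so pair this with a look at `netstat -tulnp` for listening sockets owned by the web-server user that the running configuration does not account for.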

So what am I doing to protect my system? Well, right now I'm simply banning the entire block of IP numbers assigned to Brazil from my server, since this has consistently been the source of cracking attempts (sorry, Brazil), and awstats has been taken offline altogether. These measures are only temporary, until I have had a chance to clean up the messes and purge the system of any lingering trojans. Needless to say, I will also be spending some time sending out e-mails to all the ISPs from which attacks have been launched against my server and connections have been made to any of the installed backdoors. Perhaps I should get in touch with Eiffel, who could undoubtedly lend me some sound advice on how to further secure the system and, perhaps more importantly, how to track the perpetrators.

In any case, the server survived and my internal network was, to the best of my knowledge, left untouched, so there is at least that to be thankful for. All is well, considering.