# Gentoo 1.4 Webserver got rooted tonight.

## chmod

I am running a Gentoo 1.4 box on a dual Xeon 2.4Ghz Intel board. I installed 1.4RC2 on it and have kept it updated by emerging "-u world" every few days.

Tonight I went to a site of mine, to find the index page had been moved with a new one in its place. Also the intruder kindly removed the /var/log directory, and my last year or so of logs.

Where do I start even looking to find out who did this? Is there a likely hole in gentoo because of this? I'm no security buff, but I have kept openssh updated, and have no other users of this machine.

Can someone help me start hunting for what caused this? I'm not as much interested in catching the cracker as I am in preventing this from happening again.

----------

## SouthOfHeaven

sorry, out of curiosity why would you "emerge -u world" every few days ??

----------

## iwasbiggs

Horrible, too bad you couldn't read the logs.

----------

## chmod

*SouthOfHeaven wrote:*

> sorry, out of curiosity why would you "emerge -u world" every few days ??

To keep all my system up to date. Is there a more accepted way of doing this?

----------

## antik

*chmod wrote:*

> Tonight I went to a site of mine, to find the index page had been moved with a new one in its place. Also the intruder kindly removed the /var/log directory, and my last year or so of logs.

And your backup is stolen also?  :Evil or Very Mad: 

My advice:

1. throw out ftp

2. use only scp

3. write some decent firewall script

4. RTFM  :Twisted Evil: 

5. make backup every day or if you are paranoid enough - every hour

....

EDIT: translation for some stupid ppl: RTFM- Read The Fine Manual.

----------

## iwasbiggs

*chmod wrote:*

> *SouthOfHeaven wrote:* sorry, out of curiosity why would you "emerge -u world" every few days ??
>
> To keep all my system up to date. Is there a more accepted way of doing this?

I usually just check the change logs to see what I need to update and what is worth it.

----------

## chmod

*antik wrote:*

> And your backup is stolen also?

No, the sites are backed up, that is not a problem. You backup your logs regularly?

And read what fucking manual? The gentoo one? Thanks for no help.

----------

## Tuna

cat .bash_history ? ok if he's smart enough to delete the logs he probably deleted that one also.. just to remember.. better not using that machine in that state any longer on the net.. you never know what he changed/installed to get easy access anytime again.

----------

## chmod

*Tuna wrote:*

> cat .bash_history ?

Yea he deleted .bash_history as well, and yes, the box is off the net until I can reinstall it.

Does anyone have any clue how this happened? It is possible it is a gentoo hole, does anyone care to investigate this more?

----------

## Koon

Odd.

What services are visible (exposed through your firewall)?

Is everything installed from emerge packages or did you install binaries manually?

-K

----------

## uxbod

Were you using Apache? If so what version?

----------

## gigel

you can call/contact your isp to tell who was logged/accessing into/your machine the day it was *rooted*

backup logs is not the issue here...unless you put them on a read-only media 

putting a cron job to cp /var/log/* into a different place can fool a stupid cracker but i think it's not a good security option either...

on a server the most important things are the kernel and firewall configuration and the services that are allowed..

it's not a gentoo fault 'cause you've been cracked...

now post what services were u running in that day??

and also the version numbers..

to investigate more, you might analyze what he has modified in the kernel (cause i might think he has modified it) comparing it with a new one taken from kernel.org ...that way you might find something useful...

try looking what processes are running right now, try looking what open ports you have now...try scanning your machine (nessus and nmap)

 :Crying or Very sad:   :Crying or Very sad:  ...i just feel sad..that all...

//edit

AFAIK when you delete a file you are actually deleting the inode, so the basic file is still there as long as it's not overwritten by some other files (usually this happens when you move files, or fill the hard disk)

so i know there must be a program that restores inodes...try looking for one..and maybe (with luck) you can restore your logs and see who was messing with your machine.....

----------

## elykyllek

could you run chkrootkit and see if you were rooted by a known rootkit?

----------

## chmod

*elykyllek wrote:*

> could you run chkrootkit and see if you were rooted by a known rootkit?

Thanks for the link. I ran that program and it found nothing unusual. No kits found.

Also thank you to mortix, I was able to use debugfs to recover the .bash_history file. Unfortunately, the /var/log dir was unrecoverable due to daemons writing all over it.

A quick portscan revealed something listening on port 44999. I ran 'lsof -i | grep 44999' and it was a program called "logs". I was unable to figure out what it was doing. I did manage to kill its pid. 

Running services were:

Apache 1.3.27 with static PHP 4.3.1 (from source)

Pure-FTPD 1.0.14 (portage)

eXtremail 1.5.7 POP, IMAP, SMTP (from source) 

MySQL 4.0.12 (from source)

SSHD 3.6.1_p2 (portage)

Thanks for the help so far guys!

----------

## Roc

What kernel are you using? Is it possible that someone used the ptrace bug to break into your system? This maybe can also be done by uploading a PHP script containing shell commands.

----------

## ARC2300

And I'm sure you know, but your root password is secure, long, and very hard to crack??

I'm always afraid of someone doing this crap to me, but, then again, if they can get my password(s) and figure it out, good for them.   :Razz: 

Sorry to hear about your luck.  

And just out of curiosity (I don't really know if it's possible), did you chroot your FTP daemon??  I've heard of people breaking into systems via FTP because it's so easily crashable.

----------

## antik

*chmod wrote:*

> *antik wrote:* And your backup is stolen also?
>
> No, the sites are backed up, that is not a problem. You backup your logs regularly?
> ...

Yes I backup logs automagically. About security.

Thank you for your patience...

----------

## Koon

*chmod wrote:*

> eXtremail 1.5.7 POP, IMAP, SMTP (from source)

Any chance you were open to this root-compromise script ?

http://206.63.100.249:8123/files/formatstrings/eXtremail-fs.pl.txt

Otherwise, like Roc, I just see the ptrace kernel vuln or a problem in your Apache/PHP setup or a PHP script with a hole in it...

Good luck in your search anyway...

-K

----------

## rajl

I followed that link and looked at the script, but I couldn't tell what it was exploiting (besides what seemed to be a mailserver).  What service/package does it target, and how would I make sure that my own system is secure against it?

----------

## paul138

All you can really do now is format the thing. It's not a good idea to use a compromised box even if you think it's clean. It's a learning experience.

If they didn't install a rootkit then they must have just come in to install a DDoS client of some sort (hence the port 44999 listening). The idea being that they can use your box in a distributed denial of service attack.

Some things to do next time around:

Run only stable. Don't use the ACCEPT="~x86" (if you were). Sometimes the experimental code is full of holes.

Run only the necessary software. Gentoo is good about not setting a lot of default services on startup like the other distros. Only install/start the minimum number of programs.

Daemons like ftp are notorious for being full of holes. Before you use an ftp daemon on the machine, read all of the docs especially the ones pertaining to security.

Do not install X windows on a server. This has proved fatal many times (especially where web servers are concerned, it is possible to start an xterm on a remote system with the right piece of buggy code and netcat).

If possible, remove gcc altogether. Keep a mirror of the system at your office and build the updates as packages at the office then scp them (or take them on a CDR) to the remote machine. Use emerge -k [package] to install it, no gcc needed.

Eliminate all non-vital users from passwd and group files.

Lock down ssh so as to only use RSA keys for root (if you must use remote root accounts), or deny root login altogether. There are MANY ssh options to set up.

Install Tripwire or one of the variants (www.tripwire.org - why is there no ebuild for this yet?)

Use a nice firewalling system. I recommend Shorewall, it's worked for me for over 2 years now. It is possible to firewall a system with only 1 NIC.

Double-up on IP access restrictions to services using tcp_wrappers along with iptables.

There are so many other things, just keep it simple and locked down.

It's sad to see a box get compromised. But 2nd time's always a charm  :Wink: 

GOOD LUCK!

-P

----------

## paul138

*rajl wrote:*

> I followed that link and looked at the script, but I couldn't tell what it was exploiting (besides what seemed to be a mailserver).  What service/package does it target, and how would I make sure that my own system is secure against it?

That was a root exploit for eXtremail but it's not clear on what version it can be used against.

[edit]

A quick search reveals http://www.securityfocus.com/bid/2908

You did not appear vulnerable. 

 :Cool: 

----------

## SouthOfHeaven

i agree with paul138, they probably just broke in to install a DDoS client, to me it doesn't make much sense, what exactly do you have on the server worth stealing ?? credit card numbers ? email addresses ? and if the hacker/cracker/***scriptkiddie*** was after something then why delete the logs ??

Anyway i don't have much experience with this, i'm just throwing in my 2 cents. I would suggest something like tripwire and snort.

----------

## Roc

Are you also sure that no one has physical access to the machine? Can you trust your ISP where it is located?

I don't know if it's a good idea, but maybe an experienced user will be able to find out the vulnerability if you reconnect the machine for a limited period of time, post its IP and keep a strong eye on it. It's a risk, but I would like to know what has happened to keep it out next time.

----------

## paul138

That wouldn't make much of a difference. When the daemon is installed for distributed exploits, the person who installed it usually distributes your IP as being available for use to any number of other persons.

Simply waiting for someone to connect to the daemon prob won't get your cracker, maybe only one of his pal's pal's pal.

When I came to work where I am now, there was an Oracle server on the network running Red Hat 6.0. I logged in, poked around the logs etc and happened to notice a ddos daemon running. Compromised? Yes, syslog was not working, ps showed false processes (masked the daemon) and, a mass of other problems. The box was sitting connected to the Internet without anything to stop the nasties from getting in. When I asked how long it had been compromised they responded "There is something wrong with it?"

Anyway...a little humor.

Wipe out the machine, start over new.   :Twisted Evil:   <- I love that emoticon

----------

## Koon

I think chmod is not looking for advice on what to do now he is rooted, but rather is concerned by the fact he was running a pretty simple Gentoo setup, with regular security updates, and thought he would be protected.

There are three possible causes :

1- Unknown vuln in the wild !

That's the worst case scenario, that would mean any of us can be targeted too. But given the low hacker profile (why on earth would you deface a website *and* install a DDOS client ? DDOS client must keep a low profile to stay for a long time) I think case 2 or 3 are most likely

2- Known vuln in kernel/software used

Surely chmod didn't post his entire config, and maybe he installed from source/binary a package on which a vuln exists, that was not updated by portage, and a root-script exploits it.

3- Hole in config or PHP programs or weak password...

Like maybe something has been done in the FTP config (or others, like running ExtreMail under root privileges, I don't know) which allowed for the intruder to gain access. If it's not a really common error, it may mean a medium/high-profile hacker, which contradicts the point I made in (1)  :Smile: 

As a conclusion, we sure hope there is no unknown vuln in the wild in a common package, but we cannot help you without an intimate knowledge of everything that was done and installed on your machine, the physical context around it, etc...

Good luck !

-K

----------

## Vancouverite

Judging by the damage done I think it's fair to say this wasn't a very sophisticated hacker. Probably a scripted exploit or a bad cgi script allowing arbitrary command execution and they just ran an xterm pointed at their IP. Without knowing the configuration of everything the how is anyone's guess. Better luck next time.   :Wink: 

[edit] You might want to take a look at User-mode Linux

[another edit] After you have re-installed everything run a good nessus scan and deal with any issues it reports.

----------

## xedx

best bet would be a local user compromise or a weak password

----------

## paul138

I think though that part of the problem lies in how the system is customized eg. USE flags.

The USE flags play a lot with how things are compiled and configured. Say you had ldap, mysql and pam in your USE; your Pure-FTP daemon would be built with extra functionality. When I go to the Pure FTP website and look for this info, the first thing I see in the docs is:

```
If you never heard about LDAP before, *DON'T* enable LDAP support in
Pure-FTPd. LDAP is useless if you don't have to manage many shared accounts.
```

It says the same thing as well for MySQL support. OK, so they don't say anything about it being insecure, but how much has this functionality been tested as opposed to the daemon as a whole which has probably been tested much more.

Now you have this added functionality which has not been thoroughly tested in some packages and it's live to the Internet.

Of course, I'm not saying the Pure FTP guys don't test their code, nor am I picking on the program. It's only an example (NO FLAMES). I'm also not picking on portage. What it all boils down to is being careful with your flags.

Maybe it's possible to run a Gentoo system like your average run-of-the-mill Linux distro where you download packages and install them (eg. RPM)? Certainly it is (in theory), you keep a local build of your remote system(s) and build the packages (static if needed) and install them with the -k option. While I have not tested this 100% I am willing to try it out and report my findings.

There are currently 20 Gentoo systems (servers) in this office and 4 in production (last I counted). So I have plenty to play with.

Maybe a little more involvement in the Gentoo-Hardened project would be an asset (I don't see a lot of activity).

In the meantime, be careful with those USE flags, they may be adding very experimental code to production systems!

-P (A Gentoo BOFH)

----------

## Dalrain

Hmm....so I was thinking on this, and I was wondering what kernel version you were running?   emerge -u world will download and unpack the source, but of course not do any special installation in that regard.  If you were one of the people using gentoo-sources that couldn't upgrade due to the IDE code (and still cannot, such as myself...) then perhaps you still had the local exploit open from a bit back?

Also, I'm not sure just how important this box is, but you could always use a machine with networked logging, or go with the old trick that kills trees....set up an old, old, printer and have it print logs.  If it's just a little user box, then perhaps that's a little extreme...but hey, it's a little hard to delete paper unless they're there.  :Smile: 

I also agree on the above comment about USE flags.  grsecurity is a savior IMHO as well.  ACLs = teh win   :Very Happy: 

----------

## paul138

*Dalrain wrote:*

> Hmm....so I was thinking on this, and I was wondering what kernel version you were running?

The exploit was local (you needed to log in first) so, maybe they cracked into a user account and went from there. Another reason to take gcc off of the machine.

*Dalrain wrote:*

> Also, I'm not sure just how important this box is, but you could always use a machine with networked logging, or go with the old trick

You could also use networked logging (a little tricky, but easy once learned) with syslog-ng. You could also implement snort on another machine with a one-way sniffing cable (do a Google).

----------

## gigel

i do not think gcc is an issue here...

when someone managed to break into your server, it's just not important if u have gcc installed or not..the basic idea is that the cracker got access to your box, and therefore it is compromised..i think it is senseless trying to increase security from this point (once the cracker is logged into the box)...

so i prefer to leave gcc on my box instead of having outdated software...

the idea is to prevent the remote attackers!!

local users can be easily managed

just chmod 700 /bin /sbin /usr/bin /usr/sbin etc...  :Very Happy: 

main problem in security is remote attacks, not the local ones...

another security increasing option is to modify the source code of the servers...what do i mean by that...well 

lets take apache for instance..suppose we have installed apache 1.3.27..but we want the cracker to think we're using apache 1.3.13 or even IIS ...if we manage to do that we put the cracker on a bad path...looking for exploits for another version...this may sound stupid but it's not...imho  :Razz: 

i bet this is a very well used technique...just take a look at netcraft and make some searches...who the heck is using apache 1.3.1x nowadays??

//edit: if u look at the screenshot in my signature u get what i mean..that was so simple to do..now i'm researching how to modify apache  :Razz: 

----------

## paul138

*mortix wrote:*

> i do not think gcc is an issue here...
>
> when someone managed to break into your server, it's just not important if u have gcc installed or not..the basic idea is that the cracker got access to your box, and therefore it is compromised..i think it is senseless trying to increase security from this point (once the cracker is logged into the box)...
>
> so i prefer to leave gcc on my box instead of having outdated software...
> ...

So, in short, you would not mind that they could emerge packages, build kernel modules or simply eat up 100% of your processor?

----------

## gigel

*paul138 wrote:*

> *mortix wrote:* i do not think gcc is an issue here...
>
> when someone managed to break into your server, it's just not important if u have gcc installed or not..the basic idea is that the cracker got access to your box, and therefore it is compromised..i think it is senseless trying to increase security from this point (once the cracker is logged into the box)...
>
> so i prefer to leave gcc on my box instead of having outdated software...
> ...

yes,you're right  :Wink: 

if they could manage to get to this level(just login into my box)

it means that my effort of securing my server was useless

once you're cracked(of course u should realize it) there is no alternative but to reinstall .........

if the crackers manage to break into the system they could use corrupt binaries instead of compiling them...

they could download an exploited version of (lets say) ls ...so every time you (as root) type ls u open a random port ..guess you'll get the picture...

the main idea is:

if the cracker managed to login to your box (_this_ is the hard part) with or without gcc you are kaputt...

as a sysadmin you must prevent this from happening!!

and this has nothing to do  with gcc.....

regards!

----------

## Vancouverite

*mortix wrote:*

> the main idea is:
>
> if the cracker managed to login to your box (_this_ is the hard part) with or without gcc you are kaputt...
>
> as a sysadmin you must prevent this from happening!!
> ...

Precisely. If someone gets a shell you're shit out of luck. Most hacks are due to poorly configured servers, bad CGI scripts...etc. Remember the apache.org defacement when it was rooted (by grey hats as a proof of concept) because of bad configuration settings and nothing else. Security by obscurity is a joke IMO and a false confidence booster for the lazy. Real security is about doing a lot of little things right, monitoring logs and keeping current with patches.

----------

## christsong84

*Vancouverite wrote:*

> *mortix wrote:* the main idea is:
>
> if the cracker managed to login to your box (_this_ is the hard part) with or without gcc you are kaputt...
>
> as a sysadmin you must prevent this from happening!!
> ...

don't forget backups. (of everything...data AND logs)

----------

## ebrostig

I'm sorry to hear that you were rooted.

I would recommend using Tripwire or similar system to monitor the system.

Also, remember the following:

- Any system facing the Internet has to be considered compromised.

Based on this, store data that the users can access through encrypted connections only from the outside (where the webserver is located) to your database (on the inside). Also make use of DMZs and 2 NICs. Don't run any service or open any port against the Net except for the ports that are needed (80 on a webserver, maybe 443 for SSL). Don't accept normal login on any NIC that faces the Net.

And as other people have mentioned, scrap the disks and reformat everything, re-install from trusted sources. Your box is compromised and has to be considered so until recreated.

Good Luck!

Erik

----------

## chmod

Below is the entire .bash_history from the box's root account. I was able to recover this file using debugfs on my / partition. Domain names were changed to protect my box.

```
w
id
locate httpd.conf
pwd
find / -name httpd.conf
cat /usr/local/apache/conf/httpd.conf | grep ServerName
find / -name httpd.conf
cat /usr/local/apache/conf/httpd.conf | grep ServerName
ps ax
kill -9 17371
kill -9 17208
kill -9 cd /etc
cd /etc
w
ls
cat hosts
cd /web
ls
cd domain.com
ls
cat index.htm
mv index.html index.bak.html
mv index.htm index.bak.htm
echo Perfect.BR > index.htm
ls
cat index.
cat index.htm
cd html/
ls
cd ..
cd ..
ls
w
cd domain2.com
ls
mv index.php index.bak.php
echo Perfect.BR > index.php
cd ..
cd domain3.com
ls
mv index.php index.bak.php
echo Perfect.BR > index.php
cd ..
cd domain4.com
ls
mv index.php index.bak.php
echo Perfect.BR > index.php
cd ..
ls
cd domain5.com
ls
mv index.php index.bak.php
echo Perfect.BR > index.php
cd ..
cd domain6.com
ls
mv index.php index.bak.php
echo Perfect.BR > index.php
cd html/
ls
cd /web
ls
cd domain7.com
ls
mv index.php index.bak.php
echo Perfect.BR > index.php
cd /root
rm .bash_history
ls -al
ls -la
rm /var/log
rm -rf /var/log
exit
```

Even though this evidence leads me to believe it was nothing more than a kiddie defacing some sites, I will still rebuild the box just to be sure. This time following the steps of the gentoo security doc. I have recently installed snort on the other boxes on the network, and have switched all my SSHD servers to use RSA keys instead of passwords, and only use version 2 of ssh. Thanks for the tips and links everyone. If I can post more stuff I will.
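As an added example (not code from the thread), a small Python triage script that walks a recovered root history like the one above, follows the `cd` commands to resolve which files were overwritten, and pulls out the tag that was echoed into them; the history it carries is a constructed abridgement of the one posted, and the rule list is an assumption tuned to this incident's pattern.

```python
"""Triage a recovered shell history for defacement and anti-forensics activity."""
import posixpath
import re
from collections import Counter

# Constructed abridgement of the recovered root .bash_history from this thread;
# the domain names are placeholders just as in the original post.
SAMPLE_HISTORY = """\
w
id
find / -name httpd.conf
ps ax
kill -9 17371
cd /web
cd domain.com
mv index.htm index.bak.htm
echo Perfect.BR > index.htm
cd ..
cd domain2.com
mv index.php index.bak.php
echo Perfect.BR > index.php
cd /root
rm .bash_history
rm -rf /var/log
exit
"""

# (category, regex over the whole command line). Assumed rule set, tuned to the
# pattern seen in this incident; extend it for other cases.
RULES = [
    ("recon", re.compile(r"^(w|id|ps ax|find / -name \S+)$")),
    ("process-kill", re.compile(r"^kill -9 \d+$")),
    ("index-renamed", re.compile(r"^mv (index\.\w+) index\.bak\.\w+$")),
    ("index-overwritten", re.compile(r"^echo (\S+) > (index\.\w+)$")),
    ("anti-forensics", re.compile(r"^rm (-rf )?(\.bash_history|/var/log)$")),
]


def next_cwd(cwd, arg):
    """Follow a `cd` the way the shell would, without touching the filesystem."""
    if not arg:                          # bare `cd` goes home; root's home assumed
        return "/root"
    target = arg if arg.startswith("/") else posixpath.join(cwd, arg)
    return posixpath.normpath(target)


def triage(history, start_cwd="/root"):
    """Tag suspicious lines, resolving relative file names against the tracked cwd.

    Returns a list of (line_no, category, absolute_path_or_None, command).
    """
    cwd = start_cwd
    hits = []
    for line_no, raw in enumerate(history.splitlines(), 1):
        cmd = raw.strip()
        if cmd == "cd" or cmd.startswith("cd "):
            cwd = next_cwd(cwd, cmd[3:].strip())
            continue
        for category, rule in RULES:
            match = rule.match(cmd)
            if not match:
                continue
            path = None
            if category == "index-renamed":
                path = posixpath.join(cwd, match.group(1))
            elif category == "index-overwritten":
                path = posixpath.join(cwd, match.group(2))
            hits.append((line_no, category, path, cmd))
            break                        # first matching rule wins
    return hits


def summarize(hits):
    """Collapse hits into what an incident note needs: counts, defaced files, tags."""
    overwritten = [(path, cmd) for _, cat, path, cmd in hits if cat == "index-overwritten"]
    return {
        "counts": dict(Counter(cat for _, cat, _, _ in hits)),
        "defaced": sorted({path for path, _ in overwritten}),
        "tags": sorted({cmd.split()[1] for _, cmd in overwritten}),
    }


if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_HISTORY)).items():
        print(f"{key}: {value}")
```

The extracted tag is the string worth searching for, which is exactly how the group behind the defacement was identified later in this thread.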

----------

## beowulf

The kid took the time to back up the files... 

Did a search on Google... 

http://www.google.ca/search?q=perfect.br&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=

It appears that it was done by a group of kids that deface web sites regularly.  Their irc channel is #perfect_br but i didn't notice a server listed.  The email is perfectbr@mail.com, which could be a fake, but appears to be the group's signature on all sites.

Apparently the group is from Brazil, or Brazilian in nationality.  Based on one of his defacements in which he writes "Perfect.BR again - No war for oil!! brazil rlz!! - perfectbr@mail.com"

Also appears that they post their members' nicknames on a few pages... RE: http://safemode.org/mirror/2002/01/03/www.alphaobjects.ch/

Another note, it does not appear to be a gentoo specific crack.  Since the user tried to find httpd.conf, but gentoo has been using apache.conf since 1.1 (or earlier i believe).  So for that reason, i believe it was a standard attack... not targeted specifically at gentoo.

In any case, sorry to hear about the hack... hope you can get everything back up quickly...

----------

## Slynix

http://www.dominasecurity.com/hackerz/perfectbr.htm

----------

## puddpunk

Basically, when you're running a server, the best thing to do is find versions that you need and stick to them. If you need the extra functionality that an updated version gives, or there is a security patch, then by all means, upgrade, but blindly upgrading things, especially on a closed environment like a server could spell trouble.

----------

## xedx

Have any idea which kind of exploit they used to root the box?

----------

## gilesc

emerge -u world every few days will not update your system.

This however, will:

```
#!/bin/bash
emerge sync
emerge -u world
```

Are you sure you were updating your system?

Do ensure you do a full re-build, the attacker will have installed a backdoor onto your system, and although you killed the PID any command such as 'ls' could be trojaned to restart it.
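Since a trojaned `ls` is exactly what a file-integrity baseline catches, here is an added example of the idea (not from the thread, and not Tripwire's own code): hash every binary under the system bin directories once after a clean install, keep that manifest on read-only media or another host, and diff against it later. `demo()` runs the comparison in a temporary directory with a constructed trojaned `ls` and a dropped `logs` listener standing in for the one found on port 44999.

```python
"""Minimal file-integrity baseline: hash binaries once, diff against them later."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(dirs):
    """Map every regular file under dirs to (sha256, mode, size).

    Mode is recorded so a binary that gained the setuid bit is flagged even if
    its contents did not change; symlinks are skipped (their targets are hashed).
    """
    manifest = {}
    for top in dirs:
        for root, _, names in os.walk(top):
            for name in names:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                st = os.stat(path)
                manifest[path] = (sha256_of(path), st.st_mode, st.st_size)
    return manifest


def compare(old, new):
    """Report paths that changed, appeared, or vanished between two baselines."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
    }


def demo():
    """Constructed scenario: a trojaned ls that relaunches a dropped listener.

    Runs in a temporary directory and returns the comparison with paths
    relative to the fake bin directory.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        ls_path = os.path.join(bindir, "ls")
        with open(ls_path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/true \"$@\"\n")
        os.chmod(ls_path, 0o755)
        before = baseline([bindir])       # taken right after a clean install

        # Intruder drops a listener and makes ls restart it on every invocation.
        with open(os.path.join(bindir, "logs"), "wb") as fh:
            fh.write(b"constructed placeholder for the 'logs' listener\n")
        with open(ls_path, "wb") as fh:
            fh.write(b"#!/bin/sh\n/bin/logs >/dev/null 2>&1 &\nexec /bin/true \"$@\"\n")
        after = baseline([bindir])

        diff = compare(before, after)
        return {k: [os.path.relpath(p, bindir) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    # Real use: baseline(["/bin", "/sbin", "/usr/bin", "/usr/sbin"]) after a
    # clean install, store it off-box, and compare after booting from trusted media.
    print(demo())
```

The check is only as trustworthy as the host running it: an intruder with root can patch the checker or the stored manifest, which is why the manifest belongs off the box and the comparison is best run from trusted media.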

----------

## paul138

*Slynix wrote:*

> http://www.dominasecurity.com/hackerz/perfectbr.htm

Those d00ds are lam3. lol, looks like beginners.

PS: chmod Good work recovering the bash history. Too bad logs under /var could not be recovered. It's funny (sorry) to see that he kept typing w to see who was logged on.

----------

## uzik

*chmod wrote:*

> I am running a Gentoo 1.4 box on a dual Xeon 2.4Ghz Intel board. I installed 1.4RC2 on it and have kept it updated by emerging "-u world" every few days.

Don't do that! It puts a lot of needless load on the servers.

Trading new bugs you haven't identified for bugs you already know seems rather counter productive to me.

*chmod wrote:*

> Tonight I went to a site of mine, to find the index page had been moved with a new one in its place. Also the intruder kindly removed the /var/log directory, and my last year or so of logs.
>
> Where do I start even looking to find out who did this? Is there a likely hole in gentoo because of this? I'm no security buff, but I have kept openssh updated, and have no other users of this machine.
> ...

A. Look for time and date stamps that are inappropriate. This is probably impossible for you since you update everything every week anyway.

B. Reformat and restore from the last good backup

C. Remove **everything** that isn't absolutely necessary.

D. Review your firewall script.

E. Mail the logs to yourself on another box nightly. If they don't show up you'll know it fairly quickly.

F. The Gentoo servers are vulnerable to hackers too. Emerge with care, you don't know what you're downloading.

G. Consider putting vulnerable services (such as dns bind) on a separate server with write protected media. They can hack it but if they can't write to the disk it won't matter.

----------

## paul138

I'm pretty sure we covered all of this already   :Wink: 

----------

## idl

*Koon wrote:*

> As a conclusion, we sure hope there is no unknown vuln in the wild in a common package, but we cannot help you without an intimate knowledge of everything that was done and installed on your machine, the physical context around it, etc...

There are actually quite a lot of them... crackers don't disclose their exploits, many don't even tell their friends.

As for your logs, well that's a no-brainer with any type of illegal activity, cover your tracks.

FTP is a protocol... don't call it vulnerable, that depends on the ftpd. There are plenty of secure daemons out there. 

The sad truth is - If a cracker wasn't root on your box then they will get it. Sure you can make it damn hard for them.. but no box is impregnable.

My advice to you is do your homework, there is a lot you can do to prevent attacks. You may also want to think about setting up a log server.

----------

## gigel

*paul138 wrote:*

> I'm pretty sure we covered all of this already

yep,you're right..

though i must say this also

netstat -ltun is your friend....

also nmap and nessus  :Wink: 

----------

## chrisis

*paul138 wrote:*

> Do not install X windows on a server. This has proved fatal many times (especially where web servers are concerned, it is possible to start an xterm on a remote system with the right piece of buggy code and netcat).

How do you do this?  I recently installed a box in what I planned to be a server-config, included USE="-X" in my make.conf, but emerge system still installed X.

What have I done wrong?

*Quote:*

> If possible, remove gcc altogether. Keep a mirror of the system at your office and build the updates as packages at the office then scp them (or take them on a CDR) to the remote machine. Use emerge -k [package] to install it, no gcc needed.

Is there a way to do this but still be able to install new packages on the server?  For me this is my big dilemma with gentoo.  Installing requires a compiler, but a compiler on a server is a security risk!  Any suggestions for overcoming this paradox?

----------

## devon

*chrisis wrote:*

> *paul138 wrote:* Do not install X windows on a server. This has proved fatal many times (especially where web servers are concerned, it is possible to start an xterm on a remote system with the right piece of buggy code and netcat).
>
> How do you do this? I recently installed a box in what I planned to be a server-config, included USE="-X" in my make.conf, but emerge system still installed X.

When installing programs, use the -pv options for pretend/verbose output. Remove USE flags to get rid of X dependencies as needed. 

Another option is to make USE="-*" in /etc/make.conf and use the -pv options to add USE flags as needed.

----------

## Blahbbs

I know this has probably been beaten to death, but while 'emerge -u world' might update your packages, don't you have to restart most services for the changes to take effect? 

Say I'm running Apache 1.3.22 (maybe this is a bad example), and I keep running 'emerge -u world' everyday.  Now portage says I've got 1.3.28 on my machine.  But... isn't the running version of Apache still 1.3.22 until I shut it down and restart it?

----------

## Zombie[BRAAAINS]

Sure is.

----------

## Koon

Yep.

And when upgrading OpenSSL don't forget to restart any OpenSSL-using service, like Apache/SSL...

-K
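A way to find which daemons are still running pre-upgrade code, covering both the binary and shared libraries such as OpenSSL, as an added example that is not from the thread: Linux reports unlinked files in `/proc/<pid>/exe` and `/proc/<pid>/maps` with a ` (deleted)` suffix, so anything listed there has not picked up the upgrade and needs a restart. The `/proc` tree built by `demo_on_fake_proc()` is constructed, and the library name and paths in it are placeholders.

```python
"""Find daemons that kept running after the files they execute from were replaced."""
import os
import tempfile

DELETED_SUFFIX = " (deleted)"


def _deleted_mappings(maps_path):
    """Yield file paths in a /proc/<pid>/maps file whose backing file is unlinked."""
    with open(maps_path) as fh:
        for line in fh:
            # address perms offset dev inode [pathname]; pathname may contain spaces
            fields = line.rstrip("\n").split(maxsplit=5)
            if len(fields) < 6:
                continue                 # anonymous mapping, no file behind it
            path = fields[5]
            if (path.startswith("/") and not path.startswith(("/dev/", "/memfd:"))
                    and path.endswith(DELETED_SUFFIX)):
                yield path[: -len(DELETED_SUFFIX)]


def stale_processes(proc_root="/proc"):
    """Return {pid: sorted paths} for processes still running unlinked code.

    Checks both the executable (/proc/<pid>/exe) and every mapped file, so a
    daemon that still has the pre-upgrade OpenSSL mapped shows up as well.
    Run as root: other users' exe links and maps are not readable.
    """
    stale = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # /proc/self, /proc/sys, ... are not PIDs
            continue
        pid_dir = os.path.join(proc_root, entry)
        found = set()
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            if exe.endswith(DELETED_SUFFIX):
                found.add(exe[: -len(DELETED_SUFFIX)])
            found.update(_deleted_mappings(os.path.join(pid_dir, "maps")))
        except OSError:                  # kernel thread (no exe) or no permission
            continue
        if found:
            stale[int(entry)] = sorted(found)
    return stale


def demo_on_fake_proc():
    """Run the check against a constructed /proc look-alike in a temp directory.

    Scenario modelled on the thread: Apache and OpenSSL were upgraded on disk,
    Apache was never restarted, sshd was restarted but still maps the old
    libssl, and cron is untouched. Library names and paths are placeholders.
    """
    def add_process(root, pid, exe, maps_lines):
        pid_dir = os.path.join(root, str(pid))
        os.mkdir(pid_dir)
        os.symlink(exe, os.path.join(pid_dir, "exe"))
        with open(os.path.join(pid_dir, "maps"), "w") as fh:
            fh.write("".join(maps_lines))

    old_ssl = "/usr/lib/libssl.so.0.9.7" + DELETED_SUFFIX
    with tempfile.TemporaryDirectory() as fake_proc:
        add_process(fake_proc, 4211, "/usr/local/apache/bin/httpd" + DELETED_SUFFIX, [
            "08048000-080f0000 r-xp 00000000 03:01 12345      /usr/local/apache/bin/httpd (deleted)\n",
            "40000000-40020000 r-xp 00000000 03:01 2222       " + old_ssl + "\n",
            "40020000-40030000 rw-p 00000000 00:00 0\n",
        ])
        add_process(fake_proc, 612, "/usr/sbin/sshd", [
            "08048000-08070000 r-xp 00000000 03:01 3333       /usr/sbin/sshd\n",
            "40000000-40020000 r-xp 00000000 03:01 2222       " + old_ssl + "\n",
        ])
        add_process(fake_proc, 700, "/usr/sbin/cron", [
            "08048000-08050000 r-xp 00000000 03:01 4444       /usr/sbin/cron\n",
            "40000000-40100000 r-xp 00000000 03:01 5555       /lib/libc.so.6\n",
        ])
        os.mkdir(os.path.join(fake_proc, "sys"))    # non-PID entry, ignored
        os.mkdir(os.path.join(fake_proc, "99"))     # kernel thread: no exe link
        return stale_processes(fake_proc)


if __name__ == "__main__":
    for pid, paths in sorted(stale_processes().items()):
        print(f"pid {pid} still runs replaced file(s): {', '.join(paths)}")
```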

----------

## kromo

If the hacker had been smart wouldn't he have unset HISTFILE at first?

Once an administrator mentioned his server wouldn't remember commands after logout, which seemed suspicious, and to prove this right, shortly thereafter he recognized a massive increase in bandwidth...

----------

## jcmorris

*chmod wrote:*

> I installed 1.4RC2 on it and have kept it updated by emerging "-u world" every few days.

You did remember to emerge sync before doing emerge -u world, right?

----------

## ixion

I'm sorry for digging up this somewhat old topic, but I feel I have something necessary to add...

I think most likely it was a PHP vulnerability. I almost got nailed by one on my Web Server. Snort reported major PHP hits. I started googling for PHP security tips (mostly in configuration) and got a multitude of tips on securing that beast (for example, compile it manually with safemode enabled, set up the php.ini to only run in safe_mode, set a safe_mode_exec parameter, etc.). Also custom compiling Apache to not broadcast what it is helped a lot. 90% of attacks on my webserver are now IIS directed attacks because the lazy script kiddies can't figure out I'm using Apache, ROFL. A highly strict IPTABLES script is a must, along with DoS protection and so on in it. Snort inline is nice, too although I have yet to add that to my list of security measures. Long passwords are a must. Oh, and chrooting is really a good idea. Even though it takes a long time to setup, when done properly, it is far worth the time and effort. It took me over 2 months to finally get my web server public.

These forums should have everything you need to accomplish all the above recommendations. If you can't find it here, you will find it on google. It just takes patience. You will be rewarded in the end.  :Wink: 

----------

## soulwarrior

You could do some forensic research with sleuthkit.

Even if the attacker deleted your logs, you could be able to recover some of your files with this tool.

----------

## den_RDC

and for ultimate log security, send any critical loginfo to a good old dot matrix printer.... it's 100% hackproof, there's no way to delete those afterwards unless someone physically breaks in.

i don't do it, but i know someone who does (i am not paranoid enough)

----------

## NiXZe

/me goes out to the storage room, picks up the old printer, recompiles the kernel with parport support and changes the configs... now i just will have to buy some paper  :Wink: 

----------

## Satyrinox

It happened the other day, i was finally getting somewhere with my problems, got online, started emerge sync, around an hour and a half later, i couldn't su, then i checked my /home directory, it had been removed, tried to check my logs, removed, so i was forced to reinstall, my system was breached, my files deleted...

so i reinstalled last night and as soon as i could i emerged fwbuilder and made a nice firewall to keep the peskies out, dunno why im saying this, but i guess for future reference  :Razz:   :Very Happy: 

and i can't wait for the new security deal to come out, so i can recheck everything with hopes of not getting rooted again !! 

lol anyways , peace out

----------

## viperlin

my server strangely died today too, but upon reboot nothing seems different. so i guess it's ok, nothing in logs suggesting what it was.

because of the way everything suddenly stopped leaving 1 or 2 things running it could have been an iptables segfault messing up open and closed ports or something. not sure.

----------

## Treo

Hi,

just out of curiosity...

*Quote:*

> eXtremail 1.5.7 POP, IMAP, SMTP (from source)

how can this be? AFAIK eXtremail is closed-source, binaries only...

I'd love to find it become open-source... but I can't get a hold of the developer (nobody knows him by any chance, eh?)

If you really did compile eXtremail from source... do you still have the source? There are some nasty security problems surfacing lately... and I really like the concept of eXtremail... so I would be interested in fixing them etc...

Treo

----------

