On Sun, 27 Feb 2005, Jonathan Hutchins wrote:
> > Someone may have exploited a CGI weakness to delete all the files without having arbitrary access.
> Write access to the entire disk is about as arbitrary as it gets, it seems to me. Do you have a link to an example of such an exploit? I've never heard of one, and can't imagine how it might work.
> Since the machine's in Tucson, doing something like booting from a Knoppix CD isn't possible, but it's not actually necessary in order to have good confidence in the integrity of the system.
I was just trying to think of an easy way to check the system with "known clean" utilities.
> One of the concepts that doesn't seem to have been caught in this discussion is that you can take a hash of your system files just like a PGP signature, and then verify that hash, either against a stored hash or the hash of a known good copy. That allows you to do a fairly easy system sweep, looking for tampered files. If the hash verifies, you really can be reasonably certain that the file has not been tampered with and does not need to be replaced.
I'd be interested in learning more about this.
> > Check all binaries in cgi-bin.
> How would you do that? Understand that most of the web site is written by the client, so his selection of CGI programs is something I don't fully control. I've scrutinized some of them, but sometimes he puts test scripts on it that I know nothing about. Any good methods for screening them? Mark 1 eyeball of the code is the best I've got, and at a certain level of volume and complexity it becomes less reliable.
Maybe not. Cgi-bin programs should run as the apache user, so it might not be as critical of an issue.
> Again, (and again, and again), this doesn't seem to be a "rootkit". It's just a backdoor, not a kit. I have seen some of the moderately sophisticated ones, and this ain't.
I understand that there doesn't "seem" to be a rootkit. The entire mission of any rootkit is to obliterate the evidence of ingress to a hacked box and also hide its own existence from the owner of the machine, allowing the perpetrator to utilize the installed remote access for whatever purposes he chooses. Obviously, this is the worst case scenario, but I have shown you that such security holes that _could have allowed remote root access_ existed on your box at the time(s) that the disk was wiped and the backdoor was installed. By somebody.
I'm not telling you that your machine has a rootkit installed, or even a backdoor still installed, but it's what you've got to look for. You say the box is clean and you trust the utilities, and maybe it is clean, and all the utilities are fine. I certainly can't disprove this.
I'm just saying what I would do if it were my box. I wouldn't base any decision as to the integrity of the box on the output of the utilities on the box itself.
Regards,
-Don
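The hash-based sweep the thread argues about, as an added example that is not part of the original exchange: it records a SHA-256 baseline of every file under a tree in `sha256sum -c` format (so the list can be stored off the machine and re-checked with tools from trusted media rather than the suspect box's own utilities), then reports which files changed, appeared or vanished on a later sweep. The `cgi-bin/`, `bin/ls` and `etc/passwd` entries in `demo()` are constructed sample data, not files from the machine discussed.

```python
import hashlib
import os
import tempfile
def hash_file(path):
    """SHA-256 hex digest of one file."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map each regular file under root (slash-separated relative path) to its digest; symlinks skipped."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline

def dump_baseline(baseline):
    """Serialise in `sha256sum -c` format so the list can be re-checked with tools from trusted media."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(baseline.items()))

def load_baseline(text):
    """Parse the two-space `sha256sum` format back into a {path: digest} dict."""
    return dict(line.split("  ", 1)[::-1] for line in text.splitlines() if line.strip())

def compare(baseline, current):
    """Return (modified, added, removed) relative paths between a stored baseline and a fresh sweep."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def _put(root, rel, data):  # demo helper: write data to root/rel, creating parent dirs
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then sweep again."""
    root = tempfile.mkdtemp()
    for rel, data in {"cgi-bin/form.cgi": b"#!/bin/sh\necho ok\n", "bin/ls": b"real ls\n",
                      "etc/passwd": b"root:x:0:0\n"}.items():
        _put(root, rel, data)
    stored = dump_baseline(build_baseline(root))  # this copy belongs off the box
    _put(root, "bin/ls", b"trojaned ls\n")          # binary replaced
    _put(root, "cgi-bin/test.cgi", b"untracked\n")  # unknown script appeared
    os.remove(os.path.join(root, "etc/passwd"))     # file deleted
    return compare(load_baseline(stored), build_baseline(root))
```

A matching hash proves only that the file equals the recorded copy; a baseline taken after the break-in, or compared using the box's own possibly replaced binaries, proves nothing.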