[aclug-L] Re: Problems
> -----Original Message-----
> From: discussion-bounce@xxxxxxxxx
> [mailto:discussion-bounce@xxxxxxxxx] On Behalf Of Jeff Vian
> You should be able to tell what exactly happened and when by the logs
> and by the file timestamps.
I've got a pretty good idea of when, by looking at the web traffic logs.
> There is a known weakness in some of the phpbb code, and postnuke as
> well unless you have the latest code updates installed.
Unfortunately, I'm lagging a bit behind in patching them. Currently the
webserver is offline until I get them patched.
> I don't know of any explicit weaknesses in the latest apache, but
> definitely in php code if not up to date.
>
> Who owned the directories and files that were overwritten? If they
> belonged to apache (or rather the user the web server runs as) then
> anyone able to exploit the code weaknesses can write in those
> directories.
It's mixed. Some directories are owned by the webserver and some aren't.
> And spam is a weakness that should be limited by requiring anyone
> sending mail thru the web interface to be logged in. If yours does not
> then you should consider fixing that.
I think it was more a case of running malicious code as the webserver user
to do the mailings. Since the webserver user sent the mail, all the bounce
messages came back to me since the webserver's email aliases to me. Had they
picked some unknown user, I probably wouldn't have seen them as they would
most likely have been rejected as an unknown user. (I've gotta figure out
how to implement tighter security on my mailer.)
If you notice my message to Steven Saner, I was root kitted. Now I'm
paranoid. :) I thought I had things set fairly secure, but I guess not.
It's always the little things that bite you in the butt. ;)
--Dale
-- This is the discussion@xxxxxxxxx list. To unsubscribe,
visit http://www.complete.org/cgi-bin/listargate-aclug.cgi