[nycbug-talk] Searching for suspect PHP files...

Marc Spitzer mspitzer at gmail.com
Wed Mar 11 23:48:21 EDT 2009


On Wed, Mar 11, 2009 at 7:41 PM, Matt Juszczak <matt at atopia.net> wrote:
>> Well if it really is keeping you up at night you can do the following:
>> 1: reinstall the box from cds, feel free to make your own if you want
>
> I'm still a bit confused.  Most root kits overwrite your system binaries
> correct?  So what would the negatives be to installing a 6.3-RELEASE system
> somewhere, somehow either checksumming or building an mtree of the files in
> /sbin, /usr/sbin, /bin, /sbin, etc. and comparing to the existing system
> (ignoring modification time of course).  Shouldn't my FreeBSD 6.3-RELEASE
> system be identical in system binaries to any other 6.3-RELEASE system other
> than mtime?

it should be fine as long as you never patched anything, and that has
its own issues.  The real issue is not if you got rooted but how did
you get rooted, if you did.  Also I can own you out of /usr/local; php
and friends are not in the base system.  And it is also doable to root
you with a Kernel Loadable Module, which in kernel space you can use to
play all sorts of games to hide from the system.  Or I get one of your
php files to spawn off nc and give me a shell on the system.  Another
nice one is to add a key to authorized_keys.

The thing is, most of your exposure is your php website; how are you
managing that?  Much of the php code out there was not written by
experts from MIT but by people who code in ee (think notepad, but
worse) and have never had any formal training in CS/programming.  Are
you using any of their code?  And I do not mean you, but the modules
you may pull in from ports or the internet.

Now if you read the rest of my note:
<quote>
This does not mean you do not take reasonable precautions to minimize
your risk, i.e. mtree, dir tree in temp, running apache/web in a zone, and
the list goes on.  But before you start down the security rabbit hole,
set up a budget: X dollars or Y hours for setup/training and Z hours
for monitoring daily/weekly.  Then do as much security as you can
afford.
</quote>

I specifically said mtree was a reasonable thing to do, so please go do
that.  My main point was that it costs a lot to be "really" secure, and
are you sure you want to pay it?  And even if you want to, is that the
best place to spend the money?

night,

marc
-- 
Freedom is nothing but a chance to be better.
Albert Camus
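The comparison Matt proposes (hash the binaries of a known-clean install, then diff a suspect system against it while ignoring mtime) is what FreeBSD's mtree(8) does natively: create a spec with -c from the clean tree, verify the suspect tree against that spec, and leave the time keyword out so touched timestamps do not matter. The following is an added Python example, not from the thread and not mtree itself, that implements the same spec/verify logic on two constructed directory trees: a "clean" tree and a "suspect" copy in which one binary has been replaced at the same size with its mtime copied back from the original, one file has been removed, and a root/.ssh/authorized_keys file has appeared. All paths and file contents are made up for the demo.

```python
"""Build an mtree-style spec of a directory tree and verify another tree
against it.  mtime is deliberately left out of the spec: an attacker can
restore it with touch -r, so only mode, size, type and a SHA-256 digest
are compared.  Constructed demo, not FreeBSD's mtree(8)."""
import hashlib
import os
import stat
import tempfile


def build_spec(root):
    """Return {relpath: (type, mode, size, digest_or_target)} for every
    entry below root.  Directories and symlinks are recorded too, so a
    new dotdir such as root/.ssh shows up as an extra entry."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                spec[rel] = ("link", mode, 0, os.readlink(full))
            elif stat.S_ISDIR(st.st_mode):
                spec[rel] = ("dir", mode, 0, "")
            else:
                h = hashlib.sha256()
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                spec[rel] = ("file", mode, st.st_size, h.hexdigest())
    return spec


def verify(spec, root):
    """Compare the tree under root with a spec from a clean system.
    Returns sorted lists (missing, extra, changed) of relative paths."""
    actual = build_spec(root)
    missing = sorted(set(spec) - set(actual))
    extra = sorted(set(actual) - set(spec))
    changed = sorted(p for p in set(spec) & set(actual)
                     if spec[p] != actual[p])
    return missing, extra, changed


def demo():
    """Constructed scenario: clean tree vs. a suspect copy with a trojaned
    bin/ps (same size, mtime restored), sbin/init removed and an
    authorized_keys file planted under root/.ssh."""
    files = {  # fake 'binaries'; contents are placeholders, not ELF
        "bin/ls": b"ELF ls binary",
        "bin/ps": b"ELF ps binary",
        "sbin/init": b"ELF init bin",
    }
    with tempfile.TemporaryDirectory() as clean, \
            tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
                os.chmod(path, 0o755)

        # Replace ps with same-length contents and copy the clean mtime
        # back, the way a rootkit installer would hide the swap from ls -l.
        clean_ps = os.path.join(clean, "bin/ps")
        bad_ps = os.path.join(suspect, "bin/ps")
        with open(bad_ps, "wb") as f:
            f.write(b"ELF PS binary")
        st = os.stat(clean_ps)
        os.utime(bad_ps, ns=(st.st_atime_ns, st.st_mtime_ns))

        os.remove(os.path.join(suspect, "sbin/init"))

        ssh_dir = os.path.join(suspect, "root/.ssh")
        os.makedirs(ssh_dir)
        with open(os.path.join(ssh_dir, "authorized_keys"), "wb") as f:
            f.write(b"ssh-rsa AAAA... attacker@example\n")  # constructed

        return verify(build_spec(clean), suspect)


if __name__ == "__main__":
    missing, extra, changed = demo()
    print("missing:", missing)
    print("extra:  ", extra)
    print("changed:", changed)
```

The digest catches the replaced ps even though its size and mtime match the clean copy, which is the point of ignoring mtime rather than relying on it. The same caveats Marc raises apply to the real thing: a spec built from the base system says nothing about /usr/local, and a kernel module that lies to userland can make any userland checker, this one or mtree, read a clean file where a trojaned one sits, so the spec should be built and the comparison run from a trusted boot (the CD) rather than from the suspect system itself.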



More information about the talk mailing list