Server hacked?
Joris Dobbelsteen
Joris at familiedobbelsteen.nl
Wed Jan 2 13:42:21 UTC 2008
>-----Original Message-----
>From: ubuntu-users-bounces at lists.ubuntu.com
>[mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of Res
>Sent: Wednesday, 2 January 2008 2:43
>To: Ubuntu user technical support,not for general discussions
>Subject: RE: Server hacked?
>
>
>On Wed, 2 Jan 2008, Joris Dobbelsteen wrote:
>
>> contained to a very limited set of my system. The processes are of the
>> user www-data. So it seems a web site has been hacked instead. (Count
>
>Your more important priority is to locate how they got in,
>else fixing the system is pointless.
>
>Do you run php, if so what type of programs? Gallery? phpnuke?

The exploit was found. System runs PHP with Joomla.
It seems there is an exploit here.

>> At least there are some lessons in this:
>> * Use one-user-per-website only (easier auditing).
>
>Good idea...
>
>Dirs should be 710 for htdocs root
> eg: chmod 710 /var/www/vhosts
> chmod 710 /var/www/vhosts/example.com
> chmod 710 /var/www/vhosts/example.net
>
>Ensure the users who own those domains are the only ones with
>access, except group must be web server.
> eg: chown -R jack.apache /var/www/vhosts/example.com
> chown -R jill.apache /var/www/vhosts/example.net
>
>
>Use suexec in every virtualhost block in Apache
> eg: SuexecUserGroup jack apache

I'm still failing to see how this provides security and what the
implications are. I'm also a bit puzzled how suexec affects file
accesses (those without scripts). I did use CGI and not the webserver
loadable PHP library but didn't get suexec to work to my liking.

>and lock down php... eg:
> open_basedir =/var/www:/tmp:/usr/local/lib/php
>
>disable_functions = exec, shell_exec, system, virtual,
>show_source, readfile, passthru, escapeshellcmd, popen, pclose, phpinfo

Doesn't this break a lot of applications? From what I know, at least
Gallery2 does execute shell commands...

Sincerely,
- Joris
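
An added example, not part of the original message or any poster's own code: a small POSIX shell audit of the directory layout suggested in the thread (mode 710 on each vhost directory, group set to the web server's group, one owning user per site). It assumes GNU `stat` as shipped on Ubuntu; the function name `audit_vhosts`, the finding labels and the default group `www-data` are illustrative choices.

```sh
#!/bin/sh
# Added example: audit vhost directories against the layout from the thread.
# Assumes GNU stat (stat -c). Names and finding labels are illustrative.

# audit_vhosts ROOT WEB_GROUP
# Prints one finding per line as "<kind> <path> <detail>".
# Returns 0 when every directory under ROOT passes, 1 otherwise.
audit_vhosts() {
    root=$1
    web_group=$2
    seen=" "   # space-delimited list of owners already encountered
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue   # also covers an unexpanded glob
        dir=${dir%/}
        mode=$(stat -c %a "$dir")
        owner=$(stat -c %U "$dir")
        group=$(stat -c %G "$dir")

        # 710: owner has full access, the web server group may only
        # traverse (no directory listing), everyone else gets nothing.
        if [ "$mode" != 710 ]; then
            echo "bad-mode $dir $mode"
            rc=1
        fi
        # The group must be the web server's, so it can reach the files.
        if [ "$group" != "$web_group" ]; then
            echo "bad-group $dir $group"
            rc=1
        fi
        # One user per website: a repeated owner means two sites share
        # an account, so a compromise of one can write to the other.
        case $seen in
            *" $owner "*) echo "shared-owner $dir $owner"; rc=1 ;;
            *) seen="$seen$owner " ;;
        esac
    done
    return $rc
}

# Run only when a root directory is given, e.g.:
#   sh audit.sh /var/www/vhosts www-data
if [ $# -ge 1 ]; then
    audit_vhosts "$1" "${2:-www-data}"
fi
```

The check covers only the top-level directory of each site; files inside a site that are owned by the web server account itself would need a separate `find` pass.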