Security Issue
Walton Hoops
walton at vyper.hopto.org
Thu Feb 12 21:08:34 UTC 2009
Automatic updates did run at 7 a.m., but this happened at 10 p.m. Besides,
4 Gigs of updates seems excessive :-P.
I did double check the apache logs, and for good measure did a grep for
POST. Nothing... just Google Bot and some script kiddies' attempt at the
roundcube exploit (I wish they'd figure out I don't run roundcube).
You're right about PHPBB being a security nightmare though, and it's not in
use anymore so I think I'll get rid of it to be safe.
Oh, the output from netstat -tap:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:imaps *:* LISTEN 6925/dovecot
tcp 0 0 *:mysql *:* LISTEN 5814/mysqld
tcp 0 0 *:submission *:* LISTEN 7047/sendmail: MTA:
tcp 0 0 *:www *:* LISTEN 8568/apache2
tcp 0 0 *:sieve *:* LISTEN 6925/dovecot
tcp 0 0 *:ssmtp *:* LISTEN 7047/sendmail: MTA:
tcp 0 0 192.168.1.100:domain *:* LISTEN 5690/named
tcp 0 0 <removed>:domain *:* LISTEN 5690/named
tcp 0 0 *:ssh *:* LISTEN 5715/sshd
tcp 0 0 <removed>:ipp *:* LISTEN 5902/cupsd
tcp 0 0 *:smtp *:* LISTEN 7047/sendmail: MTA:
tcp 0 0 <removed>:953 *:* LISTEN 5690/named
tcp 0 0 <removed>:6010 *:* LISTEN 24435/0
tcp 0 0 *:https *:* LISTEN 8568/apache2
tcp 0 0 <removed>:ssh <removed>:38048 ESTABLISHED 9686/sshd: walton [
tcp 0 0 192.168.1.100:imaps <removed>:32238 ESTABLISHED 22971/imap-login
tcp 0 0 192.168.1.100:imaps <removed>:22279 ESTABLISHED 22288/imap-login
tcp 0 0 <removed>:38048 <removed>:ssh ESTABLISHED 9681/ssh
tcp 0 17013 192.168.1.100:imaps <removed>:31897 ESTABLISHED 23859/imap-login
tcp 0 300 192.168.1.100:ssh <removed>:30936 ESTABLISHED 24427/sshd: walton
tcp6 0 0 [::]:imaps [::]:* LISTEN 6925/dovecot
tcp6 0 0 [::]:domain [::]:* LISTEN 5690/named
tcp6 0 0 [::]:ssh [::]:* LISTEN 5715/sshd
tcp6 0 0 ip6-localhost:953 [::]:* LISTEN 5690/named
tcp6 0 0 ip6-localhost:6010 [::]:* LISTEN 24435/0
Nothing suspicious looking to me.
Walton
-----Original Message-----
From: ubuntu-users-bounces at lists.ubuntu.com
[mailto:ubuntu-users-bounces at lists.ubuntu.com] On Behalf Of Preston Kutzner
Sent: Thursday, February 12, 2009 1:09 PM
To: Ubuntu user technical support, not for general discussions
Subject: Re: Security Issue
On Feb 12, 2009, at 1:23 PM, Walton Hoops wrote:
> I had already checked the SSH logs, and just checked 'em again using
> the grep lines you suggested. The last time anyone sshed in was 3
> days prior, and it was me :-). Su was not used at all.
> The open services on the machine are:
> SSH - which we covered
> IMAPS (Dovecot) - Showed no unusual activity, just the usual spam
> from my filters
> SMTP/SMTPS (Sendmail) - Also showed no unusual activity
> MySQL - Shows only logins from Wordpress and PHPBB
> HTTP/HTTPS (Apache) - Just googlebot (my page doesn't get many
> visitors), and me checking vnstat.
Is your PHPBB installation up to date with the latest version/
patches? PHPBB is notorious for being a vector for security
breaches. It is possible someone hacked your machine through PHPBB.
I would double-check your apache logs for any odd transfers during
that time-frame. Also, do a netstat -tap to double check those are
the only services open on your box.
Outside of that, do you have your system set up to automatically
download / install Ubuntu updates? I know this is a new option in
Intrepid. It is possible that's when your system decided to run its
updates. I don't use it personally, but I believe the logs for it are
stored in /var/log/unattended-upgrades. You can also check
/var/log/apt/term.log* and/or /var/log/aptitude to see if apt did anything
during that time.
--
ubuntu-users mailing list
ubuntu-users at lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
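One way to make the netstat -tap check suggested in the thread repeatable, as an added example that is not from this thread or its authors: the script below rejoins netstat lines that were wrapped (as in the pasted output above) and prints every LISTEN socket whose program name is not in a baseline of services you expect. The sample netstat output and the baseline are constructed for illustration, and "proftpd" is only a placeholder for a listener that was not expected.

```shell
# Added example (not from the thread): audit the LISTEN sockets in
# `netstat -tap` output against the services you expect to be running, so
# that any listener outside that baseline is printed for review.

# Program names as netstat prints them in the PID/Program column (constructed baseline).
EXPECTED_PROGRAMS="sshd dovecot mysqld sendmail apache2 named cupsd"

# Constructed netstat -tap sample: one entry has its PID/Program column
# wrapped onto the following line, and one listener (proftpd) is outside
# the baseline. Addresses are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name
tcp        0      0 *:imaps             *:*                 LISTEN      6925/dovecot
tcp        0      0 *:submission        *:*                 LISTEN
7047/sendmail: MTA:
tcp        0      0 *:www               *:*                 LISTEN      8568/apache2
tcp        0      0 *:ftp               *:*                 LISTEN      9999/proftpd
tcp        0      0 192.168.1.100:imaps 10.0.0.7:32238      ESTABLISHED 22971/imap-login
tcp6       0      0 [::]:ssh            [::]:*              LISTEN      5715/sshd'

# Reads netstat -tap output on stdin; prints "proto local-address pid/program"
# for every LISTEN socket whose program is not listed in EXPECTED_PROGRAMS.
unexpected_listeners() {
    awk -v expected="$EXPECTED_PROGRAMS" '
        BEGIN { cnt = split(expected, e, " "); for (i = 1; i <= cnt; i++) ok[e[i]] = 1 }
        # Examine the buffered entry once it is complete (wrapped lines rejoined).
        function check_entry(   f, prog) {
            if (buf == "") return
            split(buf, f, " ")               # proto recvq sendq local foreign state pid/prog
            if (f[6] == "LISTEN") {
                prog = f[7]
                sub(/^[0-9]+\//, "", prog)   # drop the PID, keep the program name
                sub(/:.*/, "", prog)         # "sendmail:" (from "sendmail: MTA:") -> "sendmail"
                if (!(prog in ok)) print f[1], f[4], f[7]
            }
            buf = ""
        }
        /^(Active|Proto)/ { check_entry(); next }              # header lines
        /^(tcp|udp)/      { check_entry(); buf = $0; next }    # start of an entry
        buf != ""         { buf = buf " " $0; next }           # wrapped continuation
        END               { check_entry() }
    '
}

# Real use: netstat -tap | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

Anything printed is simply outside your baseline and deserves a look at the owning process, not automatically a sign of compromise.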