Solved

ssl_mod exploit

Posted on 2006-04-28
Last Modified: 2010-08-05
Hi,

Recently we got the following notice from GoDaddy regarding our virtual server (Red Hat):

"Our Security Operations Center has been alerted to an issue on your 'DomainName' Virtual Dedicated Server. The server has been compromised through a vulnerability in mod_ssl, which is called through Apache's mod_proxy module. Once the server was exploited it began attacking hosts outside our network."

"We have disabled the mod_proxy module on this virtual server. Please upgrade to the latest version of mod_ssl before re-enabling the mod_proxy modules."

Since then, we are having problems authoring our websites with Frontpage.

What does this mean?  Are we foobar?  Can we fix this?

Mark
Question by:msibley
14 Comments
 
LVL 43

Expert Comment

by:ravenpl
ID: 16567673
What version of mod_ssl do you use (http://www.modssl.org)?
Upgrade to the newest (along with Apache and dependencies like PHP), and reinstall your web page (since the installed one is probably abused).
 
LVL 16

Expert Comment

by:xDamox
ID: 16568750
Hi,

What's your distribution? Also, if your machine was compromised I would strongly
recommend reinstalling your distribution, as there is probably a rootkit knocking about.
 

Author Comment

by:msibley
ID: 16569662
Please help a linux novice here.

How do I determine the version of mod_ssl?

When you say "distribution" are you referring to Red Hat?

How do I upgrade these packages?

So, you think a hacker gained access to the server beyond exploiting mod_ssl?  How can I ascertain if a rootkit is present?

Mark

 
LVL 16

Accepted Solution

by:
xDamox earned 375 total points
ID: 16569685
Hi,

Right, to determine your version of mod_ssl issue the following command:

rpm -q mod_ssl

you should get something back like:

mod_ssl-2.2.0-5.1.2

To upgrade this package type:

up2date -u mod_ssl

this will update mod_ssl for you.
 

Author Comment

by:msibley
ID: 16573272
I get mod_ssl-2.0.51-2.9.1.swsoft

Can I update the swsoft version with up2date?
 
LVL 16

Expert Comment

by:xDamox
ID: 16573466
Hi,

Yeah, just try:

up2date -u mod_ssl
 

Author Comment

by:msibley
ID: 16573564
When I enter that command, I get the following response:

bash: up2date: command not found
 
LVL 16

Expert Comment

by:xDamox
ID: 16573717
What version of Red Hat are you using?
 

Author Comment

by:msibley
ID: 16573808
Linux 2.4.20-021stab028.3.777-enterprise

with Plesk psa v7.5.4_build75051014.16 os_FedoraCore 2
 
LVL 16

Expert Comment

by:xDamox
ID: 16573899
Ahhh, you're running Fedora Core 2 :) type this as root:

yum update

That will update all your packages to the latest builds which will resolve all security issues :)
 

Author Comment

by:msibley
ID: 16573936
guess what?

bash: yum: command not found
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16575386
> How can I ascertain if a rootkit is present?
> That will update .. which will resolve all security issues :)

If your server was compromised and you cannot assure that there is no rootkit, then install your server from scratch.
After installing from scratch, copy your data from a backup medium where you're sure that it is not compromised; don't copy anything from your current system.
Anything else is insecure.
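The question of how to tell whether the installed packages have been tampered with comes up above, and the usual first triage step on an RPM system is to check every installed file against the package database with `rpm -Va`. The script below is an added example, not something posted by anyone in this thread: it takes `rpm -Va` style verification lines on standard input and prints the paths whose digest no longer matches the package (the `5` flag), skipping config files (attribute `c`), which are expected to differ. The sample lines are constructed for illustration, and the file names in them are assumptions, not findings from the poster's server. As the comment above says, a clean result is not proof of anything: an attacker with root can alter the RPM database as easily as the binaries, so this only ever finds evidence, never its absence.

```shell
#!/bin/sh
# Triage helper for rpm -Va output (added example; assumes the classic
# rpm verify format: a flags column such as "S.5....T.", an optional
# attribute marker such as "c" for config files, then the path).
#
#   rpm -Va | flag_modified_binaries
#
# Prints every non-config path whose file digest ("5") differs from the
# value recorded in the RPM database. Lines reading "missing" are skipped:
# a missing file is worth noting but is not a modified one.

flag_modified_binaries() {
    awk '
        $1 == "missing" { next }
        {
            flags = $1
            # Three fields: flags, attribute marker (c, d, g, l, r), path.
            # Two fields: flags and path, no attribute marker.
            if (NF >= 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
            # "5" set means the digest changed. Config files (attr "c") are
            # expected to change after local editing, so they are filtered out.
            if (index(flags, "5") > 0 && attr != "c") print path
        }'
}

# Constructed sample of rpm -Va output for demonstration; not real output
# from the server discussed in this thread.
SAMPLE_RPM_VA='S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /usr/sbin/httpd
.......T.    /usr/share/doc/mod_ssl-2.0.51/README
missing     /usr/share/man/man8/httpd.8.gz
S.5....T.    /bin/ls
.M.......    /var/log/httpd'

# Expected: only /usr/sbin/httpd and /bin/ls are reported. The httpd.conf
# change is a config edit, the README only changed mtime, and the man page
# is missing rather than altered.
printf '%s\n' "$SAMPLE_RPM_VA" | flag_modified_binaries
```

Run it on a live system as `rpm -Va | flag_modified_binaries` and treat any hit on a system binary (anything under /bin, /sbin, /usr/bin, /usr/sbin or /lib) as a reason to stop investigating on the box and rebuild from clean media, which is exactly the advice given in the comment above. Because the check trusts the RPM database, it complements rather than replaces an offline comparison against known-good package files.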
 
LVL 17

Expert Comment

by:Dushan De Silva
ID: 16576991
Try to use a real IP rather than a virtual IP.

BR Dushan
 

Author Comment

by:msibley
ID: 16585789
So, how do I install yum?

Mark
Question has a verified solution.