Posted by pittendrigh on 01/12/07 16:32
I recently (this morning) had a university server hacked. This was a root compromise. The box is now disconnected.

This Suse 10.1 Linux box runs apache2, php5 and tomcat_4_something. We haven't had time to examine the logs to try and figure out how this happened. We will.

This box is behind a firewall that allows email, ssh, port 80 for apache and port 8080 for tomcat only. It seems most likely (just guessing at this point) that they must have used a buffer overflow, related to interactive forms, that run from both php5/apache and tomcat.

So here's my question: if this does turn out to be a buffer overflow, how do you avoid this?

We look at GET parameters and (some, not that many actually) POST parameters. All of this processing needs to be examined and run through some sort of a "clean" function, to strip out all but alphanumeric input. But what about parameter length and size? How does that work? Should this proposed new 'clean' function, for sterilizing all input, also truncate input to a maximum parameter size? Or better yet, reject over some threshold size. How big? Seems like something that could/should be controlled in a config file.

Any informative help would be greatly appreciated.
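The following is an added example, not code from the original post or the poster's site: a PHP 5-compatible version of the "clean" function the post asks about, with the per-parameter maximum size and allowed-character pattern kept in a config array. The parameter names, limits and regular expressions are assumptions chosen for illustration. Two design points it demonstrates: an anchored allow-list is checked rather than stripping characters out, and an over-size or malformed value is rejected rather than truncated, because a silently shortened value still reaches the application with a meaning the user never sent. Note that PHP strings are variable-length, so a length cap in PHP code does not protect the PHP interpreter itself; it bounds what the value can do to whatever it is handed to next (a C extension, an exec'd program, a database column, a fixed-size field in a native library).

```php
<?php
// Added example, not from the original post. PHP 5.x compatible.
// Hypothetical per-parameter rules: maximum size in bytes and an anchored
// allow-list regex. This is the "config file" the poster wanted.
$PARAM_RULES = array(
    'q'     => array('max' => 64,  'pattern' => '/\A[A-Za-z0-9 ]*\z/'),
    'page'  => array('max' => 4,   'pattern' => '/\A[0-9]+\z/'),
    'email' => array('max' => 254, 'pattern' => '/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\z/'),
);

/**
 * Validate one parameter value against a rule.
 * Returns the value unchanged when acceptable, or null when it must be
 * rejected. Nothing is stripped or truncated.
 */
function validate_param($value, array $rule)
{
    // PHP turns "name[]=x" into an array; anything that is not a plain
    // string is refused before any length or pattern check runs.
    if (!is_string($value)) {
        return null;
    }
    // strlen() counts bytes, which is the unit that matters for any
    // fixed-size buffer the value may reach downstream.
    if (strlen($value) > $rule['max']) {
        return null;
    }
    // \A and \z anchor the whole string; a bare $ would let a trailing
    // newline through.
    if (preg_match($rule['pattern'], $value) !== 1) {
        return null;
    }
    return $value;
}

/**
 * Validate a whole request array (e.g. $_GET or $_POST).
 * Returns array('ok' => accepted name => value pairs,
 *               'rejected' => names of parameters that failed).
 * Parameters not listed in the rules are rejected outright: a form only
 * needs the fields it declared.
 */
function validate_request(array $params, array $rules)
{
    $ok = array();
    $rejected = array();
    foreach ($params as $name => $value) {
        if (!isset($rules[$name])) {
            $rejected[] = $name;
            continue;
        }
        $clean = validate_param($value, $rules[$name]);
        if ($clean === null) {
            $rejected[] = $name;
        } else {
            $ok[$name] = $clean;
        }
    }
    return array('ok' => $ok, 'rejected' => $rejected);
}

// Constructed sample input standing in for $_GET. Each entry is built to
// exercise one rule: an acceptable value, an over-size value, a value with a
// trailing newline, an array-valued parameter, and an undeclared parameter.
$sample = array(
    'q'     => 'fly fishing',
    'page'  => '12345',          // 5 bytes, rule allows 4
    'email' => "a@b.example\n",  // newline is outside the allow-list
    'tags'  => array('x'),       // not a string
    'extra' => 'unexpected',     // no rule declared for it
);

$result = validate_request($sample, $PARAM_RULES);
if (count($result['rejected']) > 0) {
    // In a real handler: answer with 400 Bad Request and stop here.
    // Never fall through to the application with a partial parameter set.
    echo "rejected: " . implode(', ', $result['rejected']) . "\n";
} else {
    echo "accepted: " . implode(', ', array_keys($result['ok'])) . "\n";
}
```

The per-parameter check belongs in the application because only the application knows that a page number should never exceed four digits. It is worth pairing it with the coarse, server-level ceilings that already exist and that cap a request before any form code runs: Apache's `LimitRequestLine`, `LimitRequestFieldSize` and `LimitRequestBody` directives, PHP's `post_max_size` setting, and the `maxPostSize` attribute on the Tomcat HTTP connector. On the Tomcat side the same per-parameter logic is naturally written as a servlet `Filter` that inspects `HttpServletRequest.getParameterMap()` and returns a 400 before the request reaches the servlet.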