Thursday, January 26, 2006

Revisiting past mistakes in webhosting.


I do my own hosting for jonnyro.com, and I'm still working my way through it. It's running Gentoo Linux. It's a fairly powerful distribution, but it requires a fair amount of attention to make sure it stays running well.

As for server setups, I generally use the more mainstream pre-compiled distributions, since I don't usually have the free time to wait for Gentoo to compile. But when Tek Alchemy came out with their Gentoo self-setup special, I had to jump at the chance.

The first revision
I made a few mistakes the first time out.

The first was setting up a webserver without a separate /tmp partition. Over the course of running many PHP scripts it may become necessary to create a temporary file. /tmp is usually where this happens, since Apache will usually be allowed to write there, but under no circumstances should it ever be necessary to execute any file stored in /tmp. This is why you need a separate /tmp partition: so that you can mount it noexec. This will prevent ANY file, ever, from being executed inside that partition.
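As an added example, not from the original post, here is a small POSIX shell check that confirms a mount point actually carries the noexec option by parsing /proc/mounts format; the device names and the fstab line in the comments are assumptions for illustration, and the sample mount table is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a mount point
# (here /tmp) really carries the noexec option, reading /proc/mounts format
# from stdin. The device names below are assumptions for illustration.
#
# The corresponding /etc/fstab entry for a separate /tmp partition would be:
#   /dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  0  2
# and an already-mounted /tmp can be tightened in place with:
#   mount -o remount,noexec,nosuid,nodev /tmp

# Constructed sample in /proc/mounts format: /tmp is a separate partition
# mounted noexec; /var/tmp is not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid 0 0'

# mount_has_opt <mountpoint> <option>   (mount table on stdin)
# Prints "yes" if the mount point is present and carries the option,
# "no" if it is mounted without it, "absent" if no such mount point exists.
mount_has_opt() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            seen = 1
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END {
            if (!seen) print "absent"
            else if (found) print "yes"
            else print "no"
        }'
}

# Convenience wrapper for the live system:  check_live /tmp noexec
check_live() {
    mount_has_opt "$1" "$2" < /proc/mounts
}

# Run stand-alone: report the constructed sample and, if available, the real /tmp.
printf 'sample /tmp noexec: %s\n' "$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_opt /tmp noexec)"
if [ -r /proc/mounts ]; then
    printf 'live /tmp noexec: %s\n' "$(check_live /tmp noexec)"
fi
```

Note that noexec covers direct execution of a dropped file, which is what matters for the case described in this post; it is one layer on top of keeping the web application patched, not a replacement for it.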

The second mistake I made was moving over a pre-existing b2evolution installation that was a few versions behind in the b2evolution release cycle. It had worked fine (or so I thought) on the old webhost, so why bother upgrading, right? Well, within a few days my site had been hit by a worm that exploited a vulnerability in the b2evolution xmlrpc.php file.

This worm, with the combined power of mistakes 1 and 2, managed to download a file called cback to my /tmp partition and execute it. This file created a reverse shell out to some random IP in the middle of nowhere. It was executing at the permission level of apache, which means it could read any PHP source files that might store authentication information for users and, even more likely, the MySQL credentials used by the scripts. This is bad.

Luckily for me, one of my other partners in this webhost setup had installed an ultra-paranoid grsec setup, and it captured the series of events that led to the running of cback. He had first noticed through netstat that there was a shell listening on a port where it should not have been.
