Koozali.org: home of the SME Server

server hacked

alex

server hacked
« on: October 30, 2001, 07:44:49 PM »
Hi,

my e-smith server was online for only two months, behind a BSD firewall,
and got hacked by someone who installed a php-shell (nice) :-(((

are there any known security holes in the apache (i installed the latest RPMs) or in the mysql database?

thx

Rich Lafferty

Re: server hacked
« Reply #1 on: October 30, 2001, 08:15:41 PM »
Alex,

I'll contact you shortly by email in order to suggest steps
to follow in order to determine how your system was compromised.

In future, though, please report incidents such as potential compromises directly to us at

  security@e-smith.com

to ensure that we are able to properly attend to the problem,
and to avoid exposing other SME Server users to unnecessary
risk.

Thanks,

Rich Lafferty
Network Server Solutions Group
Mitel Networks

Confucius

Re: server hacked
« Reply #2 on: October 31, 2001, 05:57:14 PM »
Rich,

I agree that people should report this, but I'd like to be aware of these things too, just like a lot of other people around this (messy) globe.

I'm happy you are willing to help out right away, but isn't it good to let people be aware of these incidents?

To me it seemed as if you didn't want this message to be posted here, and that's what I'd like to prevent. E-Smith started as an open structure, and by such a response I get this weird feeling that this will end soon. (I hope not)

If you don't disagree, I'd like to rephrase it to something like this:

Place your findings in here and also send an e-mail right away.

Grtx,

Harro

Dan Brown

Re: server hacked
« Reply #3 on: October 31, 2001, 06:22:44 PM »
The point of this request is, in the event there is a vulnerability in the e-smith/SME system, to avoid publicizing it before they have developed a fix for it. This is nothing new; Charlie, Gordon, and the rest of the e-smith team have been requesting this for quite some time.

Confucius

Re: server hacked
« Reply #4 on: October 31, 2001, 06:37:54 PM »
Hi Dan,

It crossed my mind for a moment too... But "better to bring it up than to wander around with the question" is my motto.

At least I have found my answer, maybe others see this thread too so there doesn't have to be any doubt anymore.

Thanx for the quick and positive reply.

Regards,

Harro

Jean-Philippe

Re: server hacked
« Reply #5 on: October 31, 2001, 07:55:03 PM »
That brings back the old story of full disclosure...

Rich Lafferty

Re: server hacked
« Reply #6 on: October 31, 2001, 09:05:42 PM »
Confucius:

No, I meant that reports of possible compromises should only be sent to security@e-smith.com. We're not planning on taking the information and hiding it; we know that that would not be in your best interests or in ours.

We *are* interested in finding the problem, helping the admin of the compromised server secure his machine (or at least identify the problem to avoid repeating it on a freshly-installed system), preparing a workaround, and informing customers and the developer community once armed with reliable, verified information about the problem.

Obtaining that information is not always a quick process. In requesting that admins who believe their server to have been compromised inform us first, we can do our best to ensure that the public announcement of the vulnerability contains the information necessary to understand it and prevent its exploitation on other systems.

Knowing that a server has possibly been compromised, with no idea as to the scope of the compromise, the nature of the vulnerability, and whether or not any other systems have been exposed to that vulnerability, is little good to anyone involved.

Jean-Philippe:

Full disclosure does not mean announcing publicly that a single server has been compromised; that's not in anyone's interest, especially not that of the person whose server has been compromised.

Full disclosure is about not only explaining that a vulnerability exists, but the details of the vulnerability (whether in terms of "here is the problem" or "here is the exploit"). In this particular case, no-one knows what the vulnerability is (or even if the server was exploited through a software vulnerability). As it turns out, the majority of reported compromises are unrelated to SME Server as it is shipped -- instead being caused by locally-installed and unsupported software which is poorly written or misconfigured, or misunderstandings about the normal operations of the server.

I encourage you to read the definitions of Full Disclosure (0.1.6) and of Security by Obscurity (0.1.7), and the recommended protocol for reporting security problems (0.1.8) in the BUGTRAQ FAQ, at
http://www.securityfocus.com/popups/forums/bugtraq/faq.shtml#0.1.6

At no time will we ever be concealing security problems from our customers and developer community -- but there seems to be little benefit in creating fear by announcing rumors of possible vulnerabilities before taking the time to determine what the vulnerability, if any, *is*.

Essentially, full disclosure means detailed information, and in requesting that users who think they have been compromised contact us first, we aim to be able to provide that information rapidly and reliably while minimizing other servers' exposure risk.

I hope this clarifies our position with regards to reports of compromises.

Warm regards,

Rich Lafferty
Network Server Solutions Group
Mitel Networks

Rich Lafferty

Re: server hacked
« Reply #7 on: November 19, 2001, 07:46:32 PM »
With Alex's cooperation, we have been able to investigate this compromised server and verify that the vulnerability exploited was not in SME Server as distributed, but was a recently-published vulnerability in PHP-Nuke. Further, due to the nature of the vulnerability, the intruder was only able to obtain access to the server as the "www" user, and not as the superuser.

While PHP-Nuke is neither supplied by nor supported by Mitel Networks, we have published a security advisory on it to inform our users of the recent string of reported vulnerabilities in the software. That advisory is available at

    http://www.e-smith.org/article.php3

Mitel Networks would like to thank Alex for his cooperation in
investigating this issue.

Warm regards,

Rich Lafferty
Network Server Solutions Group
Mitel Networks
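The thread's conclusion (a PHP-Nuke hole let an intruder drop a PHP shell while running only as the "www" user) suggests a simple check an admin can run after such a report: look for PHP files in the document root that are owned by the web-server account and were written recently, since a properly deployed application's files are normally owned by an administrative user, not by the account the web server runs as. The script below is an added example, not code from this thread, SME Server or Mitel; the web root, the account name and the file extensions are placeholders for the reader to adjust, and the demo directory it builds is constructed.

```shell
#!/bin/sh
# Added example (not part of the original thread). Lists PHP-type files under
# a web root that are owned by the web-server account and were modified within
# the last N days. Files that the web server itself wrote into the document
# root are a common trace of an uploaded web shell and deserve review.
# The web root, user name and extension list are placeholders.

# find_www_writes <webroot> <user> <days>
# Prints matching paths, one per line, sorted.
find_www_writes() {
    webroot=$1
    user=$2
    days=$3
    find "$webroot" -type f -user "$user" \
        \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' -o -name '*.inc' \) \
        -mtime -"$days" 2>/dev/null | sort
}

# count_www_writes <webroot> <user> <days>
# Same search, but prints only the number of matches (0 when nothing is found).
count_www_writes() {
    find_www_writes "$1" "$2" "$3" | grep -c . || true
}

# Self-contained demo on a constructed directory tree, owned by the current
# user so it runs anywhere; on a real server pass the web root and the
# account the web server runs as, e.g. find_www_writes /home/httpd/html www 7
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/html/modules"
    # a legitimate application file
    printf '<?php echo "hello"; ?>\n' > "$tmp/html/index.php"
    # the kind of stray file a dropper leaves behind; this one is inert
    printf '<?php /* constructed placeholder, not a real shell */ ?>\n' \
        > "$tmp/html/modules/.cache.php"
    # a non-PHP file, which the search ignores
    printf 'static\n' > "$tmp/html/style.css"
    echo "PHP files owned by $(id -un), modified in the last day:"
    find_www_writes "$tmp/html" "$(id -un)" 1
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Ownership is only a heuristic: if the application was deployed as the web-server user, every file matches and the check degenerates to a recent-modification listing, which is still useful but noisier. A file the check flags should be compared against the installed package or a known-good copy rather than judged by name alone.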