Forum OpenACS Q&A: Response to Bugtraq: Oracle security

Posted by Don Baccus on
The AOLserver site recommends setting up a chroot environment and tells you how to do so.  AOLserver only runs as root long enough to grab port 80 and then drops to your "-u" user.  So you need to elevate to root to break out AFAIK.

Also AFAIK no one's managed to root aol.com or digitalcity.com, so it's probably worth paying at least some attention to their advice.  I'm sure they've been targets of many attempts (and maybe they've been rooted and neither they nor we know it!  aol.com might be the mother lode of warez distribution!)

As far as Oracle goes ... you talk to Oracle via the ora.c and the Oracle client library to the listener, which is running elsewhere (another process, another machine, whatever).

Ditto PG.  The client library is linked with the driver and AOLserver, but it talks to the postmaster daemon (usually via localhost when things run on one machine, at least if you're smart).

So not all that much needs to go into your chroot()'d process.

When all is said and done the non-AOLserver stuff you forget to turn off is most likely to get you.  I got rooted two weeks ago because I never got around to updating ssh on a server of mine (bad bad bad).

The good news is most of the script kiddies are just looking for someplace to dump pirated software in order to distribute it using your bandwidth.  I've had several friends get rooted over the years (including photo.net, tee hee!) and the machines have never been taken down or harmed.  Instead they start up ftp and you find your machine pegged running as many ftp downloads as it can handle without running out of swap space.  Your system gets *very* slow.

I caught these guys before that happened to this particular server (two days after they broke in) and I'm pretty sure that's what they were up to.  They didn't harm my site, database, etc.  They installed a rootkit that included versions of ps and top that hid all but a handful of processes, and a hacked ssh that apparently lets you have root access with a known password (not root's real password).

When I discovered that, they didn't do anything else because I shut it down and upgraded to a much newer set of software from the ground up before plugging in the internet hose again.

Of course, if they had gotten started my bandwidth bill could've been a major embarrassment ...
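The rootkit described above replaced ps and top with versions that hide processes. A replaced ps can lie, but the kernel's own process table in /proc still lists everything, so comparing the two views catches that class of trojan. The script below is an added example for this thread, not Don Baccus's code or anything from AOLserver or OpenACS; it assumes a Linux host with /proc mounted and a `ps` on PATH, and the sample PID sets in the comments are constructed.

```python
"""Cross-check the kernel's process table (/proc) against what ps reports.

Added example, not part of the original forum thread. Assumes Linux with /proc.
"""
import os
import subprocess


def pids_from_proc():
    """PIDs the kernel exposes in /proc (every numeric directory name)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs listed by the ps binary on PATH, i.e. the binary a rootkit would have replaced."""
    result = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True)
    return {int(tok) for tok in result.stdout.split()}


def find_hidden(proc_pids, ps_pids):
    """Pure comparison: PIDs present in the kernel view but absent from ps output.

    Constructed sample: find_hidden({1, 2, 3, 4321, 4322}, {1, 2, 3}) -> [4321, 4322]
    """
    return sorted(set(proc_pids) - set(ps_pids))


def process_name(pid):
    """Command name from /proc/<pid>/comm, or None if the process no longer exists."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


def confirm_hidden(pid):
    """Re-check one candidate so a process that merely started between the two
    snapshots (a race, not a rootkit) is not reported."""
    if process_name(pid) is None:
        return False  # already gone: it was a short-lived process, not a hidden one
    again = subprocess.run(["ps", "-o", "pid=", "-p", str(pid)],
                           capture_output=True, text=True)
    # Still in /proc but ps refuses to show it: that is the symptom to report.
    return not again.stdout.strip()


def scan():
    """Return [(pid, name), ...] for processes the kernel knows about but ps hides.

    ps is sampled first so that the ps process itself has exited before /proc is read.
    """
    ps_view = pids_from_ps()
    kernel_view = pids_from_proc()
    return [(pid, process_name(pid))
            for pid in find_hidden(kernel_view, ps_view)
            if confirm_hidden(pid)]


if __name__ == "__main__":
    hits = scan()
    if hits:
        print("processes visible in /proc but hidden from ps:")
        for pid, name in hits:
            print(f"  {pid}\t{name}")
    else:
        print("ps and /proc agree")
```

Run it as root (unprivileged users may not be able to read every /proc/<pid>/comm) from a copy of Python you trust. It only catches user-land replacements of ps like the one in the post; a kernel-module rootkit can filter /proc as well, in which case the reliable check is verifying the installed binaries against package signatures (for example `rpm -V`) from a clean boot medium, which is what the "rebuild from the ground up" response above amounts to.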