Bryzn007 | what hot server backup do you use that is effective for a server running Zimbra? which can be easy to restore in case of catastrophic hardware failure? | 01:42 |
=== G_ is now known as G | ||
{bosco} | so i have setup my apache2 server and now when i go to boscosworld.com it says i do not have permission to view this page on the server ? any help ubuntu 17.04 | 03:46 |
{bosco} | thank u | 03:47 |
Bryzn007 | adjust permissions, this may help you https://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver | 04:17 |
{bosco} | Bryzn007 i went through that entire page and nothing | 04:30 |
{bosco} | no change | 04:30 |
cpaelzer | good morning | 05:40 |
lordievader | Good morning | 06:23 |
=== jelly-home is now known as jelly | ||
rbasak | cpaelzer: o/ | 07:35 |
rbasak | cpaelzer: I fear I won't finish catching up this week :-/ | 07:35 |
rbasak | cpaelzer: anything I should prioritise? | 07:35 |
cpaelzer | rbasak: hiho | 07:36 |
cpaelzer | rbasak: I'm working on libvirt dev bugs atm, nothing from me you could unblock | 07:38 |
cpaelzer | maybe some SRUs but that I'd leave to the normal SRU rotation | 07:38 |
rbasak | OK, thanks | 07:38 |
dpb1 | hey rbasak, w/b | 14:13 |
=== JanC_ is now known as JanC | ||
fishcooker | how to get detail of process when i have the pid ? | 16:21 |
dpb1 | fishcooker: ps -p 1 -f <other flags here> | 16:26 |
dpb1 | note, ordering is important for some of the flags. ps is an OLD command. :) | 16:26 |
MASM | Hello, I have a problem with some hacker or some scripts that a hacker installed on my server, but I don't know where to find it. Sometimes 3 files appear, "on.php, up.php, access.php", in "/var/www/website.com/public_html/on.php", owned by the "www-data" user, but what can I do with this? I have a script run every 5 minutes to delete them, but how can I detect the vulnerability? | 17:37 |
MASM | files contain base64 code | 17:38 |
nacc | MASM: take your server offline | 17:39 |
nacc | MASM: you can't trust anything on it at this point, if you don't know where those files are coming from | 17:39 |
MASM | yes, but i can't take it down, it need to be on all day, i need | 17:53 |
nacc | MASM: you definitely don't *need* a corrupt, hacked server | 17:53 |
MASM | tips to solve this | 17:53 |
MASM | it is only in that folder, and after get down the server what i need to do? | 17:54 |
nacc | MASM: you have no idea what else is running or happening on your server | 17:54 |
nacc | MASM: it seems like, which means you don't know the extent of damage done | 17:55 |
mike-zal | monitoring tools are needed to analyze what is happening, but for that you need a sysadmin who knows linux well enough to recognize some atypical things | 18:00 |
mike-zal | if you have no way to resolve it, making a copy of your stuff and reinstalling things, focusing on securing the server and then restoring your content back, is the best solution. find some hosting where you can temporarily move your site and clean your server MASM. worse, if the problem is placed somewhere in your site... but you will find out about it eventually if you clean your server.. | 18:02 |
MASM | I have been going crazy, looking for what they have modified on the server, but the only thing I know is that they have done a "Mass Desfase" on me, they are a "White hat" | 18:12 |
MASM | create files in that folder, and up that files php, and change the files of the domain | 18:13 |
RoyK | MASM: pastebin those php scripts - if you want to see what's running them, check the webserver log, it should give you you an ip address | 18:13 |
RoyK | MASM: also, check the timestamp on those files | 18:14 |
RoyK | that is, at least don't edit them before you have the timestamp | 18:14 |
RoyK | just ls -l /path/to/file | 18:15 |
MASM | they are in base64 and are like "forms uploading files" | 18:15 |
MASM | -rw-r--r-- 1 www-data www-data 28 Sep 16 06:47 /var/www/mysite.com/public_html/on.php | 18:15 |
MASM | this is one | 18:15 |
RoyK | that's only two days old | 18:15 |
RoyK | check the webserver logs - apache? | 18:15 |
RoyK | but pastebin one anyway: cat /var/www/mysite.com/public_html/on.php | pastebinit | 18:16 |
RoyK | which version of ubuntu is this? | 18:18 |
MASM | 14.04 | 18:20 |
tomreyn | 14.04.0 or 14.04.1? or something else? lsb_release -sd should tell | 18:21 |
MASM | but i delete the file, well my script delete it, i have a script running every 5 minutes and if it detect that files it remove all | 18:21 |
tomreyn | what makes you think that this is a "White hat" "Mass Desfase"? | 18:22 |
MASM | Ubuntu 14.04.5 LTS | 18:22 |
MASM | they edited the index.php with their logo | 18:22 |
dpb1 | MASM: did you unplug the server from the network? | 18:23 |
tomreyn | maybe one of the many intruders did that, and the others got root? | 18:23 |
MASM | and i found them in facebook, and in their biography i find my website | 18:23 |
tomreyn | indeed unplugging it from the network is the first thing to do | 18:23 |
MASM | i have jail2ban with ssh | 18:24 |
tomreyn | you allowed it to get compromised, now you need to deal with the downtime | 18:24 |
MASM | i think they can get access with root, and i change the password every week | 18:24 |
RoyK | well, the box has been compromised - if they have gotten root access, reinstall | 18:24 |
tomreyn | changing the root password weekly won't prevent privilege escalation | 18:25 |
RoyK | there's a zillion ways to make a root backdoor once you're in as root | 18:25 |
RoyK | MASM: btw, are the files under /var/www owned by www-data? | 18:25 |
RoyK | and do you have a backup? | 18:26 |
MASM | yes i have backups | 18:26 |
RoyK | very good | 18:26 |
lordcirth_work | Reinstall the server, salt state.apply, restore backups if needed, watch auth.log like a hawk? | 18:26 |
RoyK | but just take down the box and reinstall it | 18:26 |
MASM | i installed clamav to see if there is a malicious file | 18:27 |
lordcirth_work | And make sure you're up to date | 18:27 |
tomreyn | lordcirth_work: did s/he say s/he uses salt stack? | 18:27 |
lordcirth_work | whoops, wrong channel lol | 18:27 |
lordcirth_work | #salt is the other tab, lol | 18:27 |
tomreyn | :) | 18:27 |
MASM | i don't use it e-e | 18:28 |
MASM | oh! | 18:28 |
RoyK | lordcirth_work: if the php files and their dir(s) are owned by www-data, it's possible to change those using a security hole if one exists in another php file | 18:28 |
lordcirth_work | In future, I would strongly recommend using some sort of configuration management | 18:28 |
mike-zal | MASM: some articles claim that on tests, clam av showed one of the worst detection rate of both win and linux malware. | 18:28 |
* RoyK likes ansible | 18:28 |
mike-zal | there are many more efficient antiviruses for linux though | 18:28 |
lordcirth_work | mike-zal, any suggestions? | 18:28 |
MASM | and i don't know another antivirus | 18:28 |
mike-zal | ansible is awesome. have to learn it | 18:29 |
lordcirth_work | I prefer Salt. But either is much better than nothing | 18:29 |
RoyK | MASM: it's probably not a virus - there aren't too many of those for linux | 18:29 |
RoyK | MASM: and any file can be malicious without clamav finding out - it's not *that* smart | 18:30 |
MASM | i use a php find base64 | 18:30 |
mike-zal | lordcirth_work: here is the article, it's a bit dated though: https://www.csoonline.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html | 18:30 |
MASM | to see if there is more files | 18:30 |
lordcirth_work | Your website might now be redirecting people to viruses, though... | 18:30 |
mike-zal | but you have a list of potential av software for linux there, lordcirth_work | 18:30 |
RoyK | MASM: well, at least take the machine offline | 18:31 |
lordcirth_work | Thanks | 18:31 |
MASM | RoyK ok i will | 18:31 |
MASM | and i am going to reinstall all, | 18:31 |
MASM | i was thinking to use docker | 18:31 |
RoyK | probably a good idea, quite possibly on 16.04 to get something fresher | 18:32 |
lordcirth_work | Yes, if you're reinstalling you should try 16.04 | 18:32 |
dpb1 | MASM: were you keeping packages up to date, and making sure to reboot onto new kernels regularly? | 18:32 |
tomreyn | MASM: good choice (about taking it offline and reinstalling). once it's offline make sure you got complete and current backups, and that the backups aren't compromised either. | 18:32 |
RoyK | MASM: and before it's online, setup ufw to only allow what you need | 18:33 |
MASM | dpb1: yes i do that updates | 18:33 |
lordcirth_work | I prefer shorewall to ufw | 18:33 |
RoyK | lordcirth_work: well, I believe ufw is easy, and the iptables rules it writes aren't bad | 18:34 |
lordcirth_work | RoyK, I have never gotten ufw to behave the way I expect it to, I don't know why. Maybe it's just me. Last time I tried I gave up and wrote the iptables myself | 18:35 |
MASM | i have some security, like ufw, with only ports that i use, jail2ban, apache (mod_security and mod_evasive) | 18:35 |
mike-zal | MASM: interesting article: https://likegeeks.com/secure-linux-server-hardening-best-practices/ | 18:35 |
RoyK | lordcirth_work: depends what you need, though. ufw is quite simple, but I use it for most my stuff | 18:35 |
mike-zal | that's aside from standard security measures. | 18:36 |
RoyK | MASM: this php thing you're running, is it developed in-house or is it some standard package? | 18:37 |
MASM | the script that i found on the internet to find .php files with base64? | 18:38 |
MASM | RoyK : https://github.com/mikestowe/Malicious-Code-Scanner/blob/master/phpMalCodeScanner.php | 18:39 |
MASM | example of malicious php code https://aw-snap.info/articles/php-examples.php | 18:40 |
MASM | well thanks to all, i will reinstall all, and get more security to the users | 18:42 |
RoyK | MASM: no, I meant the webapp | 18:42 |
MASM | oh, it is drupal 7 | 18:43 |
RoyK | oh, drupal | 18:44 |
* RoyK has never liked that | 18:44 |
RoyK | MASM: has drupal been updated lately? it has a rather bad reputation for exploits | 18:45 |
MASM | RoyK: some modules are updated, others not | 18:48 |
RoyK | https://www.exploit-db.com/exploits/41564/ | 18:49 |
tomreyn | that's a specific third party drupal module, not in core. | 18:51 |
RoyK | tomreyn: yes, but MASM said not all mods were updated, which may imply third-party module stuff that you have to update manually | 18:51 |
tomreyn | right, but there are plenty of modules, and many of them have vulnerabilities in some versions. i'm just saying you made a wild guess there. | 18:52 |
RoyK | I did, and thus I pointed to an exploit | 18:53 |
RoyK | I didn't say he was using that particular module | 18:53 |
tomreyn | ok, i just wanted to put some context around this URL. | 18:54 |
RoyK | anyway - I hope MASM will keep an eye on drupal later to better avoid such things | 18:54 |
MASM | i think that, because they can only create files in the drupal folder, as www-data, it means that they don't have access to any linux user, and maybe they are using php injection or something like that | 18:56 |
MASM | or exploit like Royk says | 18:57 |
tomreyn | it'd be a good idea to run something other than mod_php, e.g. fpm, since those other models allow more fine grained security restrictions. also disable some dangerous php functions unless you strictly need them. | 18:57 |
sdeziel | it's also good to restrict where the www-data user can write (typically only needed for some caches and upload dirs) | 18:57 |
nacc | sdeziel: fyi, i'm doing the import of tor and and adding it to our autoimport list | 18:59 |
tomreyn | php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate | 18:59 |
tomreyn | use those by default, and only remove what's strictly needed, only for those sites that need it. | 19:00 |
sdeziel | nacc: thanks! | 19:00 |
nacc | sdeziel: np, thank you! | 19:01 |
ahasenack | hm, I got a package which has a debian/patches/00list file instead of debian/patches/series | 19:20 |
ahasenack | is that from an old quilt version, or before quilt even? | 19:20 |
ahasenack | current quilt doesn't seem to even look for 00list | 19:21 |
nacc | ahasenack: depends on how it's built, is it 3.0 (quilt)? | 19:21 |
ahasenack | no such file there (debian/source/format) | 19:21 |
ahasenack | could it be dpatch? | 19:22 |
ahasenack | there are two patches there, and they have DPATCH in their headers | 19:22 |
ahasenack | @DPATCH@, even | 19:22 |
ahasenack | include /usr/share/dpatch/dpatch.make | 19:22 |
ahasenack | meh | 19:22 |
nacc | ahasenack: ah, then it's a 1.0 | 19:22 |
nacc | ahasenack: or could be using dpatch | 19:23 |
07IAA32V7 | sorry my computer died | 19:29 |
MASM | sorry my computer died, thanks to all | 19:29 |
MASM | for helping me | 19:29 |
hehehe | hi | 21:24 |
hehehe | I am playing with xdotool | 21:24 |
hehehe | xdotool windowactivate 23076341 | 21:24 |
hehehe | XGetWindowProperty[_NET_WM_DESKTOP] failed (code=1) | 21:24 |
hehehe | wheyyy | 21:24 |
hehehe | :) | 21:24 |
hehehe | i can do windows close | 21:25 |
hehehe | chromium | 21:25 |
ahasenack | can I use a dep3 header in an old dpatch patch? | 21:31 |
nacc | ahasenack: from dep3 itself: "For patch-systems like dpatch that require the patch to be a standalone script, the shebang line is ignored and it is possible to put those fields in comments. The line should then follow the format "# <field>". For multi-line fields, the subsequent lines should start with "# " (hash followed by two spaces) so that they start with a space once "# " (hash followed by a | 21:33 |
nacc | space) has been stripped from the beginning." | 21:33 |
ahasenack | the lines start with "## DP:" actually | 21:34 |
ahasenack | I was going to add the dep3 bits prefixed with "## DP:" | 21:34 |
nacc | ahasenack: i think those lines are actual dpatch lines | 21:35 |
nacc | ahasenack: whereas the above is referring to just putting unparsed comments in | 21:35 |
nacc | ahasenack: i really don't know and dpatch is deprecated :) | 21:35 |
ahasenack | it starts with "## All lines beginning with `## DP:' are a description of the patch." | 21:35 |
ahasenack | nacc: yeah, but for an sru I'm not going to change the patch system :) | 21:35 |
nacc | ahasenack: yeah, i agree -- i'm just saying i don't think it actually parses DP: | 21:36 |
nacc | ahasenack: easy enough to check | 21:36 |
ahasenack | said the last person going into the woods to check that noise | 21:36 |
nacc | well, that implies someone was there to hear it! | 21:37 |
nacc | otherwise, they're just a tree falling in the woods | 21:37 |
ahasenack | funny how that has been interpreted in the past: (not my comment, yours) | 21:37 |
ahasenack | ## All lines beginning with `## DP:' are a description of the patch. | 21:37 |
ahasenack | ## DP: This patch makes sure Makefile references -lpam | 21:37 |
ahasenack | ## to insure correct linking | 21:37 |
* ahasenack checks what patch-template does | 21:38 |
nacc | ahasenack: yeah, i suppose for minimizing the cognitive noise, i'd just follow the existing template | 21:39 |
ahasenack | it repeats DP: | 21:39 |
nacc | ahasenack: oh i wonder if DP: is what `dpatch cat ... ` uses | 21:39 |
ahasenack | "easy enough to check" | 21:39 |
ahasenack | :) | 21:39 |
ahasenack | yes | 21:40 |
ahasenack | debian/patches/02_libpam.patch (): | 21:40 |
ahasenack | This patch makes sure Makefile references -lpam | 21:40 |
ahasenack | it's missing "to insure correct linking" | 21:40 |
ahasenack | good catch | 21:40 |
nacc | ahasenack: yeah the manpage says it does length stripping automatically, etc. | 21:41 |
nacc | ahasenack: so i think your dep3 header should not use DP: | 21:41 |
ahasenack | why? | 21:41 |
ahasenack | are you referring to the dep3 quote from before? | 21:42 |
ahasenack | maybe just use the dep3 description prefixed with ## DP:, so that dpatch cat shows it? | 21:42 |
oraqol | Hello all, having a little trouble 'conjure-up'-ing on fresh default ubuntu 16.04 and getting the following error: lxd not found please install with sudo snap install lxd && lxd init and wait for this message to disappear | 21:48 |
stokachu | oraqol: did you run `sudo snap install lxd`? | 21:49 |
oraqol | yes | 21:49 |
stokachu | ok i got a fix in that adds more information to the error, but you need to make sure to run `/snap/bin/lxd init && /snap/bin/lxc network create lxdbr0 ipv4.address=auto ipv4.nat=true ipv6.address=none ipv6.nat=false` | 21:50 |
oraqol | getting the following after running those commands: error: Unable to talk to LXD: Get http://unix.socket/1.0: dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied | 21:50 |
oraqol | but I have been messing with the installation. I'll re-image and try that from scratch | 21:51 |
stokachu | oraqol: what does `ls -l /var/snap/lxd/common/lxd` show? | 21:51 |
stokachu | sorry `sudo ls -l /var/snap/lxd/common/lxd` | 21:51 |
oraqol | drwx------. 2 root root 4096 Sep 18 17:50 cache | 21:52 |
oraqol | drwx--x--x. 2 root root 4096 Sep 18 17:50 containers | 21:52 |
oraqol | drwx--x--x. 2 root root 4096 Sep 18 17:50 devices | 21:52 |
oraqol | drwxr-xr-x. 2 root root 4096 Sep 18 17:50 devlxd | 21:52 |
oraqol | drwx------. 2 root root 4096 Sep 18 17:50 disks | 21:52 |
oraqol | drwx------. 2 root root 4096 Sep 18 17:50 images | 21:52 |
oraqol | drwx------. 2 root root 4096 Sep 18 17:50 logs | 21:52 |
oraqol | lrwxrwxrwx. 1 root root 24 Sep 18 17:50 lxd.db -> ../../current/lxd/lxd.db | 21:52 |
oraqol | drwx--x--x. 2 root root 4096 Sep 18 17:50 networks | 21:52 |
oraqol | drwx------. 2 root root 4096 Sep 18 17:50 security | 21:52 |
oraqol | -rw-r--r--. 1 root root 1903 Sep 18 17:50 server.crt | 21:52 |
oraqol | -rw-------. 1 root root 3243 Sep 18 17:50 server.key | 21:52 |
oraqol | drwx--x--x. 2 root root 4096 Sep 18 17:50 shmounts | 21:52 |
oraqol | drwx------. 2 root root 4096 Sep 18 17:50 snapshots | 21:52 |
stokachu | there should be a unix.socket file in there | 21:52 |
oraqol | I'll reimage and try again later, then update here | 21:53 |
oraqol | thanks guys | 21:53 |
stokachu | ok im around just ping me later | 21:54 |
RoyK | stokachu: next time, tell him to !pastebin it :P | 22:05 |
stokachu | RoyK: yeah sorry about that, i should be more careful when i ask for those things | 22:10 |
{bosco} | ok so i have my apache webserver setup my ( website.com ) links to /var/www/website/public_html/index.html how do i get it to link to /home/user/website/public_html/index.html (ubuntu 17.04) | 22:53 |
oerheks | {bosco}, we advise against that, but you can: https://stackoverflow.com/questions/5891802/how-do-i-change-the-root-directory-of-an-apache-server | 23:05 |
oerheks | change /etc/apache2/sites-available/000-default.conf to your /home/$USER/ etc | 23:05 |
{bosco} | oerheks: yes but can't you just use symlinks | 23:06 |
oerheks | {bosco}, that would be another solution, but why? | 23:07 |
{bosco} | basically i want the easiest and most secure way, when i log in to my server as a user, to be able to edit the website not as root | 23:07 |
{bosco} | oerheks: | 23:11 |
Ussat | easy and most secure don't always go together | 23:15 |
{bosco} | yes i agree so how do i edit the file /home/user/website/public_html/index.html and have it edit mywebsite | 23:16 |
{bosco} | do i need to create a symlink to point there? i am kinda lost although i have read lots of documentation | 23:17 |
{bosco} | Ussat: | 23:17 |
Ussat | what do you mean "edit my website"? | 23:17 |
Ussat | why not edit your site directly ? | 23:18 |
nacc | Ussat: i believe they are trying to avoid being root | 23:18 |
{bosco} | u are correct | 23:18 |
Ussat | ahh | 23:18 |
Ussat | why is your website only editable by root ? | 23:19 |
Ussat | and just use sudo then | 23:19 |
{bosco} | : Ussat i want to change that, i want to be able to have my /home/user/website1/public_html/index.html point to my website.com? isn't that possible? if so how do i do it? | 23:20 |
Ussat | I know what you want to do, a sym link would do that, but why bother ? | 23:21 |
Ussat | edit the site directly with sudo vi <file> | 23:21 |
{bosco} | because i don't want to use sudo every time, and i have tried symlinks but failed in my attempts. i don't want to have to put in my sudo password every time i just edit index.html | 23:22 |
Ussat | Well, other than that, no, you can't | 23:22 |
Ussat | you said you wanted secure, sudo is secure, it asks for a password every time | 23:23 |
sarnold | or you could follow the advice in https://stackoverflow.com/questions/5891802/how-do-i-change-the-root-directory-of-an-apache-server as oerheks suggested | 23:23 |
oerheks | add your user to www-data > sudo adduser <username> www-data # https://askubuntu.com/questions/19898/whats-the-simplest-way-to-edit-and-add-files-to-var-www | 23:23 |
Ussat | ahh I did not see that, I dunno if I would do that myself, but it's an option | 23:23 |
{bosco} | i looked at that documentation and it didn't work right, i must be doing something wrong | 23:24 |
{bosco} | : sarnold | 23:24 |
oerheks | basically the 1st thing i do | 23:24 |
Ussat | srsly, just use sudo | 23:24 |
{bosco} | is it possible to store website.com/index.html in /home/user/website/public_html/? why can't i do that? sorry, with all the different options i am lost | 23:26 |
oerheks | You *can* store it there, sure... for backup | 23:26 |
{bosco} | : oerheks how do i use that not as a backup | 23:26 |
oerheks | {bosco}, change /etc/apache2/sites-available/000-default.conf to that folder | 23:27 |
oerheks | * and restart apache | 23:28 |
{bosco} | when i do that it says i do not have permission to view it on the server, from the web browser | 23:28 |
{bosco} | : oerheks | 23:29 |
oerheks | are those files and folders in the www-data group? apache wants that. | 23:29 |
oerheks | ( correct me if i am wrong) | 23:30 |
{bosco} | i have changed my .conf file to direct or look for my index.html file in my user's folder | 23:30 |
{bosco} | but when i do that i get permission denied by the web browser | 23:30 |
Ussat | I need to ask, why are you making these changes? It sounds like you're making this harder than it needs to be | 23:31 |
sarnold | {bosco}: you can use namei -l /path/name/here to help find which file or directory needs its permissions or ownership changed | 23:31 |
{bosco} | it may be harder than doing that, i agree, but i am not trying to sound rude or anything at all, i am grateful for any advice, but what is the best way to do as i described? | 23:34 |
{bosco} | : sarnold | 23:34 |
{bosco} | i not a | 23:35 |