Xserve upgrade to 10.4.10 incomplete

08-15-2007, 07:01 PM
Running an Xserve dual 1 GHz with 10.3.9 with the latest Apple Security Update 2007-07 installed. This Development server is a clone of a Production server which hosts websites, one of which requires PHP and MySQL for its database.

Was asked to upgrade to Tiger by IT security because of a recent hacking attempt: the hacker placed this code in my Production and Development server Access logs...a trap, they said. BEWARE--DO NOT CLICK ON THE LINK (hacker.org) BECAUSE IT WILL ADD YOUR COMPUTER INFO TO THEIR LIST OF POSSIBLE PROXY HOSTS:

- - [13/Aug/2007:00:51:15 -0700] "GET (Took out http) //hacker.org.ru/prxjdg.php HTTP/1.1" 401 482

My IT group told me this:

"Your site has an old version of PHP, which can cause a denial of attack if specific characters are typed in the authentication screen; this in turn, or in combination with info on your system, can elevate a "null" user to admin rights. Please upgrade PHP to version 5.2.0 or greater. Also upgrade Apache to the very latest. Now that the hacker knows your IP he/she will try until access is granted, so please make sure you do the upgrades to all servers, and soon."

But our developer who built out the database said NOT to install PHP 5.2 because it is untested and some database calls would need to be recoded. He said security was supported on PHP 4.4 through 8-2008 and that it was doubtful that a simple upgrade to PHP would fix the problem IF I WAS vulnerable.

To comply at least with the Apache upgrade request, I ran the Tiger installer CDs to upgrade to 10.4, then ran the Combo Updater 10.4.10 on the Development box to test it out.

PHP and MySQL failed to upgrade, and my firewall settings disappeared.

Manually re-set the firewall, although there is NO dropdown for selecting standard settings--it seems to have disappeared!

Now having the developer drop in the missing pieces of PHP to see if they can get it to run, as well as running Terminal commands on MySQL to get it started.

Since this was a test on a Development server, I am now wondering about the best way to upgrade the Production server.

I hate the idea of a Clean Install because I have to manually set it up all over again.
Is this the best way to go???

And, do I have to worry about this hacking incident since I am not going to install PHP 5.2? Will the version loaded with 10.4.10 be secure enough?
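The access-log line quoted in the post above is the signature of an open-proxy check: a client asks the web server to fetch a third-party URL (an absolute `http://host/...` target, or a scheme-less `//host/...`) and looks at whether the fetch succeeds. The following is an added example, not code from the original thread or from Apple, of how an administrator could scan an Apache common/combined log for such probes and separate the harmless case (the server refused, e.g. 401 or 4xx) from the one that matters (a 2xx, meaning the server actually fetched the URL and has been confirmed as a proxy). The log lines, the client IPs and the extra script names in `PROXY_JUDGE_NAMES` are constructed for the example; only `prxjdg.php` comes from the thread.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Script names typical of proxy-judge checks. prxjdg.php is the one seen in the
# thread; the other two are constructed placeholders an operator would replace
# with whatever names they have actually observed.
PROXY_JUDGE_NAMES = ("prxjdg.php", "proxyjudge", "azenv.php")


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_probe(entry):
    """True if the request asks us to fetch someone else's URL (forward-proxy use)
    or names a known proxy-judge script."""
    target = entry["target"].lower()
    absolute = target.startswith(("http://", "https://", "//"))
    named = any(name in target for name in PROXY_JUDGE_NAMES)
    return absolute or named


def summarize(lines):
    """Group proxy probes by client IP: {ip: [(time, target, status), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_proxy_probe(entry):
            hits[entry["host"]].append((entry["time"], entry["target"], entry["status"]))
    return dict(hits)


def proxied_successfully(hits):
    """Clients whose probe got a 2xx: the server really fetched the remote URL.
    A 401/403/404 means the probe was refused, which is the expected outcome."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(status.startswith("2") for _, _, status in reqs))


# Constructed sample log: two probes from one client (both refused with 401),
# plus ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2007:00:51:15 -0700] "GET http://hacker.org.ru/prxjdg.php HTTP/1.1" 401 482
192.0.2.10 - - [13/Aug/2007:00:52:01 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2007:00:53:40 -0700] "GET //hacker.org.ru/prxjdg.php HTTP/1.0" 401 482
198.51.100.5 - - [13/Aug/2007:01:10:22 -0700] "GET /images/logo.gif HTTP/1.1" 304 -
"""

if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG.splitlines())
    for ip, reqs in hits.items():
        print(f"{ip}: {len(reqs)} proxy probe(s)")
        for when, target, status in reqs:
            print(f"    {when}  {status}  {target}")
    print("confirmed as proxy:", proxied_successfully(hits) or "none")
```

Run it against a real log with `summarize(open("/var/log/httpd/access_log").read().splitlines())`; an empty result from `proxied_successfully` is the state to confirm, since a refused probe only tells you the host was scanned, while a 2xx tells you the server is relaying.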

08-16-2007, 01:42 AM
There is nothing worse than having the choice of being secure - or - operational. Drives me to drink sometimes.

A couple questions and general thoughts:

How secure is the network? You mention setting up the firewall on the server...is there a robust firewall upstream at the router? The IT guys should be all over this.

Sounds like your DB guy needs to catch up....if (and that is "if") older versions are not secure, what other choice do you have but to update?

If it were me, I would do the clean install and config of 10.4, even though it is a pain. I have not taken any of our servers to 10.4.10. Stopped at 10.4.9 because of various reported issues with 10.4.10, but often Apple will only support the most recent OS version with security patches....see gripe above. 10.4.11 is in beta right now.

Do you have every service shut down but what you need running on this box?

You can update Apache and PHP, regardless of what version Apple loads. Tools like MAMP (http://mamp.info/en/mamp.html) make it pretty easy too.

There are lots of tools out there that may help you monitor and protect your server. Mac Orchard (http://www.macorchard.com/network/) has a nice list of network tools....you might look at Flying Buttress, Door Stop, Hen Wen, and Sun Shield (other goodies too) for help with your firewall config and traffic monitoring.

Is locking (http://www.digicowsoftware.com/detail?_app=Weblock) some directories an option?

There are some smart folks here, let's see what others have to add.

08-16-2007, 03:07 AM
Universities warned of Storm Worm attacks (http://www.securityfocus.com/news/11482/1)
Robert Lemos, SecurityFocus 2007-08-15

Colleges and universities have come under attack by Storm Worm botnets following attempts to detect infections through vulnerability scanning, a response center for academic networks stated last week.
"We did pressure the parties involved in this situation to allow us to share quickly, because starting very soon, there will be millions of students returning to campuses with computers that have been connected to who-knows-where, and might be infected with who-knows-what."

- Mark Bruhn, executive director, Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)

The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC (http://www.ren-isac.net/)) sent out the warning (http://lists.sans.org/pipermail/unisog/2007-August/027405.html) last Thursday following "numerous incidents" and advised school information-technology managers to respond quickly to any infection on their networks. The Storm Worm's distributed denial-of-service (DDoS) attacks appear to strike back at the network of any computer that scans an infected system, REN-ISAC officials said in the advisory.

"The attacks have been ICMP (Internet Message Control Protocol), can last more than a day, involve a large number of sources scattered globally, and can yield very significant attack traffic," the advisory warned. "With the impending return of students for fall classes, the DDoS-the-scanner-when-scanned behavior represents a significant risk for the EDU sector."

It is nasty out there.

How much can a good hardware firewall do? I know there were some listed in the Security FAQ that provide robust network intrusion detection.

I run just a home computer but behind two routers locking down inbound and outbound services I don't want or need (about 2 dozen rules), plus SNORT and NIDS and proxy server.

Any chance of running a Linux system as a firewall? People still do that, right? It would make it possible to run what you need on the Xserve and still have what you need on another box.

Intel Xserves can run VMs. VMware has a server application just for the data center user, so you can run whichever OS you need, rather than one OS trying to do everything.

08-16-2007, 03:32 AM

There are still some bugs or potential flaws in PHP because Apple is still not using the newest versions in 10.4.10 (I am not sure, but 10.4.10 has version 4.4.7 of PHP built in); 5.2.3 is the latest :(

Since PHP 5.1.4, PHP needs Tiger, so 5.2.3 also runs on 10.4.x only. Here you'll find an install how-to, and there are also download links to the self-contained OS X images:



08-16-2007, 11:32 AM
Do you have every service shut down but what you need running on this box?

I have one port open to "any" in the firewall: port 80. Everything else is denied. My local network IP range has access to services like AFP, Timbuktu, Server Admin, etc., but there is no e-mail, FTP, LDAP or anything else running on this box. Strictly a web server.

How secure is the network? You mention setting up the firewall on the server...is there a robust firewall upstream at the router? The IT guys should be all over this.

That's a good question. I am not on the company's network, per se, because I run a few Mac servers and they're PC. I am on an extranet DSL which is maintained by Telecom, which I really have always ASSUMED was behind a firewalled router since lots of others in the company are on it too...checking on it. (In other words, IT is NOT all over it because I am somewhat of an outlaw and regarded a bit suspiciously.)

As for Mac Orchard--I will surely look into these firewall security apps and see what might work best.

My DB guy is having me update PHP using Terminal and cut/paste code. This is what he sent:

It looks like we do have to recompile PHP in order to install the graphics libraries. But, the good news is that it's really easy (just a lot of copy/pasting). And, when it's all done, you'll have the most recent PHP with GD and graphics libraries and a structure to support future releases of PHP (including version 5).

I have attached 2 PDF documents which describe the process. I just tried it on a fresh OS X 10.4.10 server and all worked well.

Here are a few additions:

1. Make sure you're logged into a terminal window as root
2. Check that gcc is installed (type gcc -v)
3. If it isn't, install Xcode
4. mkdir /SourceCache
5. mkdir /usr/local/man
6. cd /SourceCache
7. Continue with the installation starting on page 4 of the "Installing_GD2..." PDF (after the "cd /SourceCache" line). (Be careful about the carriage returns in the PDF file; you probably need to copy/paste separately so everything fits on one line in the terminal window.)
8. Now, run the installation in the "Updating_PHP..." PDF starting on page 4. When you get to the "./configure ..." line, use the configure line from page 6 (with GD). You can also copy/paste from my text file attached (I just removed the carriage returns).

Wonder if MAMP is a BETTER way to go?

I will (gulp) plan a clean install on the production server next week as soon as all this PHP stuff is working.

(Unless there is some way to image the Dev server and then change the settings, IP and serial number of the server software after installing it on the Prod. box...is that totally crazy?)

As always, thanks again for all the good support.

08-16-2007, 02:35 PM
Not being an Apache or PHP guru, nor a command line jockey, MAMP looks tempting to me. But I have not used it, so I can't suggest that you should. Since you have a test box available, I would give it a whirl in test mode, since it claims to be easy as pie to uninstall should it not be what you need.

If you are going to be on a separate internet connection for the foreseeable future, you really need to get a robust perimeter firewall going. If the ISP provides a router, you could start with that, or get something a little better.

Good to see other ports and services are locked down. As this appears to be an Apache and/or PHP attack on public web servers through port 80, you have little choice that I can see other than to be up-to-date on the services that the public can access to minimize your exposure, and plug all (known) holes, right?

As for cloning a config'd OS, heck yes!! SuperDuper (1st choice) and CarbonCopyCloner have both worked fine for me with Server up to about 10.4.8 (last clone I made). Get the test box tweaked and running great, everything up-to-date and just the way you like, and clone it. All you should have to change (assuming similar hardware between the test and production boxes) would be the IP and Server serial number. Don't forget to use the command line tool changeIP when you......change your IP on Server. The GUI in the System Preferences panes does not update everything system-wide to catch all the services. If you need info, it's covered pretty well in the Server manual.