I recently (this morning) had a university sever hacked.
This was a root compromise. The box is now disconnected.

This Suse10.1 linux box ran apache2, php5, tomcat_4_something
and java1.5.0_04

We haven't had time to examine the logs....to try and figure out
how this happened. We will. Tomcat4 seems to be the most
out of date, so maybe that was the culprit

This box is behind a firewall that only allows email, ssh, port:80 for
apache
and port:8080 for tomcat. Perhaps (just guessing) they used a
buffer overflow of some sort, related to interactive
forms, that run from both php5/apache and tomcat.

So here's my question:
If this does turn out to be a buffer overflow, how do I avoid this?
All GET and POST processing will need to be examined and run through
some
sort of a "clean" function, to strip out all but alphanum input.
But what about parameter size? Is that important too?

How does that work? Should this proposed new 'cleanInput' function
also truncate input to a maximum parameter size?
Or better yet reject over some threshold size.....

If so how big? ........seems like something that could/should be
controlled
in a config file. But I don't know that answer.

Any informative help would be greatly appreciated.

[ Post a follow-up to this message ]