Archive for the “hacking” Category

For some background you may want to read the Original Story leading to this write up.

The first thing that caught my attention was the fact that Logwatch was reporting login failures in the order of thousands from unassigned.psychz.net without an accompanying fail2ban email notifying me that the offender had been banned.

As it would turn out, this was because the attack was clearly intended to defeat such protection methods. The logged host is unassigned.psychz.net: when the authentication failure is logged, vsftpd makes a reverse lookup to resolve the host, the PTR record returns unassigned.psychz.net, and that name is what gets written into the log.

fail2ban then uses a regex to extract the host from the log and attempts a forward lookup on unassigned.psychz.net (an A or CNAME record is required) to resolve the IP address and ban the offender; this is where things go awry.

psychz.net maintains their own DNS servers:

  1. DNS1.PSYCHZ.NET
  2. DNS2.PSYCHZ.NET

These provide a PTR but no A/CNAME record, so fail2ban cannot resolve an IP and the attacking IP is left to run its attack unhindered; see this log file: fail2ban name resolution failure log

The only way, therefore, to obtain the attacking IP was to match the FTP connection times to those of the reported login failures, using iptables to log all accesses to FTP. A quick count of connecting IPs can then be had using:

grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort

390 173.224.217.41

A complete log can be found here: iptables.log, and a whois here: whois.txt

Disclosure steps taken:

  1. 26/07/10 psychz support informed and given a deadline of 09/08/10 for resolution
  2. Same day, standard reply of “thanks for contacting support, we are looking into this” …
  3. 27/07/10 Attacks continue; 173.224.208.0/20 network black holed as a result:
     iptables -A INPUT -s 173.224.208.0/20 -j DROP
  4. 09/08/10 deadline passes without update
  5. 25/08/10 this blog post published

Time was when a photo was just a captured moment in time, /end nostalgia

Nowadays though, what people do not realise is the sheer amount of “extra” information embedded in “that picture you just uploaded to flickr/facebook/photobucket”, especially if you are uploading from a “smart phone”, as more and more people now are.

Most photos now contain GPS data embedded in them, and this information will survive a resize / upload process. At the time of writing, images tested from Facebook appear to have the EXIF data stripped out (thumbs up for Facebook, maybe), and it appears PHP GD by default replaces all EXIF data with its own (bug maybe?).

For non-sanitised images, however, you can discern a wealth of information such as:

  1. Make of camera
  2. Model of camera
  3. Software version
  4. Unix timestamp of time taken
  5. DateTime stamp of time taken
  6. Focal length used
  7. Shutter speed
  8. Whether the flash was used

And if GPS is embedded:

  1. Longitude
  2. Latitude
  3. Altitude
  4. GPS timestamp
  5. Direction facing when photo taken

There is yet more data, such as the colour profile used and image resolutions. In my tests, photos taken from my iPhone 4 were within 10 meters of where I was actually standing when I took the picture, and recorded which direction I was facing when I took them.

So one more thing to note in your application's “data sanity” is to strip EXIF tags from uploaded images, lest your contributors' private details be leaked from your application.

For example:

  1. User uploads a photo for a competition
  2. Site uses the resized photo on the competition page to allow visitor voting
  3. A malicious user saves the image from the site (or just uses the copy from their browser cache) and extracts the GPS data from the photo
  4. The malicious user now knows the exact whereabouts the photo was taken, as well as the time

And it doesn’t have to be a malicious user, it could be anyone or anything. If you want to check your images for EXIF data you can use my tool here: http://www.saiweb.co.uk/tools/exif_data.php

No data is stored and images are deleted immediately after processing. You use this at your own risk, however; if you misuse the tool you accept all liability for the legal action to follow. You have been warned.


Most of the time when I review our log watches each morning I become enraged at the number of automated attacks,

but ever so occasionally I find one that frankly intrigues me.

Today is just such an occasion: I have had multiple brute force login attempts, and the ingenious part is that this attack has been designed to bypass tools such as fail2ban, blockhosts etc. This is how:

  1. Attack is launched from
  2. has PTR set for
  3. Failed login attempts record due to reverse lookup
  4. There is no A record, attacker maintains their own nameservers for the
  5. fail2ban notes failed logins, attempts to resolve to an IP but fails, due to missing A record
  6. Attacker can continue brute force attempts unhindered by being banned

I am still reading into how to counter this and will update this post as I figure out how to work around it; it’s a very sneaky and frankly quite clever method of working around most automated blacklisting/banning tools.

Update 1:
One method I am trialling is the “log target” feature of iptables, in an attempt to match login failure times to the iptables log; I’ll post back with results.

iptables -A INPUT -p tcp --dport ftp -j LOG

Outputs

Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:45:57 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=46896 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:01 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=63 TOS=0x00 PREC=0x00 TTL=55 ID=38502 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=32551 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:02 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=59735 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:04 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=66 TOS=0x00 PREC=0x00 TTL=55 ID=23116 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jul 23 11:46:07 132 kernel: IN=eth0 OUT= MAC=<mac addr> SRC=<connecitng ip> DST=<server ip> LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=40246 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0

Update 2: Defeating the hack

Now granted, this would be a lot worse had the attacking IP been dynamic; fortunately in this case it’s not.

grep kernel /var/log/messages | awk '{print $9}' | sed 's/SRC=//' | sort | uniq -c | sort

390   173.XXX.XXX.XXX
      4 195.XXX.XXX.XXX

IPs have been masked to prevent anyone complaining or threatening legal action (again) for inferring you should block their IP / network range … and me firing off the obligatory “Well if you policed your own network I wouldn’t have to post this, now would I” email.

Maybe I am just being Cynical in my “old” age …

Anyhow, as you may have guessed, I’m black holing the IP with the 390 connection entries.

Thanks

Being as I spoke to a load of people during the course of this I really cannot remember who contributed what to this solution, so I’ll just have to thank you all; let me know if you want a crediting link.
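The time matching that the write-up at the top of this page and Updates 1 and 2 here both describe, done in code rather than by eye. This is an added example, not the blog's own script: it takes vsftpd FAIL LOGIN lines and the iptables LOG lines, counts failures that already carry an IP literal directly, and attributes each failure logged under a hostname to the most recent FTP SYN that iptables recorded shortly before it. The log lines are constructed (documentation-range addresses, a fixed year because syslog lines carry none) and the 60 second window is an assumption to tune against your own traffic.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: iptables/syslog lines carry no year, so one is fixed for the sample.
LOG_YEAR = 2010

# Constructed sample lines, not the blog's real logs (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). The first client was logged by
# its PTR name, which is exactly what leaves fail2ban with nothing to ban.
VSFTPD_LOG = """\
Fri Jul 23 11:46:01 2010 [pid 4012] [admin] FAIL LOGIN: Client "unassigned.psychz.net"
Fri Jul 23 11:46:04 2010 [pid 4012] [admin] FAIL LOGIN: Client "unassigned.psychz.net"
Fri Jul 23 11:46:09 2010 [pid 4020] [admin] FAIL LOGIN: Client "unassigned.psychz.net"
Fri Jul 23 11:50:30 2010 [pid 4031] [bob] FAIL LOGIN: Client "198.51.100.7"
"""

IPTABLES_LOG = """\
Jul 23 11:45:57 host kernel: IN=eth0 OUT= MAC=xx SRC=203.0.113.5 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47423 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:45:57 host kernel: IN=eth0 OUT= MAC=xx SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=45370 DF PROTO=TCP SPT=3865 DPT=21 WINDOW=65535 RES=0x00 ACK URGP=0
Jul 23 11:46:08 host kernel: IN=eth0 OUT= MAC=xx SRC=203.0.113.5 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=47500 DF PROTO=TCP SPT=3870 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 23 11:50:25 host kernel: IN=eth0 OUT= MAC=xx SRC=198.51.100.7 DST=192.0.2.10 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=100 DF PROTO=TCP SPT=50000 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
"""

VSFTPD_RE = re.compile(
    r'^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*FAIL LOGIN: Client "([^"]+)"')
IPTABLES_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*\bSRC=(\S+) .*\bDPT=(\d+)\b.* SYN\b')


def is_ip_literal(host):
    """True when the logged client is an address a banning tool can act on directly."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_failures(text):
    """(timestamp, logged client) for each vsftpd FAIL LOGIN line."""
    found = []
    for line in text.splitlines():
        m = VSFTPD_RE.match(line)
        if m:
            found.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return found


def parse_syns(text, port=21):
    """(timestamp, source ip) for each logged SYN to the FTP port, oldest first."""
    found = []
    for line in text.splitlines():
        m = IPTABLES_RE.match(line)
        if m and int(m.group(3)) == port:
            when = datetime.strptime("%d %s" % (LOG_YEAR, m.group(1)), "%Y %b %d %H:%M:%S")
            found.append((when, m.group(2)))
    return sorted(found)


def attribute_failures(vsftpd_text, iptables_text, window=timedelta(seconds=60)):
    """Count login failures per source IP.

    A literal IP in the vsftpd log counts directly. A hostname is attributed to
    the most recent FTP SYN that iptables logged within `window` before the
    failure, which is the time matching the posts above did by hand.
    Returns (Counter of ip -> failures, list of failures nothing matched)."""
    syns = parse_syns(iptables_text)
    counts, unmatched = Counter(), []
    for when, client in parse_failures(vsftpd_text):
        if is_ip_literal(client):
            counts[client] += 1
            continue
        candidates = [(ts, ip) for ts, ip in syns if when - window <= ts <= when]
        if candidates:
            counts[candidates[-1][1]] += 1
        else:
            unmatched.append((when, client))
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = attribute_failures(VSFTPD_LOG, IPTABLES_LOG)
    for ip, n in counts.most_common():
        print("%5d %s" % (n, ip))
    for when, host in unmatched:
        print("unmatched: %s %s" % (when, host))
```

Logging only SYNs (`--syn` on the iptables LOG rule) keeps the correlation input small, and the `unmatched` list is the thing to watch: a failure with no SYN inside the window means either the window is too short or the connection arrived before logging was switched on. The forward-lookup step can also be removed at the source, since vsftpd's `reverse_lookup_enable` option set to `NO` makes it log the client address instead of the PTR name.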


Before you read any further, note: I will not be including the original hack file, simply due to people’s stupidity in putting this on a production environment to play with. If you use the code you do so at your own risk, and by reading this blog entry / using the code provided you agree to accept all liability upon yourself for your own actions. Don’t be an idiot.

Around 10 days ago I came across this seemingly innocuous little file.

What I am going to cover in this entry is dissecting the ‘payload’, and not so much the web app in question or the methods used to compromise it.

Whereas I will not at this time provide the original file, I will provide the md5 and sha1 hashes of the file so you can check it’s not lurking on your systems:

md5: 9ee3e6523d154114460d320477a8665a
sha1: 9c64fecea5620d70a716bbd74f6e89612a4a79c7

The bit we are interested in is the last line of the file:

Were you to run this line you would get

Confused yet? Now, I can appreciate the thinking behind packing a payload to avoid detection, but in this case the payload is packed 12 times, and no, before you ask, I did not manually run each returned statement to find this out.

Enter Python-Fu:

#!/usr/bin/env python
# saiweb.co.uk payload unpack script 26/05/2010
# copy the eval(gzinflate()) line to payload.raw, place in same directory as this file.

"""
Copyright (C) 2010 Buzz saiweb.co.uk.co.uk

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Additional Terms as Per section 7

    Attribution:

    Redistribution/Reuse of this code is permitted under the GNU v3 license, as an additional term ALL code must carry the original Author(s) credit in comment form.
"""

import base64
import re
import sys
import zlib

# One layer of the packing looks like eval(gzinflate(base64_decode('<base64>')));
# The capture group is the base64 blob.
WRAPPER = re.compile(r"eval\(gzinflate\(base64_decode\('([^']+)'\)\)\);")


def unpack(php):
    """Peel off eval(gzinflate(base64_decode(...))) layers until plain PHP remains.
    Returns (unpacked source, number of layers removed)."""
    iteration = 0
    while True:
        match = WRAPPER.search(php)
        if not match:
            return php, iteration
        iteration += 1
        print('Iteration: %d' % iteration, file=sys.stderr)
        gstring = base64.b64decode(match.group(1))
        # gzinflate() is raw DEFLATE with no zlib header, hence the negative window size.
        php = zlib.decompress(gstring, -zlib.MAX_WBITS).decode('latin-1')


def main():
    # Progress goes to stderr so that redirecting stdout captures only the PHP.
    print('Running ...', file=sys.stderr)
    with open('payload.raw') as f:
        php = f.read()
    php, _layers = unpack(php)
    print(php)


if __name__ == '__main__':
    main()

Copy the first payload lines into a file named payload.raw, take the above code and copy it into a file named dissect.py.

When dissect.py is run you will get the following output:

python ./dissect.py
Running ...
Iteration: 1
Iteration: 2
Iteration: 3
Iteration: 4
Iteration: 5
Iteration: 6
Iteration: 7
Iteration: 8
Iteration: 9
Iteration: 10
Iteration: 11
Iteration: 12
<?php
...

As such you may want to run it using the following command:

python ./dissect.py > r57.php

And what you will find after unpacking 12 times in total is that the “payload” is the r57shell. This script is an information gathering tool and pseudo shell, meaning it will run any command on the host server that PHP can, providing in most cases SSH-esque access to the exploited host and allowing an attacker to do pretty much anything they want at this point. Some of the features also include /etc/passwd and /etc/shadow dumping, as well as searching for a tirade of common files (*.sql*, admin* etc.); it’s a one stop script for information gathering on a LAMP/WAMP based host.


Defense: modify php.ini to disable eval(), exec, shell_exec and all non-essential functions.

And of course, ensure your web apps are patched and up to date as well as the host they are running on.
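A way to act on the hashes given above and on the packing wrapper the script unpacks: a scanner that walks a web root, flags any PHP file whose md5 or sha1 matches the packed r57 file, and flags any file that evals a decoded or inflated string. This is an added example, not code from the post; the decoder names beyond gzinflate/base64_decode are an assumption about common variants, and the demo web root it builds is a throwaway directory with a constructed placeholder rather than the real payload. One caveat on the php.ini advice: eval is a language construct in PHP, so disable_functions cannot remove it, which is why spotting these wrappers on disk matters.

```python
import hashlib
import os
import re
import tempfile

# Hashes of the packed file, as given in the post above.
KNOWN_BAD_MD5 = {"9ee3e6523d154114460d320477a8665a"}
KNOWN_BAD_SHA1 = {"9c64fecea5620d70a716bbd74f6e89612a4a79c7"}

# The wrapper the post unpacked, plus sibling decoders it is commonly swapped
# for (assumption: the extra function names are not from the post).
PACKED_RE = re.compile(
    rb"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.IGNORECASE)


def file_hashes(path):
    """md5 and sha1 hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root, extensions=(".php", ".phtml", ".inc")):
    """Return {path: [reasons]} for PHP files that match a known-bad hash or
    contain an eval() of a decoded/inflated string."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            md5, sha1 = file_hashes(path)
            if md5 in KNOWN_BAD_MD5 or sha1 in KNOWN_BAD_SHA1:
                reasons.append("known packed r57 hash")
            with open(path, "rb") as f:
                if PACKED_RE.search(f.read()):
                    reasons.append("eval() of decoded/inflated string")
            if reasons:
                findings[path] = reasons
    return findings


def demo():
    """Build a throwaway webroot with one clean file and one constructed
    packed-looking file (a harmless placeholder, not the real payload) and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "cache.php"), "w") as f:
        f.write("<?php eval(gzinflate(base64_decode('AwA='))); ?>\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, ", ".join(reasons))
```

Hash matching only catches this exact packed file, so the pattern match is the part that generalises; expect a few false positives from legitimate code that evals decoded strings, which is a short list worth reviewing by hand.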


Or, as one of my colleagues said this morning, firmware programming, which in the literal sense of the word I suppose it is.

I’ve decided, as some of my twitter followers may already know, to produce a library / framework for the Teensy Arduino, which is available from subversion here: http://svn.saiweb.co.uk/branches/teensy/trunk/ under the GPL v3 license.

At the time of writing I have worked through this tutorial on operating an RGB LED.

I’ve taken the examples and reworked them into a re-usable library incorporating a multitude of functions.

Being as I have all the parts to work through the full set of tutorials at pjrc, the library will first be updated to incorporate these examples; once complete I’ll be heading over to the HID programming aspect, and there will be a library for a plethora of “fun” applications ;-)


oooooooo SHINY …. I mean erm … yeh … *whistles*

I’ll be taking a look at CUDA over the next few days, the first task being to rig it up in OSX and Eclipse CDT. CUDA is Nvidia’s current push at programming for the GPU, and from what I can see it is a vast improvement over the old Cg days (nVidia’s other attempt at a GPU SDK).

This seems far more popular and has greater support, with the newest nVidia drivers and cards being pushed out ‘CUDA’ ready … and when your app can therefore be used on any system running a compatible GPU, I’m pretty sure cross platform is not going to be an issue. Then there’s the performance side of things, with the GPU’s parallel architecture massively outperforming CPUs.

If I have the time I will be getting a couple of CUDA shell projects out the door; I have a very basic concept for one already but you’ll just have to wait and see ;-)


UPDATE:
Despite a quick play during my lunch I can’t get the CUDA examples compiling …


Welcome to part one of the ‘zen of secured shared hosting’ series.

In this part I will be covering the concepts of secured shared hosting, and why you as a shared hosting provider should be taking steps to ensure this is how you deploy your hosting environments.

Let’s first take a typical L.A.M.P setup:

PHP Compiled from source as apache module.
mySQL installed from RPM or update package (yum / up2date).
HTTPD installed as RPM or update package (yum / up2date).

Please note at the time of writing if you yum / apt-get / up2date install your PHP package you will have varying results when attempting to compile and install suPHP, as such grab the source code from php.net, and follow this series.

As a shared hosting provider, let’s say you have 5 clients all hosted from the one server; each client using vsftpd is chrooted into their home directory and their ssh access is disabled, supposedly secure enough.

Unfortunately not so: due to the L.A.M.P configuration the ‘apache’ user needs a minimum of read and execute permissions over all the PHP files on the system. Why is this a problem?

This is a problem largely due to the human nature of the client. Your ‘joe bloggs’ client doesn’t care about the technical aspects of web hosting or websites; they just want an easy, pretty interface to get their corner of the internet online, downloading something like Drupal or Joomla.

Now this isn’t a dig at open source CMS, this is an insight into human nature: look at the changelog for any open CMS and you will see ‘security fixes’. Unfortunately all ‘joe bloggs’ cares about is that their website is working, and this is where things take a turn for the worse.

Joe Bloggs never updates his open CMS platform, meaning any vulnerabilities patched in subsequent releases are still exploitable on his website; the worst case scenario is that this is an XSSI (Cross Server Script Includes) vulnerability.

An attacker finds this website and identifies the security hole, using XSSI to install a PHP interactive shell, giving the attacker SSH-like access to the hosting environment. Most people at this point think: so the attacker has compromised one site, so what? We can restore that site from backups, and it’s only one site that’s affected; the other 4 users either do not use an open CMS or are up to date with all the security patches.

Well, that’s where you would be wrong. With the hosting setup outlined above the SSH-like PHP shell is now running as the apache user, meaning the attacker can go anywhere and read anything apache can, and with that setup that means reading things like database connection files. Suddenly all the clients on the hosting environment have their websites compromised as the attacker gains mySQL access and starts changing content on the websites, despite the fact that the other 4 sites themselves were never exploited.

One client’s error just became a cascading exploit on your hosting platform. Now make that a more realistic platform, say 30 clients on the box, some of them online shops: the issue just became a whole lot bigger. There is lost revenue due to downtime of the shop sites, and worse still the attacker now has access to any customer details those shops were storing! But it’s not Joe Bloggs that’s accountable, it’s YOU as the hosting provider. You can take steps to prevent one exploited site becoming 30, and this web series will tell you how to do it.
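The exposure described above can be measured before it is exploited: under a single apache user, any database connection file that carries group or world read bits is readable from every other client's PHP. The audit below, an added example and not part of the series, walks one directory per client under a hosting root, reports the credential files another client's code could read, and builds its own throwaway layout to run against. The file names it looks for are an assumption about common CMS defaults, not something the post lists.

```python
import os
import stat
import tempfile

# Files that typically hold database credentials in the open CMSs the post
# mentions (assumption: Joomla, Drupal and WordPress defaults, not from the post).
CREDENTIAL_FILES = {"configuration.php", "settings.php", "wp-config.php"}


def readable_by_others(mode):
    """True if the group or world read bit is set, i.e. a shared 'apache' user can read it."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_vhosts(root):
    """Walk each client directory directly under root and list credential files that
    PHP running as one shared user (so any other client's shell) could read.
    Returns [(vhost, path relative to root, octal mode), ...]."""
    findings = []
    for vhost in sorted(os.listdir(root)):
        vroot = os.path.join(root, vhost)
        if not os.path.isdir(vroot):
            continue
        for dirpath, _dirs, files in os.walk(vroot):
            for name in files:
                if name not in CREDENTIAL_FILES:
                    continue
                path = os.path.join(dirpath, name)
                mode = os.stat(path).st_mode
                if readable_by_others(mode):
                    findings.append((vhost, os.path.relpath(path, root), oct(mode & 0o777)))
    return findings


def demo():
    """Constructed two-client layout: one credential file left at the mod_php-style
    0644 the shared user needs, one at the 0600 a per-user PHP setup allows."""
    root = tempfile.mkdtemp()
    layout = {
        ("shop1", "configuration.php"): 0o644,   # readable by apache, hence by every client's PHP
        ("blog2", "settings.php"): 0o600,        # owner only; the target state once PHP runs per user
        ("blog2", "index.php"): 0o644,           # ordinary page, not a credential file
    }
    for (vhost, name), mode in layout.items():
        os.makedirs(os.path.join(root, vhost), exist_ok=True)
        path = os.path.join(root, vhost, name)
        with open(path, "w") as f:
            f.write("<?php // constructed placeholder, no real credentials\n")
        os.chmod(path, mode)
    return audit_vhosts(root)


if __name__ == "__main__":
    for vhost, relpath, mode in demo():
        print("%-8s %-32s %s" % (vhost, relpath, mode))
```

On a mod_php box every hit this reports is unavoidable, because apache has to read the file; the list is the blast radius of a single compromised site. Once PHP runs as the file owner, the same files can go to 0600 and the report should come back empty.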

coming in part 2:

an introduction to suPHP
compiling php as a cgi binary, and why you need to do so


Getting this email on a regular basis?

Please find attached a statement of fees as requested, this will be
posted today.

The accommodation is dealt with by another section and I have passed
your request on to them today.

Kind regards.

Hannah

Yes, it is a virus; the attached .doc.exe file seems to vary daily in its choice of virus.

So far it has been:

TROJ_AGENT.ANID
TROJ_ZBOT.WB (No page exists for this variant at the moment)
WORM_SYSTEM.AA

All 3 of which were not detected by the most up to date pattern from Trend, having instead to resort to their CPR release (Controlled Pattern) after emailing these samples to their labs (another unknown variant was received today and sent to Trend labs).

This brings into question the validity of “honey pot” accounts to catch these viruses; the only reason I am able to obtain these “samples” before they become a problem is that I have a “honey pot” email account with a generic, often spammed address format for this purpose.

This is making “Honey pots” more of a NEED now instead of an “Über Techies” box of tricks the end user is afraid to go within 30 meters of.

If you run a Windows based network I suggest you do some research into how to set up a good honey pot (DO NOT use an account on your Exchange server, that would be REALLY stupid); you can also post a comment or use the contact form for advice.

Once set up, make it part of your daily routine to test samples as they come in against your anti virus solution, making sure you know how to send samples to the provider’s labs for analysis.


OK, so I’m a little behind here: last Friday, 22/08/2008, hackers broke into Red Hat.

http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html

If you run a Red Hat system grab the script from here:

http://www.redhat.com/security/data/openssh-blacklist.html

And check for potentially compromised packages.


Rarely has an adware / spyware given me cause to chuckle; this little sod sets the desktop background to a nice bright blue and yellow warning shouting “You have a virus” … and places a desktop shortcut to the offending program, Antivirus XP 2008.

On top of that, in the case I am currently working on it has set the local machine’s GPO to hide the “Desktop” tab in the desktop properties.

The idea behind this is shock fraud: upon running the program it will tell you the computer is infected with thousands of malware and viruses which won’t show up on any other anti virus product, leaving you with supposedly one option … to PAY for their software …

Yeh like hell …

Fortunately the guys over at bleepingcomputer.com are on top of things, and provide removal instructions for this fraudulent software.

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

I’ll be interested to see if their removal tool resets the GPO.

UPDATE: Make sure after installing the malwarebytes’ software that you first run an update before scanning.

As mentioned in the bleeping computer article, if your antivirus let this program in in the first place it may be worth purchasing the pro version of Malwarebytes’ to get the real time protection (NOTE: the freeware version will remove Antivirus XP 2008 regardless).

You can do this via either of the following links:

Saiweb Affiliate Link

Bleepingcomputer.com Affiliate Link

UPDATE 2: Malwarebytes’ removed Antivirus XP 2008, and restored the “display” tab, under desktop properties.

*** DISCLAIMER ***

As sad as it is, I have to include the following statement:

This information is provided as a self help guide only, by following the instructions provided you do so at your own risk.
