Archive for the “hacking” Category


Welcome to part one of the ‘zen of secured shared hosting’ series.

In this part I will be covering the concepts of secured shared hosting, and why you, as a shared hosting provider, should be taking steps to ensure this is how you deploy your hosting environments.

Let’s first take a typical L.A.M.P setup:

PHP compiled from source as an Apache module.
MySQL installed from RPM or update package (yum / up2date).
HTTPD installed from RPM or update package (yum / up2date).

Please note that at the time of writing, if you install your PHP package via yum / apt-get / up2date you will get varying results when attempting to compile and install suPHP; as such, grab the source code from php.net and follow this series.

As a shared hosting provider, let’s say you have 5 clients all hosted on the one server; each client using vsftpd is chroot()ed into their home directory, and their SSH access is disabled. Supposedly secure enough.

Unfortunately not so: due to the L.A.M.P configuration the ‘apache’ user needs a minimum of read and execute permissions over all the PHP files on the system. Why is this a problem?

This is a problem largely due to the human nature of the client: your ‘Joe Bloggs’ client doesn’t care about the technical aspects of web hosting or websites, they just want an easy, pretty interface to get their corner of the internet online, so they download something like Drupal or Joomla.

Now this isn’t a dig at open source CMSs, this is an insight into human nature: look at the changelog for any open CMS and you will see ‘security fixes’. Unfortunately all ‘Joe Bloggs’ cares about is that their website is working, and this is where things take a turn for the worse.

Joe Bloggs never updates his open CMS platform, meaning any vulnerabilities patched in subsequent releases are still exploitable on his website; the worst case scenario is that this is an XSSI (Cross Server Script Includes) vulnerability.

An attacker finds this website and identifies the security hole, using XSSI to install an interactive PHP shell, giving the attacker SSH-like access to the hosting environment. Most people at this point think: so the attacker has compromised one site … so what? We can restore that site from backups, and it’s only one site that’s affected; the other 4 users either do not use an open CMS or are up to date with all the security patches.

Well, that’s where you would be wrong. With the hosting setup outlined above the SSH-like PHP shell is now running as the apache user, meaning the attacker can go anywhere and read anything apache can, and with that setup it means reading things like database connection files. Suddenly all the clients on the hosting environment have their websites compromised, as the attacker gains MySQL access and starts changing content on the websites, despite the fact that the other 4 sites themselves were never exploited.

One client’s error just became a cascading exploit on your hosting platform. Now make that a more realistic platform, say 30 clients on the box, some of them online shops: the issue just became a whole lot bigger. There is lost revenue due to downtime of the shop sites, and worse still the attacker now has access to any customer details those shops were storing! But it’s not Joe Bloggs that’s accountable, it’s YOU as the hosting provider. You can take steps to prevent one exploited site becoming 30, and this web series will tell you how to do it.
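To see how far one compromised site would reach on a box like the one described, a provider can audit which PHP files are readable by accounts other than their owner, since under the mod_php model that is exactly what the shared apache user (and a PHP shell running as it) can read. This is an added audit script, not code from the original post; the home-directory layout and the config file name patterns it flags are assumptions, and the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit PHP files that any other
# account on the box (e.g. the shared 'apache' user) can read.

# List PHP files under $1 whose "other" read bit (004) is set.
# Under mod_php these are readable by a PHP shell running from any
# neighbouring site that has been compromised.
audit_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 | sort
}

# Of those, flag the ones whose name suggests database credentials, the
# files the post singles out as the pivot from one site to all of them.
# The name patterns are assumptions about common CMS layouts.
audit_readable_db_configs() {
    audit_readable_php "$1" \
        | grep -E '(^|/)(wp-config|configuration|settings|config)\.php$' || true
}

# Build a constructed two-client home tree under $1 for demonstration:
# joe's files are world-readable, jane's config is owner-only.
build_sample_tree() {
    root="$1"
    mkdir -p "$root/joe/public_html" "$root/jane/public_html"
    printf '<?php $db_pass = "joe-secret";\n'  > "$root/joe/public_html/config.php"
    printf '<?php echo "hello";\n'             > "$root/joe/public_html/index.php"
    printf '<?php $db_pass = "jane-secret";\n' > "$root/jane/public_html/config.php"
    chmod 644 "$root/joe/public_html/config.php" "$root/joe/public_html/index.php"
    chmod 600 "$root/jane/public_html/config.php"
}

demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
echo "PHP files readable by other accounts:"
audit_readable_php "$demo_root"
echo "of which likely DB credential files:"
audit_readable_db_configs "$demo_root"
rm -rf "$demo_root"
```

Run it against the real home tree (e.g. `audit_readable_php /home`) to get the list of files a single compromised site could read; moving PHP execution to per-user accounts, as the upcoming suPHP parts describe, is what lets those files become mode 600.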

Coming in part 2:

An introduction to suPHP
Compiling PHP as a CGI binary, and why you need to do so

Comments No Comments »

Getting this email on a regular basis?

Please find attached a statement of fees as requested, this will be
posted today.

The accommodation is dealt with by another section and I have passed
your request on to them today.

Kind regards.

Hannah

Yes, it is a virus; the attached .doc.exe file seems to vary daily in its choice of virus.

So far it has been:

TROJ_AGENT.ANID
TROJ_ZBOT.WB (No page exists for this variant at the moment)
WORM_SYSTEM.AA

All 3 of which were not detected by the most up-to-date pattern from Trend, having to instead resort to their CPR release (Controlled Pattern) after emailing these samples to their labs (another unknown variant was received today, and sent to Trend labs).

This brings into question the validity of “honey pot” accounts to catch these viruses: the only reason I am able to obtain these “samples” before they become a problem is that I have a “honey pot” email account, with a generic, often-spammed address format, for this purpose.

This is making “honey pots” more of a NEED now, instead of an “Über Techies” box of tricks the end user is afraid to go within 30 meters of.

If you run a Windows based network I suggest you do some research into how to set up a good honey pot (do NOT use an account on your Exchange server, that would be REALLY stupid); you can also post a comment or use the contact form for advice.

Once set up, make it part of your daily routine to test samples as they come in against your anti-virus solution, making sure you know how to send samples to the provider’s labs for analysis.

Comments No Comments »

OK, so I’m a little behind here: last Friday, 22/08/2008, hackers broke into Red Hat.

http://www.pcworld.com/businesscenter/article/150212/hackers_crack_into_red_hat.html

If you run a Red Hat system grab the script from here:

http://www.redhat.com/security/data/openssh-blacklist.html

And check for potentially compromised packages.

Comments No Comments »

Rarely has adware / spyware given me cause to chuckle; this little sod sets the desktop background to a nice bright blue and yellow warning shouting “You have a virus” … and places a desktop shortcut to the offending program, Antivirus XP 2008.

On top of that, in the case I am currently working on it has set the local machine’s GPO to hide the “Desktop” tab in the desktop properties.

The idea behind this is shock fraud: upon running the program it will tell you the computer is infected with thousands of malware and viruses, which won’t show up on any other anti-virus product, leaving you with supposedly one option … to PAY for their software …

Yeh like hell …

Fortunately the guys over at bleepingcomputer.com are on top of things, and provide removal instructions for this fraudulent software.

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

I’ll be interested to see if their removal tool resets the GPO.

UPDATE: Make sure that after installing Malwarebytes’ software you first run an update before scanning.

As mentioned in the Bleeping Computer article, if your anti-virus let this program in in the first place, it may be worth purchasing the pro version of Malwarebytes’ to get the real-time protection (NOTE: the freeware version will remove Antivirus XP 2008 regardless).

You can do this via either of the following links:

Saiweb Affiliate Link

Bleepingcomputer.com Affiliate Link

UPDATE 2: Malwarebytes’ removed Antivirus XP 2008, and restored the “display” tab, under desktop properties.

*** DISCLAIMER ***

As sad as it is, I have to include the following statement:

This information is provided as a self help guide only, by following the instructions provided you do so at your own risk.

Comments No Comments »

The downside of a development server is … it’s for development.

It is not always cost effective to have the exact same setup as you have in your production environment …

Especially if you have a multi server setup.

So I find myself today moving /var/lib/mysql … as the OS drive is very small, and pulling down a near 20GB database backup and then trying to rebuild the database on the same drive … well, as you can imagine, caused a few problems *doh*


/etc/init.d/mysql stop
mv /var/lib/mysql /raid_5/

So surely you just symlink … right?


ln -s /raid_5/mysql /var/lib/mysql
/etc/init.d/mysql start

Well, the answer would be no … upon importing the backup


mysql < backup.sql
Can't create table './database/table.frm' (errno: 121)

A nice errno: 121


/etc/init.d/mysql stop
rm -rf /var/lib/mysql
mkdir /var/lib/mysql
chown mysql:mysql /var/lib/mysql
mount --bind /raid_5/mysql /var/lib/mysql
/etc/init.d/mysql start

et voila …

Data directory is relocated and the import working smoothly. Feel free to suggest any “cleaner” methods.

Comments No Comments »

This is another _old_ proof of concept I had several years ago: you can in fact use PHP to scan ports. Bear in mind the legality of this is still somewhat _hazy_, therefore if you must port scan I recommend you only do so on systems you operate.

Disclaimer: This tutorial is provided for informational purposes only.

<?php
/**
 * Proof of concept class for port scanning in PHP
 * @author David Busby
 *
 * The MIT License
 *
 * Copyright (c) 2005-2008 David Busby
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */
class port_scan
{
        private $result_stack = array();
        private $out = '';

        public function __construct($tgt = '127.0.0.1', $protocol = 'tcp', $start_port = 80, $end_port = 90) {

                // Number of ports in the (inclusive) range, used for the header line
                $count = ($end_port - $start_port) + 1;
                $str   = '----- PORT SCAN '.$count.' '
                       . strtoupper($protocol).' PORT'.(($count > 1) ? 'S' : '')
                       . ' -----';
                $this->push_result_stack($str);
                $str = 'HOST: '.$tgt;
                $this->push_result_stack($str);
                $str = 'DATE: '.date('r');
                $this->push_result_stack($str);
                $this->run_scan($tgt, $protocol, $start_port, $end_port);
                $this->output_results();
                echo $this->out;
        }

        private function run_scan($tgt, $protocol, $start_port, $end_port) {

                // fsockopen() takes the transport as a URL scheme in front of the host
                switch($protocol) {
                        case 'udp':
                                // NOTE: a udp:// fsockopen() usually appears to succeed even
                                // when nothing is listening, so UDP results are not meaningful.
                                $host = 'udp://'.$tgt;
                        break;
                        case 'tcp':
                        default:
                                $host = 'tcp://'.$tgt;
                        break;
                }

                // A single loop also covers the start_port == end_port case
                while($start_port <= $end_port) {
                        // @ suppresses the warning fsockopen() emits when it cannot connect
                        $fp = @fsockopen($host, $start_port, $errno, $errstr, 0.5);
                        $this->record_result($start_port, $fp);
                        if($fp !== false) {
                                fclose($fp);
                        }
                        $start_port++;
                }
        }

        private function record_result($port, $fp = false) {
                // fsockopen() returns a stream resource on success and false on failure
                $res = ($fp !== false) ? 'OPEN' : 'CLOSED';
                $this->push_result_stack('PORT '.$port.' '.$res);
        }

        private function push_result_stack($str) {
                array_push($this->result_stack, $str);
        }

        private function output_results() {
                foreach($this->result_stack as $data) {
                        $this->out .= $data."\n";
                }
        }
}

$scan = new port_scan();

?>

Sample output:

----- PORT SCAN 11 TCP PORTS -----
HOST: 127.0.0.1
DATE: Thu, 19 Jun 2008 08:43:13 +0100
PORT 80 OPEN
PORT 81 CLOSED
PORT 82 CLOSED
PORT 83 CLOSED
PORT 84 CLOSED
PORT 85 CLOSED
PORT 86 CLOSED
PORT 87 CLOSED
PORT 88 CLOSED
PORT 89 CLOSED
PORT 90 CLOSED

NOTE: The current timeout is 0.5s per socket, meaning you have a potential runtime of (($end_port - $start_port) * 0.5) seconds. Make sure this does not exceed your max execution time, or in the constructor add:

// worst-case runtime of the scan plus a 5 second buffer
$time = (($end_port - $start_port) * 0.5) + 5;
set_time_limit((int) ceil($time));

This will increase the max execution time with a 5 second buffer.

Please also note that in most cases of “shared” hosting you will not be able to create socket connections; they will either be blocked by the hosting provider’s firewall or disabled at the PHP runtime, therefore not giving an accurate result.

Again, please note this is a proof of concept; you may freely distribute the code under the MIT licence.

Comments No Comments »

Want iPhone style functionality on your n95?

Well one thing that didn’t make it into the tech spec sheets is the fact the n95 has an accelerometer!

This app RotateMe allows you to rotate the screen by rotating your phone (removing the need to use the media slide).

Then there’s ShutUp! place the phone face down to activate one profile (i.e. silent) and pick it up again to activate another.

And NokMote a project by the same developer to bring wii-mote style control to your n95.

For the Star Wars fan (geek): LightSabre, need I say more?

Inclinometer is aimed at off-roaders: by putting your n95 on your dashboard and running this app it will tell you the current angle of the car.

The downside is some of these apps require them to be “signed” against the IMEI of your phone … I will update as I find how to do this easily.

Comments 1 Comment »

So the 3g iPhone is out, and a _lot_ of 1st gen iPhone people are looking to grab this new phone as a replacement due to the new features, 3g, gps etc …

That leaves a _LOT_ of 1st gen iPhones that potentially are going to end up on your local dump (landfill) …

Further to the “Green Giant” Beowulf cluster project, with the 1st gen iPhone having been cracked open for homebrew multiple times (Hackaday search for iPhone), why not try to recycle the 1st gen iPhones into this project as cluster nodes?

I am now looking at places like Freecycle to see if I can get hold of any 1st gens to do development on … time will tell

But one of the features I have planned should I be able to get hold of a 1st gen or two is using the accelerometer to control the nodes online / offline status …

Anyway all concept and dreams unless one appears.

UPDATE: Please Digg This Entry, Stumble This Entry

Comments 2 Comments »

So I finally got a response …

Hello,

Thanks for asking about shipping. All shipping and handling costs are per item and as advertised on eBay. We don’t negotiate on shipping at all. Please refer to the shipping costs per item mentioned clearly at the bottom of all eBay items. Insurance per item is also not negotiable but is optional. Please note that shipping consists of various things such as packaging, handling, insurance, bar-coding, automation and 3rd party services from the Insurance co. and electronic postage processing which includes postage and automatic notification.

Somehow I really do not see that I am going to get £16 worth of postage from £3.96 worth of items …

Beware the eBay small print; I am quite annoyed at this, I really didn’t expect this from a UK seller.

Comments 1 Comment »

So I got my “adjusted” postage … the seller has increased the combined postage to £64 and then applied a £48 discount, yeh you guessed it, resulting in the same £16 (£4 per card) postage cost …

I’ve seen some blatant attempts to con people before, but just … wow … I’m giving the seller on eBay time to correct this … otherwise I’m going to name and shame.

Comments No Comments »