Saiweb

If you are seeing ‘suPHP::LookupException‘ in your apache error logs, this is due to the suPHP_UserGroup line in your virtualhost config.

This error indicates that the user and/or the group specified in the config does not exist, this can happen if you have typed in either incorrectly, and/or the user has been removed from the system (see /etc/passwd).

Due to the security issues with wordpress pre 2.6.5, I have deleted all registered users.

All the accounts were registered around the same time, and had never been logged in to.

So please re-register if you are a genuine user.

Cheers

Buzz

Welcome to part one of the ‘zen of secured shared hosting’ series.

In this part I will be covering the concepts of secured shared hosting, and why you as a shared hosting provider should be taking steps to ensure this is how you deploy your hosting environments.

Let’s first take a typical L.A.M.P setup:

PHP Compiled from source as apache module.
mySQL installed from RPM or update package (yum / up2date).
HTTPD installed as RPM or update package (yum / up2date).

Please note at the time of writing if you yum / apt-get / up2date install your PHP package you will have varying results when attempting to compile and install suPHP, as such grab the source code from php.net, and follow this series.

As a shared hosting provider lets say you have 5 clients all hosted from the one server, each client using vsftpd is chrooted() into their home directory, and their ssh access disabled, supposedly secure enough.

Unfortunatly not so, due to the L.A.M.P configuration the ‘apache’ user needs a minimum of read and execute permissions over all the PHP files on the system, why is this a problem?

This is a problem largely due to human nature of the client, your ‘joe bloggs’ client doesn’t care about the technical aspects of web hosting or websites, they just want an easy pretty interface to get their corner of the internet online, downloading something like drupal or joomla.

Now this isn’t a dig at open source CMS, this is an insight into human nature, look at the changelog for any open CMS and you will see ’security fixes’, unfortunatly all ‘joe bloggs’ cares about is that their website is working, and this is wher things take a turn for the worse.

Joe Bloggs never updates his open CMS platform, meaning any vulnerabilities patched in subsequent releases are still exploitable on his website, worst case scenario that this is an XSSI (Cross Server Script Includes) vulnerbility.

An attacker finds this website and idetifies the security hole, using XSSI to install a PHP interactive shell, giving the attacker SSH like access to the hosting environment, most people at this point think so the attacker has compromise one site … so what we can restore that site from backups and it’s only one site that’s affected, the other 4 users either do not use open CMS or are up to date with all the security patches.

Well that’s where you would be wrong, with the hosting setup outlined above the SSH like PHP shell is now running as the apache user, meaning the attacker can go anywhere and read anything apache can, and with the hosting setup oulined above that mean reading things like datbase connection files, suddenly all the clients on the hosting environment have their websites compromised as the attacker gains mySQL access and starts changing content on thewebsites, despite the fact that the other 4 sites themselves were never exploited.

One clients error just became a cascading exploit on your hosting platform, now make that a more realistic platform say 30 clients on the box, some are online shops, the issue just became a whole lot bigger there is lost revenue due to downtime of the shop sites, and worse still the attacker now has access to any customer details those shops were storing! but it’s not Joe Bloggs that’s accountable it’s YOU as the hosting provider, you can take steps to prevent one exploited site becoming 30, and this web series will tell you host to do it.

coming in part 2:

an introduction to suPHP
compiling php as a cgi binary, and why you need to do so

Getting this email on a regular basis?

“Please find attached a statement of fees as requested, this will be
posted today.

The accommodation is dealt with by another section and I have passed
your request on to them today.

Kind regards.

Hannah ”

Yes it is a virus the attached .doc.exe file seems to vary daily in it’s choice of virus.

So far it has been:

TROJ_AGENT.ANID
TROJ_ZBOT.WB (No page exists for this variant at the moment)
WORM_SYSTEM.AA

All 3 of which were not detected in the most uptodate pattern from trend, having to instead resort to their CPR release (Controlled Pattern), after emailing these samples to their labs (Another unknown variant was received today, and sent to Trend labs).

This brings into question the validity of “Honey pot” accounts to catch these viruses, the only reason I am able to attain these “samples” before they become a problem is due to the fact I have a “Honey pot” email account with a generic often spammed address format for this purpose.

This is making “Honey pots” more of a NEED now instead of an “Über Techies” box of tricks the end user is afraid to go within 30 meters of.

If you run a windows based network I suggest you do some research into how to setup a good honey pot (DO not use an account on your exchnage server that would be REALY stupid), you can also post a comment or use the contact for for advice.

Once setup make it part of your daily routine to test samples as they some in against your anti virus solution, making sure you know how to send samples to the providers labs for analysis.

Rarely has an adware / spyware given me cause to chuckle, this little sod sets the desktop background with a nice bright blue and yellow warning shouting “You have a virus” … and places a desktop shortcut to the offending program Antivirus XP 2008.

On top of that in the case I am currently working on it has set the local machines GPO to hide the “Desktop” tab in the desktop properties.

The idea behind this is shock fraud, upon running the program it will tell you the computer is infected with thousands of malware and viruses, which wont show up on any other anti virus product, leaving you with supposedly one option … to PAY for their software …

Yeh like hell …

Fortunately the guys over at bleepingcomputer.com are on top of things, and provide removal instructions for this fraudulent software.

http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

I’ll be intrested to see if their removal tool resets the GPO.

UPDATE: Make sure after installing the malwarebytes’ software that you first run an update before scanning.

As mentioned in the bleeping computer article, if your antvirus let this program in, in the first place it may be worth purchasing the pro version of Malwarebytes’ to get the real time protection (NOTE: The freeware version will remove Antivirus XP 2008 regardless).

You can do this via with of the following links:

Saiweb Affiliate Link

Bleepingcomputer.com Affiliate Link

UPDATE 2: Malwarebytes’ removed Antivirus XP 2008, and restored the “display” tab, under desktop properties.

*** DISCLAIMER ***

As sad as it is, I have to include the following statement:

This information is provided as a self help guide only, by following the instructions provided you do so at your own risk.

Trend Micro Page

After all the problems I had with Cryp-TAP-2 (here) I’m going strait for the COMBOFIX option! I’ll update with how I get on.

UPDATE: Everything looks good so far, booted into safe mode, and ran combofix, the system is now rebooting normally, now waiting on the log report.

UPDATE2: Combofix did the job YET again! getting a popup or too still about the system restore volume, from the look of the report this little bugger hooks itself into system processes (explorer.exe svchost.exe)

Chroot’ing a user is always a good idea from a security perspective, but by default it leaves usability lacking.

For example a web development department quite rightly is using individual logins, with each developer able to access each of their site directories, in a non chroot environment.

The downside? the can also browse pretty much the entire server, and each others directories …

So rather than some extensive and long winded chmoding or directories, we need to chroot them and still preserve access to the shared directories …

But how?

In this case the shared resource will be /home/shared

First of all for security and chrooting purposes make the following changes to /etc/vsftpd/vsftpd.conf

Now reload vsftpd: /etc/init.d/vsftpd

Create a test user (in this case buzz):

Remove the user’s shell access (and subsequently sftp/scp) by editing /etc/pass wd (remove the space between pass wd, wordpress is breaking when I try to post it properly)

replace

with

Test the FTP session:

In the example above

is a symlink to

, as can be seen symlinking does not bypass the chroot settings.

What you need to do is use the “bind” option of the mount command (as root or a sudo’er):

NOTE: –bind is double dash bind

Now re-test the ftp session:

The user now is in a chroot’ed environment, but can still access the share resources you specify, by binding them.

FAQ:

Why remove the users SSH / SCP access?

SCP/SFTP at the time of writing has no logging facility, making it next to impossible to find out who uploaded / overwrote a file in the shared resource at any given time.

By forcing FTP all transactions will appear in the xfer log.

There are mods for SCP out there to allow logging, however you can use them at your own risk I do not recommend using them on a customer facing environment.

Why would I want to “chroot” the user?

Change

to

and reload vsftpd, now login to ftp hand try to get out of your home directory,

you will notice you can pretty much browse the entire file system, and depending on the setup write and delete files owned by anyone in the same group as that user.

By chroot’ing the user you are reducing the potential for things to go wrong on your server, as you add more and more users it reduces the “sys admin” time incurred due to user error.

NOTE: Remember to put

back and reload vsftpd!

Disclaimer:

You break it, it’s not my fault!

If you run into problems just leave a comment.

To often I get passed code to review that quite frankly is so full of holes it wouldn’t make an adequate sieve…

So in this quick blog I outline a few simple and easily implemented steps to ensure as you start out in the world of PHP, your first site isn’t hacked within 5 minutes, leaving you a whimpering wrek …

PHP DON’T EXAMPLE 1:

Passing RAW globals to mysql!

i.e.

So what is wrong with the above? SQL INJECTION welcome to a world where people want to break your website, simply because they can …

I am not going to add more description, just click through to the wiki pedia entry linked above …

To avoid this PHP comes with two functions mysql_escape_string() and mysql_real_escape_string()

An example taken from the mysql_real_escape_string() page:

Example#2 An example SQL Injection Attack

The query sent to MySQL:

This would allow anyone to log in without a valid password.

So in summary READ the mysql_real_escape_string() page, and even if you don't implement the "best practice" example on that page PLEASE make sure you at least escape $_SESSION $_GET $_POST inputs with a mysql escape function!