Hosting

Server security and PHP Safe mode

Sameer Alibhai — Fri, 04 Jul 2008 23:27:47 GMT

Last weekend was a bit of a disaster. One of the servers I was maintaining was hacked, big time. How did the (not so nice word) guys do it? Well, first of all, I learned hackers think they are doing good deeds. They did me a favor by hacking my server and by not "deleting all the files". They only defaced some 30 something sites and caused me lots of misery and site cleanup. Why do I say this? Based on the hacker's signatory message - "Owned by nEtDeViL .. Just testing your Security .. Peace ! .. net_devil@.......com"

So Mr. hacker dude, if you really want to just "test" my security, why don't you send me a kind email stating that you found some security holes and how to fix them? That would be a real gem of a good deed :)

Anyway, there is always light at the end of the tunnel, good always comes from bad, if you are patient and learn from your mistakes.

Here is what I learned - TURN ON PHP SAFE MODE! The hacker exploited some old postNuke script in the albums folder uploaded some old Russian hack script called r57shell.php . This script allowed him to install some rootkits which basically log everything you do on the server and all sorts of crap. Which caused me to have to get a new server, yada yada.. :(

Now the first reason they managed to achieve this, is I didn't have php safe mode on. I didn't want to inconvenience my buddies on the server (ya right, dumb move.) So even if they managed to upload it, they can't do much with PHP safe mode on. But with PHP safe mode off, well sorry buddy, even your own pals on the server can use this script to take over the server if you didn't give your friends full rights to run stuff on it and they get mad at you (you know what they say.... keep your friends close and your enemies ....)

Second thing, I went all out and installed Suhosin (grown out of what was known as PHP Hardening Patch). I don't know how much this will help me, but at the least it didn't break anything on the server, so I'm leaving it there for good measure.

There is also Mod_Security for Apache but that's a bit difficult cuz it will slow down your server by checking every single request plus it will break a bunch of scripts so you will have to keep tweaking the regular expressions to get it to work nicely especially if you have tons of apps on the server.

Related reading - Forum Post: Tightening your PHP Security (just a few easy tips on how to tighten your security)

PS.. this server is running Microsoft Windows so don't even bother trying to hack it ;) -- okay don't laugh

20% Extra Security is Enough To Stop Kiddie Hackers

Sameer Alibhai — Mon, 05 May 2008 22:39:30 GMT

Here's a security problem for you.

How do we stop people from using brute force attacks on our logon page?
Well, simple... just add a captcha.

Well, umm.. captcha is already broken. Even if it isn't, they can hire someone overseas to sit there all day and crack away at it.. right ?
Well, umm... fine, so we'll set up this security scanner, and add that vulnerability protector, and automatically ban this and that, and let's do this.. and that, and this, and that, and so on, and so forth, until we have a fortress.

Tell you the truth. Unless your site is heavily targetted, captcha is probably good enough. In fact, my experiences is that you just put in 20% effort and you will stop 80% of the hackers (there's that 80/20 rule again...!). For example, I had a web server that was getting daily hack attempts on the ssh port (port 21). I had done lots of security tightening on it. For example, I disabled root login, I added an automatic email that was sent to me on root logon, and so on... As well I had a software installed that would ban them after a certain number of failed logins, and would send me an email. This software was called BFD (Brute Force Detection). After getting these daily hack attempts, I decided I had enough, and I changed the port to a random value (say 561). Since that day, I haven't received hardly one or two hack attempts. Seems most hackers were the kiddy hackers that didn't really bother to try hard enough. A simple port scan would have revealed my SSH port. However.. by putting in that 20% effort, I got rid of 80% of the losers.

I eventually re-enabled direct root logon, since I realized this simple step was enough.

Now if your site is going to be targetted by hackers, no matter what you do, catpcha or no captcha, IP blocking or not, if they want to get in, they will get in. The best way to stop those hackers is to hire some l33t hackers yourself to try to break their way in and then block it. You will need to do some security audits and close any open holes you might have.

But in the end, the idea is, just put in a little extra security, don't just leave your login page open for brute force attacks, because you never know,....they might have already hacked your site (scary.. isn't it?)

Update - I found a good example of this in action - take a look at this quote from EmailSpoofer.NET:

Your Javascript sucks, I can decode it in 5min, why is it so easy to decode?

All javascript can be decoded. Its a matter of how much time/resources you want to devote to it. However, in this case, the javascript isn't meant to be difficult to be decoded by humans. It's meant to be difficult to be decoded by spambots. That being said, if you see some improvements I could make to the javascript routine, feel free to send them to me. I’d love to incorporate them into the control. However, please don't send me scripts that is someone else's work. Please send your original. Thanks!

Keep in mind that the 20% is always increasing. Hackers get smarter over time, and so you need to keep up with this minimum 20%. Take a look at how I was hacked in Server Security and PHP Safe mode

70GB of Files Uploaded Because of a Trojan Virus

Sameer Alibhai, Ashiq Alibhai — Wed, 18 Jul 2007 03:16:03 GMT

The name 'trojan' came from a historical concept known as a 'Trojan Horse'. It was actually a giant wooden horse that was given as a gift to some town or castle, but in reality it was not a gift but had soldiers inside it who jumped out and attacked and ramsacked the town or castle. This word has now come to mean a program that gets inside and attacks your computer! It could be an innocent looking software that you install that has this on it.

Recently I was dealing with a server that was compromised by the Trojan Wollf Virus...

According to Symantec, "Backdoor.Wollf.16 is a Backdoor Trojan Horse that installs itself as a server and allows unauthorized access to an infected computer.."

According to Sophos, it:

Allows others to access the computer
Steals information
Downloads code from the internet
Records keystrokes
Installs itself in the Registry

Now.. the hacker who gained access to the serve,r he managed to upload some 70GB of personal files - apps, warez, mp3s, illegally copied movies, etc on this server

Take a look for yourself! Backdoor uploaded files (331kb)

Here is a snippet:

Directory of C:\System Volume Information\catalog.wci\bin\DVDR

06/03/2007 10:54 AM    <DIR>          .
06/03/2007 10:54 AM    <DIR>          ..
05/26/2007 10:01 AM    <DIR>          Borat.2006.PAL.MULTISUBS.DVDR-RUSH
06/03/2007 03:40 AM    <DIR>          FaTz
06/03/2007 01:25 PM    <DIR>          Heroes.S01.INTERNAL.HDTV.XviD-SCT
05/26/2007 01:56 PM    <DIR>          Smokin.Aces.PAL.NORDIC.DVDR-RUSH
05/26/2007 11:22 AM    <DIR>          The.Fountain.2006.PAL.PROPER.MULTISUBS.DVDR-SSB
               0 File(s)              0 bytes

I created this list from command prompt by typing "dir /s > output.txt"

These were uploaded to a dedicated windows machine that had its Windows Update set to "automatically download but let me choose when to install"

I cleaned it up with the following steps:

Never turn off Automatic Windows update unless you are going to watch it like a Hawk
If you are infected with a trojan, check your hard disk for large files as you may have been used as a file server
Install Microsoft Defender
Install Spybot Search & Destroy
Install Lavasoft Adaware
Install ClamWin (will only search) or AVG antivirus (AVG cannot be used for free on servers though)
Download Mcafee Stinger, a free tool to clean viruses from your machine
Run Microsoft Malicious Software Removal Tool
Make sure your Windows Firewall is enabled, or better yet, get ZoneAlarm or some other software firewall

Any comments?

Sql Injections and Securing Clipshare Vulnerabilities

Sameer Alibhai — Mon, 02 Jul 2007 20:07:24 GMT

Tags: Clipshare, PHPNuke, SQL Injection, SQL Injection Vulnerability

Just last week I was informed that two Clipshare (Youtube clone) sites were hacked. The culprit was a SQL injection vulnerability in the code. This article will explain a creative way of securing your site without really fixing the underlying code.

What is a SQL Injection and how do you fix it?

It means that the code was executing code that looked like this:

ExecuteSQL("Select salary from employees where ID = $_GET['id']");

Where $_GET['id'] means the querystring parameter ID which is passed in as follows:

http://www.yoursite.com/index.php?id=5

However, because we are not "sanitizing" the data before sending it to the sql server, someone can load the URL:

http://www.yoursite.com/index.php?id=5 OR 1=1 (or http encoded as http://www.yoursite.com/index.php?id=5%20OR%201=1
What that means is the SQL statement that will be executed is

ExecuteSQL("Select salary from employees where ID = 5 OR 1=1");

When you say that to the database, return salaries for employees if 1=1 (which is always), thus it will return all records for all employees

Even worse can be done, such as when you are checking a login and password, we had a live site that executed the following SQL and checked if the user and password was correct if a record was returned:

string sql = 'select * from users where login = ' + login + ' and password = ' + password; (C#)

you could put the login as "admin --" and anything for the password, and the password part was commented out and it would load the following:

select * from users where login = admin -- and password = asidasdsad

the -- indicates that the rest is a comment and should be ignored by the SQL server, thus it will only execute:

select * from users where login = admin

Now the ClipShare software is full of these vulnerabilities. To fix them (in PHP), you have to call mysql_real_escape_string() on your querystring and form post variables.

So if we have

ExecuteSQL("Select salary from employees where ID = $_GET['id']");

you can change this to:

ExecuteSQL("Select salary from employees where ID = ' + mysql_real_escape_string($_GET['id']));

If you want to fix it, you can try to see if there is an upgrade that resolves these problems. If you have heavily modified the script, or you cannot upgrade, this might not be an option.
You can try to fix it yourself, but I looked like every single page was vulnerable.

How to fix your Clipshare software the easy way!

There is another solution that is stronger. This is not the 100% foolproof solution, but it is an easy way to fix it without having to fix your entire bad codeset. What you can do is change the actual database table name from 'adminusers' which everyone knows, to something like 'purpleadmins'. It doesn't fix the underlying problem (the door is still wide open), but the wallet is hidden somewhere else in the house and nobody can find it, even if they can get in.

Here is how you can do it.
It's been about a year and this method has worked extremely well and my vulnerable PHP Nuke installation (version 7.1) has not been hacked again yet!
This also worked on two clipshare installations.

First you have to execute some SQL code to change the table name.

1) Rename your column (MySQL code)

ALTER TABLE oldAdminTableName RENAME newAdminTableName;

2) Then you have to execute a search and replace on the actual PHP code.
This will only work if you have the full source code (Some applications such as whois.cart are encoded and you cannot see the source code). To replace in files you can run the following Linux command:

perl -e "s/SEARCH/REPLACE/g;" -pi.save $(find ./*.php -type f)

3) To verify that it actually worked, search for files (linux again)

find . -name "*.c" -exec grep -i "find me" {} /dev/null \;

References:

Unix find and replace text within all files within a directory (forum)
Greg Hinkel's UNIX Tip of the Week

Delete Spam from Exim Queue

Sameer Alibhai, Ashiq Alibhai — Tue, 05 Jun 2007 12:49:20 GMT

Spam is a major cause of headache for many people in the world. Especially server administrators.

Here is a tip to clean up your exim mail queue if its getting to large and full of spam.

Please keep in mind that some legitimate emails may get deleted by this method. Please use it carefully. I had more than 2000 emails in my queue, and it was reduced to about 50 after running a few of these.

First, run

grep -R -l [SPAM] /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm

The highlighted word will be used in a grep search and replace and all messages matching that will be deleted. If you also want to remove frozen messages from your queue, run the following

grep -R -l '*** Frozen' /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm

You can perform one more that will also clean your exim queue some more

grep -R -l 'The recipient cannot be verified' /var/spool/exim/msglog/*|cut -b26-|xargs exim -Mrm

Second tip - if you are using CPanel, set up your mails to default to :fail: rather than :blackhole:

References:

Thank you to Khalid for his regular expression on his blog post Deleting Emails in Exim

Successful Server Migration using the HOSTS file

Sameer Alibhai, Ashiq Alibhai — Tue, 29 May 2007 14:17:49 GMT

When migrating your site from one server to another there are many factors involved in having a successful and transparent migration with no down time.

One of the tricks you can use to test your site after you have moved servers is to edit your Windows HOSTS file in order to 'trick' your machine into thinking that your site is actually somewhere else, even before updating the nameservers.

For example, you have your live site - sharpdeveloper.net on a server with IP address 72.52.15.51, but you are moving it to another server now because you have outgrown your original server.

Say you already have uploaded the files to the new server and as well populated your mySql or Sql Server databases.

Now, before updating the A record on the nameservers, you can update your local machine to point to the new server, say 81.51.11.51 by editing the file C:\WINDOWS\system32\drivers\etc\HOSTS (its a simple text file, you can use notepad to edit it)

Simply add one line

81.51.11.51 sharpdeveloper.net

that way your local machine will know the new IP address and you can make sure the site is working perfectly before updating the nameservers to point to the new address.

Questions?