 |
Puppy Linux Discussion Forum Puppy HOME page : puppylinux.com "THE" alternative forum : puppylinux.info
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in|
The time now is Mon 09 Dec 2013, 09:54 All times are UTC - 4 |
 Forum index » Taking the Puppy out for a walk » Announcements |
|
Serious security breach on Developer Blog
Moderators: Flash, Ian, JohnMurga |
 
|
View previous topic :: View next topic |
| Page 1 of 9 [121 Posts] | Goto page: 1, 2, 3, ..., 7, 8, 9 Next |
| Author | Message | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
BarryK
Puppy Master  Joined: 09 May 2005 Posts: 6900 Location: Perth, Western Australia |
I went to my blog this morning and got redirected to another site. My PC became very busy, mouse response extremely slow. I managed to kill SeaMonkey. I FTP'd to my site and found that two files, blog/index.php and blog/wp-blog-header.php have been modified. I have restored the originals. The big question is, how could someone do that? I have raised a ticket with servage and asked them that question. Note, I've turned off comments on my blog, but there were no suspicious comments anyway. _________________ http://bkhome.org/news/ |
|||||||||||||||
|
||||||||||||||||
 |
||||||||||||||||
veronicathecow
 Joined: 21 Oct 2006 Posts: 529 |
Hi Barry sorry to hear of this problem. My first thought is "Any chance" that your machine has been compromised" Secondly was, perhaps it's time to see if there is need to tighten up Puppy security? (It may have been on the server from their side but it looks as though it was making a good stab at taking over your PC.) Perhaps now things like the Asus eeePC are getting sold in volume and firfox is becoming more powerful that the forces of darkness will be taking an interest a deeper interest in opensource Cheers Tony |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US |
I just PM'd this to Barry, before I noticed the thread here. You're all welcome to read it. Regarding the page change: Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com http://seclists.org/fulldisclosure/2007/Nov/0336.html Regarding the one comment that go through the other day I had signed up to post what follows this link. In the mean time I did some further research and found it was probably SQL injection. Wordpress 2.3.1 Charset SQL Injection Vulnerability http://blogsecurity.net/wordpress/wordpress-231-charset-sql-injection-vulnerability/ --- Your security implementation is probably adequate. There are three methods which could be used to create such spam that came to mind when I read your post. 1-an exploit in the WordPress code to bypass the security layers. If you examine your http logs for the request that created the comment it might tell you if this was the method used. Also it would allow you to notify the WordPress creators so they could fix the problem. You could gather, at a minimum, the page that was used to implement the exploit. If a 'get' post was used, you might be able to further identify the query string which would help the coders diagnose the problem faster. 2-a server level database permission issue that allowed another user or site on the same server to insert an entry directly to your database. This would be impractical for spammers, as they would have to pay for accounts on lots of servers and hope a majority or the admins had a weak understanding of security. 3-an sql injection vulnerability in the registration form, the login form or the search form. the login form and search form queries shouldn't use a user that has insert permissions anyway, so maybe the registration form. this would depend on what permissions to which tables the user account that it queried as were given. if that user doesn't have permission to insert to the comment table in the database, it's not this. |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
MU
 Joined: 24 Aug 2005 Posts: 13642 Location: Karlsruhe, Germany |
I had a comparable problem not long ago. Using gftp I could see, that the problem came from a newsletter-module of I think PHPBB. It seems that a weak point was taken to install a spam-mailer. You could see it by analyzing how the folders around it got infected by new PHP-Scripts. One concrete example: if you have such code: thecommand = $GET["whatnext"]; system($thecommand); So you would call a website like this: http://xyt.com/index.php?whatnext=ls Then the string "ls" would be passed to index.php It then is executed by "system". Now the attack would be to pass your own string, like: http://xyt.com/index.php?whatnext=ls;cd;cd ..;cd ..;cd etc;cat passwords You might have to replace some chars with HTML-entities like %20 instead of spaces. This is a very obvious vulnerability, there are more advanced as said by John Doe. And software IS buggy. We had the example of a commercial boardsystem, where you registered as new user with restrictions, and then until you did not log in to your account, had access to all boards, even those that are usually just allowed to be viewed by administrators. Mark |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
BarryK
Puppy Master Joined: 09 May 2005 Posts: 6900 Location: Perth, Western Australia |
Looking around my site with gFTP, I quickly discovered that my entire site had been hacked. This covers goosee.com as well as puppylinux.com, each in it's own subdirectory. I contacted servage, they replied that I should change my password, and make sure that all directories are 755, and all files 644. So, I went through, making sure all permissions are okay, uploading the original files when I found a hacked one. But, the thing is, static html pages in 755 directory with 644 permission were also hacked. I did have a lot of html files with 755, and I did notice a preference by the hacker to hack those. But it doesn't explain how 644 files got hacked. I've sent a message to servage asking how that could happen. Right now, I'm nervously watching my site to see if anything more happens to it. There seem to be two different types of hack, one that occurred on Jan 10th, which has injected porno links into some pages. Then the one that I found, a massive hack of my site on Jan 12th, which has inserted redirection code. I'll put the site that I got redirected to, but don't go there!!! Maybe someone can work out what this site does or attempts to do. This is my hacked blog/index.php, but I have inserted some capitalisation to disable it:
_________________ http://bkhome.org/news/ |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
wingruntled
Joined: 20 Feb 2007 Posts: 287 Location: Great Lakes |
Barry Not to sound like an idiot, but. This is old news. You were hacked last year but never got the message. http://murga-linux.com/puppy/viewtopic.php?t=23724 |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US |
I got the name of who is responsible already. Mahmod AbdAllah el Gashmi He lives in Turkey. Just say the word Barry and I'll have him killed. 
He's mentioned on this page: http://spamtrackers.eu/wiki/index.php?title=Hijacked_host I'll post how I figured that out in a bit. I have to go get my nightly brew. |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
Caneri
Joined: 04 Sep 2007 Posts: 1580 Location: Canada |
Well..it looks like puppylinux.ca is also down. My IP address will not resolve to my domain. My tech guys are working on this problem but may be until tomorrow before I get an answer. Sorry all. Eric _________________ Be not afraid to grow slowly, only be afraid of standing still. Chinese Proverb |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US |
Ok, I used wget to request the url Barry posted without using the query string and got a simple file that looks like a login form (it's attached as index.php.txt). Then I used wget to request the url with the query string and got the following pertinent information (the whole dialog is attached as wget-response.txt): HTTP request sent, awaiting response... 302 Found Location: httpCOLON//88.255.94.114/~usersonli/oren/indexDOTphp [following] Connecting to 88.255.94.114:80... failed: Bad file descriptor. Using the ip address I looked up the owner via whois.ripe.net. It's that guy I mentioned above (info in whois.ripe.net.txt). The most interesting part was "Bad file descriptor", that's why your browser froze up. I'm assuming it's some sort of exploit for IE that installs his root kit, which is mentioned at the following post: http://www.bluetack.co.uk/forums/index.php?showtopic=18139&pid=85109&st=0&#entry85109 What a piece of trash. 
|
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
Caneri
Joined: 04 Sep 2007 Posts: 1580 Location: Canada |
I'm not sure if this is related or not. http://www.internetnews.com/security/article.php/3712071 Eric _________________ Be not afraid to grow slowly, only be afraid of standing still. Chinese Proverb |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US |
it's all related somehow 
cool read, thanks for the link (hopefully it wasn't one of them  )
|
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
BarryK
Puppy Master Joined: 09 May 2005 Posts: 6900 Location: Perth, Western Australia |
Okay, if it's an exploit for IE, then likely not targetting Linux and wouldn't have compromised my PC... Anyway, I think I know how my site was violated. Well, not really 'how', just the basic outline. My site has had two violations, one dated Jan 10, the second on Jan 12. Well, you might have seen my recent blog post "The spam that got through" - that was Jan 10. Then, last night - Jan 12 - there was another one. That's two of them, corresponding with my site violations. So, my confidence in WordPress has hit rock bottom. Even if I do upgrade, it seems to be a never ending battle. I've turned off comments - and 'flagman' posted a comment immediately after! Globally turning off comments only affects new posts! Yikes, I hunted through the prefs and there's nothing to globally turn off comments!!! So, I used the "bad words" filter to block everything - how crude. _________________ http://bkhome.org/news/ |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
Previously known as Guest
 Joined: 28 Sep 2005 Posts: 240 |
As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems. I've had problems with permissions in the past! 403 errors for no reason. Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host. pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed. Sorry for any inconveniences. Ron AKA PkaG. |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
Lobster
Official Crustacean  Joined: 04 May 2005 Posts: 15117 Location: Paradox Realm |
I have a Wordpress blog (rarely post to it) Had to turn off the comments due to corrective medication for penile dysfunction and porn spam http://tmxxine.com/wordpress/ corrective medication for penile dysfunction = via*** I can not use the word via*** as Johns efforts to fight the mal merchants changes the word to "poisonous crap" Look how hard John and Flash work to stop spam (and it still gets through . . . ) It makes sense for spammers to code bots for popular services and Wordpress is the top blogging tool. http://www.honeynet.org/papers/bots/botnet-code.html We have the word "Puppy" come up with Puppy Linux in Google Therefore owning that or hijacking it is a commercial decision. An attack is inconvenient, annoying and also can make one paranoid (as if it is a personal attack) 
It is important to maintain ones psychological perspective when this sort of situation occurs (I am occasionally sane enough to recognise that) 
So far the solution seems right: 1. Exposing and dealing with the situation 2. Notifying and working with the software and server providers When the Puppy wiki was attacked with spam bots rather than change to new software Raffy hardened the existing software and even though users have to register many did and some regular users are making many useful contributions
Related to spam is the use of gmail to filter (not ideal but no solution is) Just remember there is a protective cordon of expertise around Puppy. How this situation is dealt with is indicative of a growing maturity. Do we stay in place and fight our corner or run to a new solution (with attendant problems)? Good luck.
_________________ Puppy WIKI Last edited by Lobster on Tue 05 Feb 2008, 00:45; edited 1 time in total |
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
|
Previously known as Guest
Joined: 28 Sep 2005 Posts: 240 |
Interestingly within a few minutes of this post an attack started from: 84.221.65.76 [host-84-221-65-76.cust-adsl.tiscali.it] 80.186.120.215 [a80-186-120-215.elisa-laajakaista.fi] Maybe I'll start posting fscking IP's involved again! I could write a novel of IP addresses.
|
|||||||||||||||
|
||||||||||||||||
|
||||||||||||||||
Serious security breach on Developer Blog
| Page 1 of 9 [121 Posts] | Goto page: 1, 2, 3, ..., 7, 8, 9 Next |
|
|
View previous topic :: View next topic |
|
Forum index » Taking the Puppy out for a walk » Announcements |
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum |
Powered by phpBB © 2001, 2005 phpBB Group