Puppy Linux Discussion Forum
Serious security breach on Developer Blog
Sage

Joined: 04 Oct 2005
Posts: 4833
Location: GB

Posted: Sun 13 Jan 2008, 07:24

No respite, either:
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
This is looking like a battle of intellects.
dvw86


Joined: 04 May 2005
Posts: 636
Location: Washington State

Posted: Sun 13 Jan 2008, 12:29

Barry,
You may want to read this blog post by Arnold Kim.
http://normalkid.com/2007/11/20/
Arnold (Arn) is the creator of macrumors.com. It is a very popular rumor and news site focusing on the Apple computer company. He has had many similar issues with PHP-based sites including WordPress. His final solution was to use vBulletin, which he has been happy with. Some samples of his post regarding WordPress include the following.

Quote:
Wordpress Sucks, and Other Thoughts (Including Why I’m on Default Theme)


Quote:
The problem was that there were known exploits in every version… and it was like holding up a sign to anyone out there to “Please Hack Me”.


Quote:
As a result, I decided, I wanted to pay someone to take some responsibility for their software.

Even though vBulletin is more of a forum software, there may be something similar for blogging. Just a thought.
prehistoric


Joined: 23 Oct 2007
Posts: 1320

Posted: Sun 13 Jan 2008, 16:10    Subject: adding insult to injury
Subtitle: email about spamtrackers identified as spam
 

@John Doe,

When I tried to notify a friend, (retired sys admin,) about that European site, his ISP identified the message as spam or a virus. This was a short, hand-typed, text-only message with no attachments. (I suppose I should have used a sophisticated method of hiding content, like ROT13.)

When the message bounced I got a message from my ISP advising me I had sent contaminated mail and to tell their Postmaster if there had been an error. When I did as requested, that message was also rejected because the Postmaster mail box was full.

I think I finally got the message through by splitting the offending text and telling the recipient how to reassemble it. (Wait, let me check for another bounce.)

Aren't ISPs helpful in these situations?

prehistoric
willhunt


Joined: 05 Oct 2005
Posts: 495

Posted: Sun 13 Jan 2008, 17:31

How do I ban this IP so my machine won't even go to that IP?
_________________
176 Icewm Themes Exclamation
vlc-0.8.6c-i586.pet
vlc-0.8.6c-i586.pet
wingruntled

Joined: 20 Feb 2007
Posts: 287
Location: Great Lakes

Posted: Sun 13 Jan 2008, 18:02

willhunt
You could add the IP address's host name to your /etc/hosts file.
Just edit to the END of your hosts file with the last two lines as I posted below:

127.0.0.1 localhost puppypc

Code:
127.0.0.1  host-84-221-65-76.cust-adsl.tiscali.it
127.0.0.1  a80-186-120-215.elisa-laajakaista.fi
John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sun 13 Jan 2008, 18:27    Subject: Mahmod AbdAllah el Gashmi Linux Firewall Rules
Subtitle: Subject added for "the google".
 

willhunt wrote:
How do I ban this IP so my machine won't even go to that IP?


He owns 88.255.94.0 - 88.255.94.255 (that's a T1).

This in a script should work nice. Perhaps someone else has tips for making it better, or in less steps?

Code:
# CIDR form: iptables reads the part after "/" as a netmask, not as the last address of a range.
# The prefix is kept as posted (88.244.94.x); the text above gives 88.255.94.0 - 88.255.94.255.
iptables -A INPUT   -s 88.244.94.0/24 -j DROP
iptables -A INPUT   -d 88.244.94.0/24 -j DROP
iptables -A FORWARD -s 88.244.94.0/24 -j DROP
iptables -A FORWARD -d 88.244.94.0/24 -j DROP
iptables -A OUTPUT  -s 88.244.94.0/24 -j DROP
iptables -A OUTPUT  -d 88.244.94.0/24 -j DROP
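Added example, not part of any post in this thread: iptables reads `address/mask` as a network and netmask, so an `address/last-address` selector does not describe a range. The POSIX shell sketch below (function names are hypothetical; 64-bit shell arithmetic is assumed) applies a dotted mask the way such a selector is evaluated, converts a start-end range into CIDR blocks, and prints the resulting DROP rules without running them.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes 64-bit shell arithmetic and octets without leading zeros.

ip2int() {    # A.B.C.D -> integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {    # integer -> A.B.C.D
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_match ADDR NET MASK: succeeds when (ADDR & MASK) == (NET & MASK),
# which is how a "-s NET/MASK" selector with a dotted mask is evaluated.
mask_match() {
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# range_to_cidr START END: smallest list of CIDR blocks covering the range.
range_to_cidr() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    while [ "$lo" -le "$hi" ]; do
        bits=32
        # Widen the block while it stays aligned on lo and inside the range.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            [ $(( lo % size )) -eq 0 ] && [ $(( lo + size - 1 )) -le "$hi" ] || break
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$lo")/$bits"
        lo=$(( lo + (1 << (32 - bits)) ))
    done
}

# emit_rules START END: print (do not run) DROP rules for the range.
emit_rules() {
    for net in $(range_to_cidr "$1" "$2"); do
        echo "iptables -A INPUT -s $net -j DROP"
        echo "iptables -A OUTPUT -d $net -j DROP"
    done
}

# Constructed check: .17 lies inside the intended range, yet the selector misses it.
mask_match 88.244.94.17 88.244.94.0 88.244.94.255 ||
    echo "88.244.94.17 is not matched by 88.244.94.0/88.244.94.255"
emit_rules 88.255.94.0 88.255.94.255
```

With the last address used as a mask, only addresses whose final octet is 0 can match, which is why the CIDR form is needed.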
willhunt


Joined: 05 Oct 2005
Posts: 495

Posted: Sun 13 Jan 2008, 21:09
Subtitle: Mahmod AbdAllah el Gashmi Linux Firewall Rules
 

Thanks for the quick answer :)
So am I to take it this kinda behavior is acceptable in Turkey?
I've been reading and it seems a lotta people know about him
and his hacks?

raffy

Joined: 25 May 2005
Posts: 4798
Location: Manila

Posted: Sun 13 Jan 2008, 21:13    Subject: index changed

Barry and all,

I now see that puppylinux.org's index file was also changed (I did not have access to FTP last night).

IMHO, this is a major breach of webhosting security, not just of Wordpress. It's a servage.net problem (or its own host).
Caneri

Joined: 04 Sep 2007
Posts: 1580
Location: Canada

Posted: Sun 13 Jan 2008, 21:31

Well I got nailed again from Taiwan (maybe)... also attacked my local router a few days ago but I wasn't thinking it to be significant. (wrong I guess).

It may be more than servage as it seems many servers are being hit... judging from what I've been reading on security zines.

Security levels are at code red on many sites I've seen with hundreds of thousands of commercial/university and city servers being targeted and breached.

It seems to be apache servers that are not up to date...this is where they get into database, php etc.

What a pain!

Eric

_________________
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb

willhunt


Joined: 05 Oct 2005
Posts: 495

Posted: Sun 13 Jan 2008, 21:49

Caneri wrote
Quote:
It seems to be apache servers that are not up to date...this is where they get into database, php etc.


it was my understanding that it was a bad cPanel or perl module
did I get this wrong?

John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sun 13 Jan 2008, 22:12    Subject: Re: index changed

raffy wrote:
IMHO, this is a major breach of webhosting security, not just of Wordpress. It's a servage.net problem (or its own host).


I'm also starting to think this might be bigger than Wordpress.

I've been reading the comments in the link Sage posted and some of the links they lead to. It seems it might all relate to a new problem that seemed to surface around 11-25-2007 where one can install a rootkit on certain Linux boxes via Apache/PHP. One of the things that is happening is the hackers are adding kernel modules that inject code in pages as they are served. Anything else could be going on at that point also. Just because one group exploits one way, doesn't mean they all do it the same way.

This might get pretty big. Further fueled by the fact that most of the people running Linux have this cavalier attitude towards security that amounts to "that can't happen to me, I run linux. That only happens to the idiots that run WinDoze.".

It's too bad we can't take a survey of servage.net users and see if this is a problem for everyone. Might be that their box is the right combo for this exploit. I tried to telnet to see what version they are running but they don't report it. Just that they are running Apache.
John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Sun 13 Jan 2008, 22:15

willhunt wrote:
Caneri wrote
Quote:
It seems to be apache servers that are not up to date...this is where they get into database, php etc.


it was my understanding that it was a bad cPanel or perl module
did I get this wrong?


I ran across that also.

Does servage.net use cPanel?

Caneri, does your site have cPanel?
cb88


Joined: 28 Jan 2007
Posts: 1169
Location: USA

Posted: Sun 13 Jan 2008, 23:07

I am happily posting from Vector Linux...! Got my Conexant modem working with the 14.4 kbs driver..

Anyway there has been talk over at Ubuntu of a boot-time kernel compilation for improved performance (heh they really need it don't they) this would make kernel modules unneeded for most....

just thought you guys might find that interesting...

_________________
Taking Puppy Linux to the limit of perfection. meanwhile try "puppy pfix=duct_tape" kernel parem eater.
X86: Sager NP6110 3630QM 16GB ram, Tyan Thunder 2 2x 300Mhz
Sun: SS2 , LX , SS5 , SS10 , SS20 ,Ultra 1, Ultra 10 , T2000
Mac: Platinum Plus, SE/30
Caneri

Joined: 04 Sep 2007
Posts: 1580
Location: Canada

Posted: Mon 14 Jan 2008, 01:41

@John Doe,

My host has its own custom panel and doesn't use cPanel.

They call it XL6 (in-house name). If they are right they tell me the perl exploit will not work or be very effective here...but I take that with a grain of salt.

They also tell me older software has been a problem across many hosts...and wordpress is a major problem.

Eric

John Doe

Joined: 01 Aug 2005
Posts: 1689
Location: Michigan, US

Posted: Mon 14 Jan 2008, 02:58

Thanks for the info Caneri and sorry for the intrusive questions. I'm just trying to get a really good idea of what's going on so we can all get it fixed and move forward with a sense of security.

For several years, years ago, I used to work on network exploitation with friends. We never messed anyone's stuff up (with one exception) or wrote stupid scripts to spam crap everywhere. That sort of behavior just pisses me off. We were the types who would write you and tell you to get something fixed to protect yourself. It's a shame there are jerks out there that would do such petty things. They probably sell it as some type of "service" too. (rolling eyes)