Serious security breach on Developer Blog

News, happenings
John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

Mahmod AbdAllah el Gashmi Linux Firewall Rules

#21 Post by John Doe »

willhunt wrote: how do I ban this IP so my machine won't even go to that IP?
He owns 88.255.94.0 - 88.255.94.255 (that's a T1).

This in a script should work nice. Perhaps someone else has tips for making it better, or in less steps?

Code:

# Drop everything to or from the whole /24 in every chain. The original wrote the
# range as "88.244.94.0/88.244.94.255", which is neither a valid prefix length nor
# a netmask; "88.244.94.0/24" covers the same 88.244.94.0 - 88.244.94.255 block.
iptables -A INPUT   -s 88.244.94.0/24 -j DROP
iptables -A INPUT   -d 88.244.94.0/24 -j DROP
iptables -A FORWARD -s 88.244.94.0/24 -j DROP
iptables -A FORWARD -d 88.244.94.0/24 -j DROP
iptables -A OUTPUT  -s 88.244.94.0/24 -j DROP
iptables -A OUTPUT  -d 88.244.94.0/24 -j DROP
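A scripted version of the same block, added here as an example and not code from the thread. It validates the prefix before touching the firewall, inserts the rules at the top of each chain so an earlier ACCEPT cannot shadow them, and uses `iptables -C` to avoid adding the same rule twice when the script is re-run. The thread gives the range as 88.255.94.0 - 88.255.94.255 in prose and 88.244.94.x in the script, so the prefix is taken as an argument rather than hard-coded. The `DRY_RUN` and `IPT` variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example: block an IPv4 prefix in both directions with iptables.
# Set DRY_RUN=1 to print the commands instead of running them; IPT can point
# at a different iptables binary. Both variables are this example's own names.
IPT="${IPT:-iptables}"

# valid_cidr 88.244.94.0/24 -> 0 if the argument is four octets in 0-255
# followed by "/" and a prefix length in 0-32, 1 otherwise.
valid_cidr() {
    cidr="$1"
    addr="${cidr%/*}"
    plen="${cidr#*/}"
    [ "$addr" != "$cidr" ] || return 1          # no "/" at all
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -f                                      # no globbing while splitting
    set -- $addr
    set +f
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# run CMD... -> executes the command, or just prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# add_drop CHAIN (-s|-d) CIDR -> inserts a DROP rule at the top of CHAIN,
# skipping it if an identical rule is already present (iptables -C returns 0).
add_drop() {
    chain="$1"; dir="$2"; net="$3"
    if [ "${DRY_RUN:-0}" != 1 ] && "$IPT" -C "$chain" "$dir" "$net" -j DROP 2>/dev/null; then
        return 0
    fi
    run "$IPT" -I "$chain" "$dir" "$net" -j DROP
}

# block_range CIDR -> six rules (source and destination in INPUT, FORWARD,
# OUTPUT); returns 1 without touching the firewall if CIDR is malformed.
block_range() {
    net="$1"
    if ! valid_cidr "$net"; then
        echo "block_range: '$net' is not a valid IPv4 prefix" >&2
        return 1
    fi
    for chain in INPUT FORWARD OUTPUT; do
        add_drop "$chain" -s "$net"
        add_drop "$chain" -d "$net"
    done
}

# Usage: DRY_RUN=1 sh block_range.sh 88.244.94.0/24   (show the rules)
#        sh block_range.sh 88.244.94.0/24             (install them, as root)
if [ $# -gt 0 ]; then
    block_range "$1"
fi
```

The `-d` rules in INPUT and the `-s` rules in OUTPUT rarely match anything on a single host (a packet arriving on INPUT is addressed to you, not to the blocked range), so they are harmless but mostly redundant; the `-s` INPUT and `-d` OUTPUT rules do the real work. Rules added this way are gone after a reboot unless saved with the distribution's iptables-save mechanism.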

willhunt
Posts: 495
Joined: Wed 05 Oct 2005, 18:19

#22 Post by willhunt »

Thanks for the quick answer :)
So am I to take it this kinda behavior is acceptable in Turkey?
I've been reading and it seems a lotta people know about him
and his hacks?
[url=http://hostfile.org/icepak.pet]176 Icewm Themes :!:[/url]
[url=http://tinyurl.com/39fl3x]vlc-0.8.6c-i586.pet[/url]
[url=http://tinyurl.com/2q7cbp]vlc-0.8.6c-i586.pet[/url]

raffy
Posts: 4798
Joined: Wed 25 May 2005, 12:20
Location: Manila

index changed

#23 Post by raffy »

Barry and all,

I now see that puppylinux.org's index file was also changed (I did not have access to FTP last night).

IMHO, this is a major breach of webhosting security, not just of Wordpress. It's a servage.net problem (or its own host).

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#24 Post by Caneri »

Well I got nailed again from Taiwan (maybe)... also attacked my local router a few days ago but I wasn't thinking it to be significant. (Wrong, I guess.)

It may be more than servage as it seems many servers are being hit... judging from what I've been reading on security zines.

Security levels are at code red on many sites I've seen with hundreds of thousands of commercial/university and city servers being targeted and breached.

It seems to be apache servers that are not up to date...this is where they get into database, php etc.

What a pain!

Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]

willhunt
Posts: 495
Joined: Wed 05 Oct 2005, 18:19

#25 Post by willhunt »

Caneri wrote:
It seems to be apache servers that are not up to date...this is where they get into database, php etc.
It was my understanding that it was a bad cPanel or Perl module.
Did I get this wrong?
[url=http://hostfile.org/icepak.pet]176 Icewm Themes :!:[/url]
[url=http://tinyurl.com/39fl3x]vlc-0.8.6c-i586.pet[/url]
[url=http://tinyurl.com/2q7cbp]vlc-0.8.6c-i586.pet[/url]

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

Re: index changed

#26 Post by John Doe »

raffy wrote:IMHO, this is a major breach of webhosting security, not just of Wordpress. It's a servage.net problem (or its own host).
I'm also starting to think this might be bigger than Wordpress.

I've been reading the comments in the link Sage posted and some of the links they lead to. It seems it might all relate to a new problem that seemed to surface around 11-25-2007 where one can install a rootkit on certain Linux boxes via Apache/PHP. One of the things that is happening is the hackers are adding kernel modules that inject code in pages as they are served. Anything else could be going on at that point also. Just because one group exploits one way doesn't mean they all do it the same way.

This might get pretty big. Further fueled by the fact that most of the people running Linux have this cavalier attitude towards security that amounts to "that can't happen to me, I run Linux. That only happens to the idiots that run WinDoze."

It's too bad we can't take a survey of servage.net users and see if this is a problem for everyone. Might be that their box is the right combo for this exploit. I tried to telnet to see what version they are running but they don't report it. Just that they are running Apache.

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#27 Post by John Doe »

willhunt wrote: Caneri wrote:
It seems to be apache servers that are not up to date...this is where they get into database, php etc.
It was my understanding that it was a bad cPanel or Perl module.
Did I get this wrong?
I ran across that also.

Does servage.net use cPanel?

Caneri, does your site have cPanel?

cb88
Posts: 1165
Joined: Mon 29 Jan 2007, 03:12
Location: USA

#28 Post by cb88 »

I am happily posting from Vector Linux...! Got my Conexant modem working with the 14.4 kbs driver..

Anyway, there has been talk over at Ubuntu of a boot-time kernel compilation for improved performance (heh, they really need it, don't they); this would make kernel modules unneeded for most....

just thought you guys might find that interesting...
Taking Puppy Linux to the limit of perfection. meanwhile try "puppy pfix=duct_tape" kernel parem eater.
X86: Sager NP6110 3630QM 16GB ram, Tyan Thunder 2 2x 300Mhz
Sun: SS2 , LX , SS5 , SS10 , SS20 ,Ultra 1, Ultra 10 , T2000
Mac: Platinum Plus, SE/30

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#29 Post by Caneri »

@John Doe,

My host has its own custom panel and doesn't use cPanel.

They call it XL6 (inhouse name). If they are right they tell me the perl exploit will not work or be very effective here...but I take that with a grain of salt.

They also tell me older software has been a problem across many hosts...and wordpress is a major problem.

Eric
[color=darkred][i]Be not afraid to grow slowly, only be afraid of standing still.[/i]
Chinese Proverb[/color]

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#30 Post by John Doe »

Thanks for the info, Caneri, and sorry for the intrusive questions. I'm just trying to get a really good idea of what's going on so we can all get it fixed and move forward with a sense of security.

For several years, years ago, I used to work on network exploitation with friends. We never messed anyone's stuff up (with one exception) or wrote stupid scripts to spam crap everywhere. That sort of behavior just pisses me off. We were the types who would write you and tell you to get something fixed to protect yourself. It's a shame there are jerks out there that would do such petty things. They probably sell it as some type of "service" too. :roll:

wingruntled

#31 Post by wingruntled »

it's a shame there are jerks out there that would do such petty things. they probably sell it as some type of "service" to.
That or some parent will get arrested by Homeland for what their unsupervised child found on some underground site. :twisted:

Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

Satellite signal goes far

#32 Post by Ted Dog »

I noted that MAC addresses to filter out everybody else's traffic can be changed via software on DVB based two way traffic. It is not that hard for a well funded black hacker to capture all traffic via someone else's MAC and decode it remotely. It may be a good idea to ssh to your remote servers and change password. Using secure FTP as needed.
Many of your hosts have been hit, think about it.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#33 Post by Lobster »

:) Barry and many of the coders here would class themselves as hackers. However it is used in the sense of a coder. In popular language hacker means someone who is a 'black hat coder' or cracker (breaking systems or into them).

I was recently 'hacking' into one of my own computers - A second hand Mac with password protection . . . that makes me a 'white hat' cracker.
Most of us are probably crackers at some point in our computer usage.
(in my case completely crackers!) :wink:

The fact that Barry's sites have been targeted by the insertion of porn links gives an insight into the motivation and reason. They probably think of it as nothing worse than pasting ads over a disused building.

Let us make some good of this. How can we be proactive and supportive? 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nic2109
Posts: 405
Joined: Mon 01 Jan 2007, 20:24
Location: Hayslope, near Middlemarch, Midlands, England

#34 Post by nic2109 »

Sometime pretty soon, when a consensus emerges, it would be very helpful if someone could summarize the things us ordinary penguins need to do to protect both ourselves and everyone else we may inadvertently spray crap out to. I guess that it's servers that are most at risk, but as it's so easy to leave a port open (for example) I think we would all value a checklist of what to set in Puppy.

I'm afraid that I am guilty of smug complacency relying on (a) the firewall in my router and (b) "it's Linux so I don't have a problem". Bah, such naive folly!

I recall that Fedora had 2 modes when installing: "Normal" or "SE" where SE is something like "Secure Edition" or "Security Enhanced". Is it time to create an SE Puppy? Or is that only relevant for Servers? Or maybe it's already possible and all that's needed is a bit of RTFM?

Education needed, wanted, and requested. Please!

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#35 Post by MU »

Again, this is not a Linux bug, but a PHP or, better, application problem.
A firewall or such would not help in this case, because the bugs, or better the way things were programmed, are an open invitation to do everything on the machine that runs it.

Also note that this usually just affects web applications.
A desktop user will not be infected by such mechanisms.

Unfortunately, such things make people very frightened.
Even my colleague reported that he found forum messages somewhere else about this "Linux trojan", which it is definitely not.

One thing that is important is that the Firefox team resolves the problem of 100% processor usage on this file-not-found error.

This is nasty (though not dangerous in a way that a virus would be installed or so).

Mark

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#36 Post by MU »

Another issue is that still many webhosters use PHP 4.
The PHP group has stopped support for this because version 5 fixed several vulnerabilities.
PHP 4 has officially been announced as dead, and hosters are urgently advised to drop it.

Unfortunately several old content-management systems that are developed no further still rely on version 4.

So hosters still use that.

Mark

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

psychology of attackers

#37 Post by prehistoric »

Something has been missing from this thread. I've held my tongue and lurked, mostly. You are the experts on networks, Puppy software, etc. All I can contribute are observations on the psychology involved in these attacks on the Puppy community. Here's what I think is revealed about the attackers.

1) They're persistent. There has been a pattern of exploits getting increasingly severe over a period of months. (If wingruntled is right, and this is the same bunch, over a very long period.)

2) They're fascinated by Puppy Linux. There's evidence they have been stalking Puppy, studying its software and creator, even learning about the user community, over time. This effort is disproportionate to any possible commercial gain. A distribution which commonly runs things as root represents a challenge, and they must have been frustrated that most of their attacks were shrugged off.

3) They're vulnerable, if exposed. There have been clues pointing in just about every direction, except toward themselves. This looks like deliberate misdirection. The effort put into hiding is a substantial fraction of the total effort. "Previously known as Guest" has seen evidence of real-time monitoring by people (as well as those IP addresses which could form the basis for a novel). There are patterns here, but the most important is that they are very careful about hiding. Why? If they were planning to announce their exploit to the world I don't think they would be as careful. If they were in a safe haven they wouldn't be as careful. They must fear criminal penalties. Their victims and patsies should all be under different legal systems from the perpetrators.

4) They're immature, and, aside from bragging rights in a closed community, their big motivation is Schadenfreude.

This does not describe a Turkish spam king, who probably hasn't heard of Puppy Linux. It doesn't describe any professional black hat. The market for Puppy hacking skills is still very limited. Where 'bots have been used in these attacks they have had a lot of interactive assistance. The payoff doesn't justify the effort.

This group is small, they are not great intellects. They have spent a lot of time trying to cause trouble before the tools they needed were created by others to attack other systems. (As MU observes, the tools were not specific to Linux. The attackers didn't create them.) They have been using whatever came to hand, and most of it didn't serve their purposes very well, until just recently.

As an example of the importance of a psychological slant, I offer this story about a student who cracked a professor's directory of test material when it was locked down even tighter than Barry's. (Directory 700, files mostly 600.) He created a fake copy of the directory with executable files whose names he guessed. He was able to place it where a common typing error would take the teacher. He used the teacher's habits to trick him into executing a file with his own permissions. He covered the computer activity with fake error messages, indicating typos. He did not crack the entire system, so he didn't have to worry about logs. (In case you're wondering, he was caught when he overreached himself. The administration was not amused, and I was very glad to be innocent, for once.)

The techniques are all ancient now, the thinking is not.

This may stir things up. I hope it will stimulate a shift in perspective. Too much of the response has been simple reaction. The attackers are used to manipulating people, and easily predictable responses will only take us so far.

As for attackers reading this, I think you deserve a share of the angst.

prehistoric

willhunt
Posts: 495
Joined: Wed 05 Oct 2005, 18:19

#38 Post by willhunt »

Well, with all this talk of breaches I went out and installed a security plugin
in Firefox called Finjan. When I went to Google to search "puppy
forum" it said this link was bad: http://murga-linux.com/puppy/viewtopic. ... a7b8af387e
Can someone tell me if this is a false positive?
[url=http://hostfile.org/icepak.pet]176 Icewm Themes :!:[/url]
[url=http://tinyurl.com/39fl3x]vlc-0.8.6c-i586.pet[/url]
[url=http://tinyurl.com/2q7cbp]vlc-0.8.6c-i586.pet[/url]

wingruntled

#39 Post by wingruntled »

willhunt
It might be because you posted in that thread. LOL
I don't know how deep that plugin searches, but it appears that the hostfile.org link you have in your sig line has a direct link to alt.2600.
Nuff said?

inged
Posts: 22
Joined: Fri 13 Jul 2007, 05:03

Hacking Toolkit Compromises Thousands Of Web Servers

#40 Post by inged »

Hi there, according to this:

Hacking Toolkit Compromises Thousands Of Web Servers
http://www.informationweek.com/news/sho ... =205603044
In December 2007, Finjan identified more than 10,000 Web servers infected with a malicious hacking kit called "random js toolkit." In June, the company found an average of 30,000 newly infected malicious Web pages every day -- the result of "random js toolkit" -- and the company claims the situation is much worse today.
This could be why Puppy web pages are suffering, and it would also explain the Finjan plugin issue that willhunt mentioned.
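John Doe's post #26 describes kernel modules that inject code into pages as they are served, and inged's article describes the same symptom at scale (script tags added to tens of thousands of pages). In both cases the file on disk can look clean while every client receives something different, so a useful check is to compare the on-disk copy of a page with the copy a client actually receives. The script below is an added example, not code from the thread or from Finjan; the function names, the `example.invalid` host and the sample HTML are constructed for the demonstration. In real use the served copy would come from `curl` on a machine other than the suspect server.

```shell
#!/bin/sh
# Added example: spot markup that appears only in the served copy of a page.
# If a kernel module or patched web server rewrites responses on the way out,
# a diff between the file on disk and what a client receives shows the insert.

# injected_tags DISK_FILE SERVED_FILE
# Prints every line present only in SERVED_FILE that carries a script,
# iframe, object or embed tag. Exit status 0 if any were found, 1 if none.
injected_tags() {
    disk="$1"; served="$2"
    diff "$disk" "$served" | sed -n 's/^> //p' \
        | grep -i -E '<(script|iframe|object|embed)[ >]'
}

# check_page URL DISK_FILE
# Fetches URL (run this from a machine you trust, not the suspect host) and
# compares it with the file the web server is supposed to be serving.
check_page() {
    url="$1"; disk="$2"
    tmp="$(mktemp)"
    curl -s -o "$tmp" "$url" || { rm -f "$tmp"; return 2; }
    injected_tags "$disk" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# demo: constructed sample. The on-disk page is clean; the "served" copy has
# two extra tags of the kind an injected module would add. Prints the
# injected lines and returns 0 (found).
demo() {
    tmp="$(mktemp -d)"
    cat > "$tmp/index.html" <<'EOF'
<html><head><title>Puppy Linux</title></head>
<body><p>Welcome</p>
<script src="/js/menu.js"></script>
</body></html>
EOF
    cat > "$tmp/served.html" <<'EOF'
<html><head><title>Puppy Linux</title></head>
<body><p>Welcome</p>
<script src="/js/menu.js"></script>
<script src="http://example.invalid/x.js"></script>
<iframe src="http://example.invalid/" width="0" height="0"></iframe>
</body></html>
EOF
    injected_tags "$tmp/index.html" "$tmp/served.html"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# demo_clean: same on-disk page served unmodified; prints nothing, returns 1.
demo_clean() {
    tmp="$(mktemp -d)"
    printf '<html><body><script src="/js/menu.js"></script></body></html>\n' > "$tmp/a.html"
    cp "$tmp/a.html" "$tmp/b.html"
    injected_tags "$tmp/a.html" "$tmp/b.html"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

The legitimate `/js/menu.js` script is on both copies and is not reported; only lines that exist solely in the served copy are. A clean diff does not prove the host is clean (the injection may be conditional on the client, the URL or the time), but a non-empty one is strong evidence that something between the file system and the socket is rewriting responses, and the next step is to list loaded modules with `lsmod` against a known-good list and rebuild the box rather than trust its own tools.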
