Serious security breach on Developer Blog

News, happenings
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

Dreamweaver under WINE

#101 Post by prehistoric »

@ttuuxxx,

A friend who teaches classes about internet development also has a Dreamweaver habit that is hard to break. Some weeks ago I sent him a note after I heard that Dreamweaver now works on Linux under WINE. Haven't had a response from him. If you want the reference I can dig it out, but I expect you can find it faster.

prehistoric

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#102 Post by ttuuxxx »

If Dreamweaver CS3 and Photoshop CS3 work under WINE, I'll format my web development XP PC to Puppy this weekend, but first I'll try it on my Fire Hydrant PC to make sure it works fine, better safe than sorry :) Hmmm, I also would need a DVD burning program that removes menus, CSS, Macrovision. Any ideas? I always copy my kids' DVDs because they are really hard on the originals, so I give them the copies; that way I always have a perfect backup. Since Filezilla already works on Puppy as a pet package, that's my favorite FTP program, and then FireFTP, the Firefox addon. Well, have to go to work.
ttuuxx
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games :)

bobwrit
Posts: 283
Joined: Mon 12 Mar 2007, 23:33

#103 Post by bobwrit »

ttuuxxx wrote: I think I'll have to change to a different forum, I get tooooooo much porn ads anyways and that really peeves me off
Do you want a different host for the forum and then just have a page auto refer you, or just different forum software?
I need help with my forum. LINK: http://www.programers.co.nr/
http://www.freewebs.com/programm/iframe.html is my gateway page...

jimhap
Posts: 63
Joined: Sat 03 Mar 2007, 16:51

#104 Post by jimhap »

Wow... all of this while I was away????

Whoever did this is weird and mad. Obviously they want to kill Puppy for no reason. :evil:

As for security stuff, here is my story:
My website was hacked. The index.html had been changed. This guy was also attempting to install viruses on me too, with an MP3 virus.

And the system the host was running had PHP safe mode on.
I later found out it was either the control panel's fault, or the fact that the server was insecure, and was hacked into.


@BarryK:
Suggestion: maybe use what Xorg's website uses: MoinMoin.

I think it may be Servage's end. They had security holes that were never noticed until now.

-------------

As someone said already, it has been a pattern. And as scary as it is, I have come to a conclusion: since Linux is rising, the crackers are rising too. They are interested in Linux now. I have to say, Linux had a victory. Compiz Fusion rocks ;) and everything went wild. And Vista just died. But now, the theory that a virus can't kill Linux unless under special conditions is put to the test.

And why am I drawing this conclusion? It is a pattern.

There was another shock at Ubuntu.....
(I was fooling around with Ubuntu for a while....)
On their forums, some crazy dumb people were eager enough to let newbies kill themselves!!!! :evil:

(http://ubuntuforums.org/announcement.php?f=13)

Hope there are no more attacks on Puppy.....

jimhap

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#105 Post by ttuuxxx »

bobwrit wrote:
ttuuxxx wrote: I think I'll have to change to a different forum, I get tooooooo much porn ads anyways and that really peeves me off
Do you want a different host for the forum and then just have a page auto refer you, or just different forum software?
Thanks, but my service provider does a good job. Just a change of software I think I need to do. phpBB just doesn't seem to be safe.
ttuuxxx

wingruntled

#106 Post by wingruntled »

ttuuxxx
You'd better have a look at the last four posts on your forum. :shock:
Yep, phpBB does seem to be a problem, but you are running the old version also. Have a look at the new version.

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#107 Post by ttuuxxx »

Yes, but it's what my server host provides me as part of the "Fantastico" package. Maybe with the newer servers that they just installed it would be updated. :) If not I'll just have to change the forum, probably after the 1st.
ttuuxxx

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#108 Post by Pizzasgood »

FWIW, phpBB is pretty simple to install by hand. I think you might need to create a mysql database and user for it first, but otherwise it's pretty basic. And the website control panel thing usually has a mysql tool.
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#109 Post by ttuuxxx »

Pizzasgood wrote:FWIW, phpBB is pretty simple to install by hand. I think you might need to create a mysql database and user for it first, but otherwise it's pretty basic. And the website control panel thing usually has a mysql tool.
Yes, I've installed phpBB before on another server using PuTTY, but my server host does not allow any server side scripting or PuTTY. Basically I can only use Fantastico, so my arms are tied. They did say they would let me use it if I sent them a copy of my driver's license and one other form of ID; it's a security measure.
ttuuxxx

wingruntled

#110 Post by wingruntled »

ttuuxxx
Now what?
Server not found

Firefox can't find the server at www.ttuuxxx.com.

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#111 Post by Caneri »

I had a bit of trouble this morning...should be fixed..I hope.

This is the problem..they got around my ban..sheesh.

EDIT: Link removed



Eric
Last edited by Caneri on Thu 24 Jan 2008, 18:42, edited 1 time in total.
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb

ttuuxxx
Posts: 11171
Joined: Sat 05 May 2007, 10:00
Location: Ontario Canada,Sydney Australia

#112 Post by ttuuxxx »

wingruntled wrote:ttuuxxx
Now what?
Server not found

Firefox can't find the server at www.ttuuxxx.com.
That's because they are changing servers and I'll have to redirect my domain to the new server. I'll do it when I get home tonight.
ttuuxxx

cplater
Posts: 56
Joined: Sat 11 Jun 2005, 11:51
Location: Huntsville, Alabama

#113 Post by cplater »

ttuuxxx wrote:
Pizzasgood wrote:FWIW, phpBB is pretty simple to install by hand. I think you might need to create a mysql database and user for it first, but otherwise it's pretty basic. And the website control panel thing usually has a mysql tool.
Yes, I've installed phpBB before on another server using PuTTY, but my server host does not allow any server side scripting or PuTTY. Basically I can only use Fantastico, so my arms are tied. They did say they would let me use it if I sent them a copy of my driver's license and one other form of ID; it's a security measure.
ttuuxxx
Sounds like you need a new hosting company.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#114 Post by Flash »

How to avoid being a phishing Webserver admin
I don't know if that's what's going on, but it's worth a read.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

open new thread?

#115 Post by prehistoric »

I've exchanged PMs with Flash about issues raised by the above article and he has decided it's time to take general security discussions public. We'll see where he and John Murga decide to put this.

Checking the pages linked in the article above I found a new report on servertune.com

Even if the incidents we are discussing did not involve the exact same software there are real similarities. While the targets were servers there is a possible motivation for attacks on both Barry's site and ttuuxxx's.

The exploit above used a rootkit implemented through loadable kernel modules to propagate js_random. The ultimate goal was not simply to compromise a Linux system, but rather to compromise all sites and systems served by that system, regardless of type. The purpose was phishing.

As yet there are few servers running Puppy, so we would appear to be out of their gun sights. This may give us a false sense of security.

I have already noted two types of people fascinated by Puppy: system support staff and black hat hackers. Because Puppy is fast, and more convenient than other tools, and running entirely in RAM protects you from a possibly corrupt hard drive (or protects the hard drive from you), systems people often like to boot Puppy so they can log in to servers from any computer, without worrying about what software the local computer is running or about leaving sensitive data on that system. Black hats also like the stealth characteristics, in addition to convenience and power.

While this provides one dimension of security, the fact that people trust it makes Puppy a tempting target. If, and this is only a possibility, a black hat were able to install a rootkit in an ISO image which was widely copied he could run a key logger which would squirt out the results of a session to a drop site on the net under cover of other operations. Doing this at shutdown would mean users would be unlikely to notice the activity. This could be used to collect passwords for servers. It would explain how attackers were able to break into a system in record time. (For any black hats reading this I want you to also consider the possibility you are not at the top of the food chain. Stealing a 'bot net from someone who can't scream for help has a large payoff. Maybe the guy who passed you those tools wasn't the friend you thought.)

So, even if Puppy users themselves are not tempting targets to exploit, they may provide access to more lucrative victims. In this model BarryK would be the highest value target, while someone who distributes a popular derivative, like ttuuxxx's Fire Hydrant, would be next in line. This would make the spamming a distraction from the real and more sinister purpose.

I trust BarryK more than many people I regularly meet face to face. This does not mean that code which has passed through his hands retains some virtue like a relic of a saint. We are given the results of Barry's efforts and encouraged to modify them, if we accept responsibility for the consequences. If we do not already have malicious modifications around, it is only a matter of time until they show up.

All the times I have told people about running in RAM without touching the hard drive I've assumed I used "pfix=ram" to assure this. If someone told me they didn't use this option I would ask "What did you expect to happen?" While testing the "Junior" edition of Dragon Puppy, where the creator was trying everything to get boot time down, I found out I might not get the chance to enter options. Simply hitting control-alt-delete did not prevent a system update, even though it never got as far as bringing up the X window system. I restored my previous system when I saw the changes. This made me think: "What if someone deliberately exploited update to propagate malware?" Get a rootkit into an ISO image and all bets about security are off.

Comments?

prehistoric

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

avoiding paranoia

#116 Post by prehistoric »

Here's an update on my progress, with an emphasis on things not found.

I still have not found a confirmed malicious Puppy kernel module. This probably takes more skilled labor than attackers want to invest against Puppy.

I haven't found a malicious browser for Puppy, although this would appear to be easier to implement. Old browsers with unpatched vulnerabilities are possible points of entry, but can't be easily identified as malware.

In the last few days people have reported several, unrelated incidents which show evidence of the js_random attack.

Here's one that stumped me for a time. A school where I had donated a computer reported it was displaying messages about scripts taking too long. There was a mention of Flash player. I assumed the machine had been infected and brought it home to check in isolation.

At home, the problem was impossible to reproduce. This is a particularly simple set up, running W98SE because the school uses Windoze VPN software, with FireFox 2.0.0.11. It is only used by first graders for one site teaching reading. The site uses javascript, not java. It has not previously required Flash, and did not when I tested it from home. The scripts involved are simple and have survived a great deal of testing.

The machine in question shows no signs of malware, and the spyware guard I installed is working. Other tools report it is clean. The school system's network does not appear to be compromised, AFAIK.

Even though js_random runs on servers with LAMP (Linux-Apache-MySQL-PHP), its ultimate targets are the credit cards of people on Windows systems. The initial entry for most victims of js_random comes from javascript inserted after the code leaves the http server and before it reaches the user's browser. In security terms this is a "man in the middle" attack. The injected code redirects the browser to a site which tests for several common vulnerabilities. One exposed hole deals with "cross domain scripting". A lot of people are running browsers without the fixes in either the browser or in a plugin like Flash. (At the moment I am running Opera 9.25, which has them.) This would account for the message about scripting and Flash on the school computer. The browser was redirected to a site which tried to test a Flash plugin which was not used by the legitimate site.

The way attackers get into systems on the first try shows they are stealing passwords and, presumably, keeping them in a massive database.

We need to remain watchful, to avoid distributing infected systems, but the primary problem still appears to be on servers, which are, in general, running a different version of Linux. Malicious attacks on Puppy sites are the result of powerful tools and compromised passwords, not great skill on the part of people using the tools.

One final point, having absolute security in one direction, say, running entirely in RAM, says nothing about security in another direction. We are as vulnerable to "man in the middle" attacks as other computer users.

Regards,

prehistoric

HairyWill
Posts: 2928
Joined: Fri 26 May 2006, 23:29
Location: Southampton, UK

Re: avoiding paranoia

#117 Post by HairyWill »

prehistoric wrote:Here's one that stumped me for a time. A school where I had donated a computer reported it was displaying messages about scripts taking too long. There was a mention of Flash player. I assumed the machine had been infected and brought it home to check in isolation.
This is probably just a javascript intensive site and a slow processor. I can reproduce this on my machine (1.2GHz CPU) with the following javascript

Code:

<h1 onclick="a=0;for(i=0;i<100000;i++){a=a+i;};alert(a)">foo</h1>
Presumably the browser is just giving you a chance to abort buggy javascript that has taken too long to complete.
Will
contribute: community website (http://www.puppylinux.org), screenshots (http://tinyurl.com/6c3nm6), puplets (http://tinyurl.com/6j2gbz), wiki (http://tinyurl.com/57gykn), rss (http://tinyurl.com/5dgr83)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

buggy javascript

#118 Post by prehistoric »

@HairyWill,

This could not be reproduced with the same machine, same slow processor, accessing the same site through my connection. The machine had worked for weeks before, on the same site, running the same lessons, without displaying the message. My conclusion was that the javascript it was running at the time of the message was not exactly the same script sent out by the originating site, which is precisely what js_random does. It could also be a bottleneck in the school's network which caused delays, but that leaves the mention of Flash to explain.

There have been other indications of redirects in totally unrelated incidents recently, all over the 'net. I'm frustrated because these seem to happen in circumstances where solid evidence is hard to collect. (You can imagine the description I got from the school.) Attackers probe for the weakest links.

Next question: if this was a deliberate attempt, where was the compromised machine that injected the extra script?

My comment about Puppy's vulnerability to "man in the middle" attacks remains valid even if I am totally wrong about the school.

We live in interesting times.

prehistoric

Added: I'm sorry I ever mentioned a problem on W98 that wasn't reproducible. Please, hold your fire. I'm human too, as I often prove.

Still Later: Well, the browser at the school was being redirected, and the problem did involve software. Keywords: internet, keyboard, playdough

nic2109
Posts: 405
Joined: Mon 01 Jan 2007, 20:24
Location: Hayslope, near Middlemarch, Midlands, England

#119 Post by nic2109 »

I know that this topic has died down recently - though the Servage problems haven't gone away and have simply been by-passed - but this sort of vulnerability is (at last) reaching mainstream media consciousness.

See http://news.bbc.co.uk/1/hi/technology/7345990.stm
Nick

Nathan F
Posts: 1764
Joined: Wed 08 Jun 2005, 14:45
Location: Wadsworth, OH (occasionally home)

#120 Post by Nathan F »

I just had a really similar attack on grafpup.org earlier today. Every php script had its permissions changed to 777, and had a php include inserted into the bottom. The include pointed to a jpeg image in my coppermine gallery, which was of course a fake and in reality was a php script. I caught it while it was happening and haven't had a chance to figure out what the script was trying to do yet.

Nathan
Bring on the locusts ...
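As an added defender-side example (not from this thread or from grafpup), a sweep for the two symptoms Nathan describes: .php files flipped to a world-writable mode and an include/require whose target is an image-named file. The sample directory tree, its file contents, the regex and the list of image extensions are all constructed assumptions for the demonstration.

```python
import re
import stat
import tempfile
from pathlib import Path

# include/require (optionally _once) whose target ends in an image extension.
# The extension list is an assumption; the post itself only mentions a jpeg.
IMAGE_INCLUDE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*['\"][^'\"]*\.(jpe?g|gif|png)['\"]",
    re.IGNORECASE,
)


def suspicious_php(root):
    """Return {relative path: [findings]} for every .php file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        issues = []
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & stat.S_IWOTH:  # world-writable, e.g. the 0777 in the post
            issues.append("world-writable mode %o" % mode)
        # The post says the include was appended at the bottom; scanning every
        # line also catches an insertion anywhere else in the file.
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if IMAGE_INCLUDE.search(line):
                issues.append("include of image-named file at line %d" % lineno)
        if issues:
            findings[path.relative_to(root).as_posix()] = issues
    return findings


def build_sample_site():
    """Constructed sample tree: one clean script, one tampered as described."""
    root = Path(tempfile.mkdtemp(prefix="site_"))
    (root / "gallery").mkdir()
    clean = root / "index.php"
    clean.write_text("<?php\nrequire_once 'config.php';\necho 'hello';\n")
    clean.chmod(0o644)
    tampered = root / "gallery" / "view.php"
    tampered.write_text(
        "<?php\necho 'gallery';\n?>\n"
        "<?php include('albums/upload/img_0042.jpg'); ?>\n"  # constructed line
    )
    tampered.chmod(0o777)
    return root


if __name__ == "__main__":
    for rel, issues in suspicious_php(build_sample_site()).items():
        print(rel, "->", "; ".join(issues))
```

A hit only flags a file for inspection; the fake image itself still has to be read to learn what the included script does.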
