Puppy Linux Discussion Forum
Serious security breach on Developer Blog
Moderators: Flash, Ian, JohnMurga
Page 8 of 9 [121 Posts]
wingruntled

Joined: 20 Feb 2007
Posts: 287
Location: Great Lakes

PostPosted: Wed 23 Jan 2008, 05:35    Post subject:  

ttuuxxx
You'd better have a look at the last four posts on your forum. Shocked
Yep, phpBB does seem to be a problem, but you are running the old version also. Have a look at the new version.
ttuuxxx


Joined: 05 May 2007
Posts: 10747
Location: Ontario Canada,Sydney Australia

PostPosted: Wed 23 Jan 2008, 08:03    Post subject:  

Yes, but it's what my server host provides me as part of the "Fantastico" package. Maybe with the newer servers that they just installed it would be updated. Smile If not I'll just have to change the forum. Probably after the 1st.
ttuuxxx

_________________
http://audio.online-convert.com/ <-- excellent site
http://samples.mplayerhq.hu/A-codecs/ <-- Codec Test Files
http://html5games.com/ <-- excellent HTML5 games Smile

Pizzasgood


Joined: 04 May 2005
Posts: 6270
Location: Knoxville, TN, USA

PostPosted: Wed 23 Jan 2008, 18:25    Post subject:  

FWIW, phpBB is pretty simple to install by hand. I think you might need to create a mysql database and user for it first, but otherwise it's pretty basic. And the website control panel thing usually has a mysql tool.
_________________
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

ttuuxxx


Joined: 05 May 2007
Posts: 10747
Location: Ontario Canada,Sydney Australia

PostPosted: Thu 24 Jan 2008, 00:52    Post subject:  

Pizzasgood wrote:
FWIW, phpBB is pretty simple to install by hand. I think you might need to create a mysql database and user for it first, but otherwise it's pretty basic. And the website control panel thing usually has a mysql tool.


Yes, I've installed phpBB before on another server using PuTTY, but my server host does not allow any server-side scripting or PuTTY. Basically I can only use Fantastico, so my arms are tied. They did say they would let me use it if I sent them a copy of my driver's license and one other form of ID, as a security measure.
ttuuxxx

wingruntled

Joined: 20 Feb 2007
Posts: 287
Location: Great Lakes

PostPosted: Thu 24 Jan 2008, 11:23    Post subject:  

ttuuxxx
Now what?
Quote:
Server not found

Firefox can't find the server at www.ttuuxxx.com.
Caneri

Joined: 04 Sep 2007
Posts: 1580
Location: Canada

PostPosted: Thu 24 Jan 2008, 11:38    Post subject:  

I had a bit of trouble this morning...should be fixed..I hope.

This is the problem..they got around my ban..sheesh.

EDIT: Link removed



Eric

_________________
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb


Last edited by Caneri on Thu 24 Jan 2008, 14:42; edited 1 time in total
ttuuxxx


Joined: 05 May 2007
Posts: 10747
Location: Ontario Canada,Sydney Australia

PostPosted: Thu 24 Jan 2008, 11:51    Post subject:  

wingruntled wrote:
ttuuxxx
Now what?
Quote:
Server not found

Firefox can't find the server at www.ttuuxxx.com.


That's because they are changing servers and I'll have to redirect my domain to the new server. I'll do it when I get home tonight.
ttuuxxx

cplater


Joined: 11 Jun 2005
Posts: 56
Location: Huntsville, Alabama

PostPosted: Fri 25 Jan 2008, 10:39    Post subject:  

ttuuxxx wrote:
Pizzasgood wrote:
FWIW, phpBB is pretty simple to install by hand. I think you might need to create a mysql database and user for it first, but otherwise it's pretty basic. And the website control panel thing usually has a mysql tool.


Yes, I've installed phpBB before on another server using PuTTY, but my server host does not allow any server-side scripting or PuTTY. Basically I can only use Fantastico, so my arms are tied. They did say they would let me use it if I sent them a copy of my driver's license and one other form of ID, as a security measure.
ttuuxxx


Sounds like you need a new hosting company.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10962
Location: Arizona USA

PostPosted: Tue 29 Jan 2008, 10:07    Post subject:  

How to avoid being a phishing Webserver admin
I don't know if that's what's going on, but it's worth a read.
prehistoric


Joined: 23 Oct 2007
Posts: 1255

PostPosted: Wed 30 Jan 2008, 09:52    Post subject: open new thread?
Subject description: need a place to discuss security beyond this incident
 

I've exchanged PMs with Flash about issues raised by the above article and he has decided it's time to take general security discussions public. We'll see where he and John Murga decide to put this.

Checking the pages linked in the article above I found a new report on servertune.com

Even if the incidents we are discussing did not involve the exact same software there are real similarities. While the targets were servers there is a possible motivation for attacks on both Barry's site and ttuuxxx's.

The exploit above used a rootkit implemented through loadable kernel modules to propagate js_random. The ultimate goal was not simply to compromise a Linux system, but rather to compromise all sites and systems served by that system, regardless of type. The purpose was phishing.

As yet there are few servers running Puppy, so we would appear to be out of their gun sights. This may give us a false sense of security.

I have already noted two types of people fascinated by Puppy: system support staff and black hat hackers. Because Puppy is fast and more convenient than other tools, and running entirely in RAM protects you from a possibly corrupt hard drive (or protects the hard drive from you), systems people often like to boot Puppy so they can log in to servers from any computer, without worrying about what software the local computer is running or about leaving sensitive data on that system. Black hats also like the stealth characteristics, in addition to convenience and power.

While this provides one dimension of security, the fact that people trust it makes Puppy a tempting target. If, and this is only a possibility, a black hat were able to install a rootkit in an ISO image which was widely copied he could run a key logger which would squirt out the results of a session to a drop site on the net under cover of other operations. Doing this at shutdown would mean users would be unlikely to notice the activity. This could be used to collect passwords for servers. It would explain how attackers were able to break into a system in record time. (For any black hats reading this I want you to also consider the possibility you are not at the top of the food chain. Stealing a 'bot net from someone who can't scream for help has a large payoff. Maybe the guy who passed you those tools wasn't the friend you thought.)

So, even if Puppy users themselves are not tempting targets to exploit, they may provide access to more lucrative victims. In this model BarryK would be the highest value target, while someone who distributes a popular derivative, like ttuuxxx's Fire Hydrant, would be next in line. This would make the spamming a distraction from the real and more sinister purpose.

I trust BarryK more than many people I regularly meet face to face. This does not mean that code which has passed through his hands retains some virtue like a relic of a saint. We are given the results of Barry's efforts and encouraged to modify them, if we accept responsibility for the consequences. If we do not already have malicious modifications around, it is only a matter of time until they show up.

All the times I have told people about running in RAM without touching the hard drive I've assumed I used "pfix=ram" to assure this. If someone told me they didn't use this option I would ask "What did you expect to happen?" While testing the "Junior" edition of Dragon Puppy, where the creator was trying everything to get boot time down, I found out I might not get the chance to enter options. Simply hitting control-alt-delete did not prevent a system update, even though it never got as far as bringing up the X window system. I restored my previous system when I saw the changes. This made me think: "What if someone deliberately exploited update to propagate malware?" Get a rootkit into an ISO image and all bets about security are off.

Comments?

prehistoric
prehistoric


Joined: 23 Oct 2007
Posts: 1255

PostPosted: Thu 07 Feb 2008, 14:36    Post subject: avoiding paranoia  

Here's an update on my progress, with an emphasis on things not found.

I still have not found a confirmed malicious Puppy kernel module. This probably takes more skilled labor than attackers want to invest against Puppy.

I haven't found a malicious browser for Puppy, although this would appear to be easier to implement. Old browsers with unpatched vulnerabilities are possible points of entry, but can't be easily identified as malware.

In the last few days people have reported several, unrelated incidents which show evidence of the js_random attack.

Here's one that stumped me for a time. A school where I had donated a computer reported it was displaying messages about scripts taking too long. There was a mention of Flash player. I assumed the machine had been infected and brought it home to check in isolation.

At home, the problem was impossible to reproduce. This is a particularly simple set-up, running W98SE because the school uses Windoze VPN software, with Firefox 2.0.0.11. It is only used by first graders for one site teaching reading. The site uses javascript, not java. It has not previously required Flash, and did not when I tested it from home. The scripts involved are simple and have survived a great deal of testing.

The machine in question shows no signs of malware, and the spyware guard I installed is working. Other tools report it is clean. The school system's network does not appear to be compromised, AFAIK.

Even though js_random runs on servers with LAMP (Linux-Apache-MySQL-PHP), its ultimate targets are the credit cards of people on Windows systems. The initial entry for most victims of js_random comes from javascript inserted after the code leaves the http server and before it reaches the user's browser. In security terms this is a "man in the middle" attack. The injected code redirects the browser to a site which tests for several common vulnerabilities. One exposed hole deals with "cross domain scripting". A lot of people are running browsers without the fixes in either the browser or in a plugin like Flash. (At the moment I am running Opera 9.25, which has them.) This would account for the message about scripting and Flash on the school computer. The browser was redirected to a site which tried to test a Flash plugin which was not used by the legitimate site.

The way attackers get into systems on the first try shows they are stealing passwords and, presumably, keeping them in a massive database.

We need to remain watchful, to avoid distributing infected systems, but the primary problem still appears to be on servers, which are, in general, running a different version of Linux. Malicious attacks on Puppy sites are the result of powerful tools and compromised passwords, not great skill on the part of people using the tools.

One final point, having absolute security in one direction, say, running entirely in RAM, says nothing about security in another direction. We are as vulnerable to "man in the middle" attacks as other computer users.

Regards,

prehistoric
HairyWill


Joined: 26 May 2006
Posts: 2949
Location: Southampton, UK

PostPosted: Thu 07 Feb 2008, 15:28    Post subject: Re: avoiding paranoia  

prehistoric wrote:
Here's one that stumped me for a time. A school where I had donated a computer reported it was displaying messages about scripts taking too long. There was a mention of Flash player. I assumed the machine had been infected and brought it home to check in isolation.
This is probably just a javascript-intensive site and a slow processor. I can reproduce this on my machine (1.2 GHz CPU) with the following javascript
Code:
<h1 onclick="a=0;for(i=0;i<100000;i++){a=a+i;};alert(a)">foo</h1>
Presumably the browser is just giving you a chance to abort buggy javascript that has taken too long to complete.
_________________
Will
contribute: community website, screenshots, puplets, wiki, rss
prehistoric


Joined: 23 Oct 2007
Posts: 1255

PostPosted: Thu 07 Feb 2008, 16:34    Post subject: buggy javascript  

@HairyWill,

This could not be reproduced with the same machine, same slow processor, accessing the same site through my connection. The machine had worked for weeks before, on the same site, running the same lessons, without displaying the message. My conclusion was that the javascript it was running at the time of the message was not exactly the same script sent out by the originating site, which is precisely what js_random does. It could also be a bottleneck in the school's network which caused delays, but that leaves the mention of Flash to explain.

There have been other indications of redirects in totally unrelated incidents recently, all over the 'net. I'm frustrated because these seem to happen in circumstances where solid evidence is hard to collect. (You can imagine the description I got from the school.) Attackers probe for the weakest links.

Next question: if this was a deliberate attempt, where was the compromised machine that injected the extra script?

My comment about Puppy's vulnerability to "man in the middle" attacks remains valid even if I am totally wrong about the school.

We live in interesting times.

prehistoric

Added: I'm sorry I ever mentioned a problem on W98 that wasn't reproducible. Please, hold your fire. I'm human too, as I often prove.

Still Later: Well, the browser at the school was being redirected, and the problem did involve software. Keywords: internet, keyboard, playdough
nic2109

Joined: 01 Jan 2007
Posts: 406
Location: Hayslope, near Middlemarch, Midlands, England

PostPosted: Mon 14 Apr 2008, 09:35    Post subject:  

I know that this topic has died down recently - though the Servage problems haven't gone away and have simply been by-passed - but this sort of vulnerability is (at last) reaching mainstream media consciousness.

See http://news.bbc.co.uk/1/hi/technology/7345990.stm

_________________
Nick
Nathan F


Joined: 08 Jun 2005
Posts: 1760
Location: Wadsworth, OH (occasionally home)

PostPosted: Fri 18 Apr 2008, 22:12    Post subject:  

I just had a really similar attack on grafpup.org earlier today. Every php script had its permissions changed to 777, and had a php include inserted into the bottom. The include pointed to a jpeg image in my Coppermine gallery, which was of course a fake and in reality was a php script. I caught it while it was happening and haven't had a chance to figure out what the script was trying to do yet.

Nathan

_________________
Bring on the locusts ...
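As an added example (not code from this thread or from grafpup.org), here is a small Python scanner that looks for the two symptoms Nathan describes: PHP files made world-writable and a PHP include appended at the bottom that pulls in an "image" from the gallery. The web root, file names and the fake-jpeg path are constructed for the demo.

```python
# Added example: detect PHP scripts that are world-writable (mode 777) and/or
# end with an include/require of a file carrying an image extension, the two
# signs of the grafpup.org incident described above.  The sample web root
# below is constructed for the demo; nothing here is the site's real layout.
import os
import re
import stat
import tempfile

# include/require whose target pretends to be an image
IMAGE_INCLUDE = re.compile(
    r"(include|require)(_once)?\s*\(?\s*['\"][^'\"]*\.(jpe?g|png|gif)['\"]",
    re.IGNORECASE,
)

def scan_php_file(path):
    """Return a list of findings for one .php file (empty list = clean)."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:            # world-writable, e.g. after chmod 777
        findings.append("world-writable")
    with open(path, "r", errors="replace") as fh:
        tail = fh.read().splitlines()[-5:]   # injected code sits at the bottom
    if any(IMAGE_INCLUDE.search(line) for line in tail):
        findings.append("include of image file")
    return findings

def scan_webroot(root):
    """Walk root and map each suspicious .php path (relative) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                hits = scan_php_file(full)
                if hits:
                    report[os.path.relpath(full, root)] = hits
    return report

def build_sample_webroot():
    """Constructed sample: one clean script, one script showing both symptoms."""
    root = tempfile.mkdtemp(prefix="webroot_")
    clean = os.path.join(root, "index.php")
    with open(clean, "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    os.chmod(clean, 0o644)
    hacked = os.path.join(root, "gallery", "displayimage.php")
    os.makedirs(os.path.dirname(hacked))
    with open(hacked, "w") as fh:
        fh.write("<?php\necho 'gallery';\n"
                 "<?php include('albums/userpics/10001/logo.jpg'); ?>\n")
    os.chmod(hacked, 0o777)
    return root

if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_webroot()).items():
        print(path, "->", ", ".join(hits))
```

Run it against the real document root with `scan_webroot("/path/to/htdocs")`; a clean tree returns an empty dict.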