Security Issue

Hey everyone, I noticed this thread http://www.interworx.com/forums/showthread.php?t=926&highlight=hack and it seems very applicable to something I'm experiencing. I was wondering if somebody could tell me the best way to track down a vulnerable php script like this.

Thanks,
Dave

Hello,

In fact these phpBB exploits are done by BOTS, not humans. So as long as you have a phpBB that is not up to date you will have these exploits. The bots stop when the exploit is not possible. So install the latest secure version of phpBB.

If you can't install the latest version of phpBB (for example because your client doesn't do it), be sure to secure your box:

  • The simple way is to chmod wget to 700
  • You might also use mod_security with a rule like this one
  • The best is to have a /tmp partition with noexec,nosuid in /etc/fstab

But even if your box is secure (so the exploit is not done) you'll continue to receive these attacks, because BOTS check whether phpBB is exploitable.

If you can't upgrade to the latest secure release of phpBB you might also suspend the account. In this case the document root is

/home/interworx/var/disabled/

As there is no phpBB any more, the bots will eventually stop.

Hope this helps

Pascal

Hi

Well, it is well explained in the thread you mention.

Generally these issues come from BOTS that use phpBB or phpNuke exploits (the most used is the phpBB one, with viewtopic and highlight).

I'd install mod_security if you haven't already done so.

Also there are 2 scripts from the VERY good r-fx website that you might use:
NSIV (network socket inode validation) and LSM (linux socket monitor)
See here http://www.r-fx.org/nsiv.php

We have both, and if a php script has a security issue which enables something to listen on 80 or 443, then NSIV alerts us.

In fact, now we have fewer and fewer alerts, as we secured our /tmp and wget (+ mod_security).

So my advice is to first try to find which pid is using your 443 port by following Chris's and Paul's advice in the thread you mentioned, and then try to secure your box:

  • The best is to secure /tmp (create a /tmp partition with noexec, nosuid)
  • Secure wget: chmod it to 700
  • Install mod_security and install rules that stop known security issues of major scripts like phpBB, phpNuke, … (on shared webhosting you can't control that all your clients always install the latest secure release of their scripts. And I'm pretty sure they'll really appreciate it if you alert them that there is a security issue in their scripts and ask them to upgrade to the latest release)
  • Install these great r-fx tools

Hope this helps

Pascal
PS: Interworx integrates 2 existing r-fx scripts: sim 2.5 (the autorestart feature; you might also tweak conf.sim to add sshd, qmail-smtp and tinydns (djbdns)) and apf (not the latest release, but it is great), so do not install them :)

About nsiv of r-fx

Sometimes it might not work fine. I had a problem with it. It was just because netstat -anpl for httpd didn't return the same thing as on some other boxes.

I mean, sometimes netstat -anpl returns for httpd

tcp        0      0 :::80                       :::*                        LISTEN      31306/httpd

and on some other boxes it returns

tcp        0      0 0.0.0.0:80                       0.0.0.0:*                        LISTEN      31306/httpd

If your netstat -anpl command returns :::80 and not 0.0.0.0:80, then here is a little hack of NSIV I've done.
Before

# 0.0.0.0:PORT form: after the tr, the port is field 5 and the PID field 9
BOUND_PID=$(netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$5" "$9}' | grep -w :$PORT | awk '{print$2}' | tail -n 1)
PID=$BOUND_PID

Just ADD

if [ "$PORT" = "80" -o "$PORT" = "443" -o "$PORT" = "22" -o "$PORT" = "2443" ]; then
    # :::PORT form: after the tr, the port is field 4 and the PID field 7
    BOUND_PID=$(netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$4" "$7}' | grep -w :$PORT | awk '{print$2}' | tail -n 1)
    PID=$BOUND_PID
else

and after the existing BOUND_PID and PID lines add the fi of the if. So you should now have:

if [ "$PORT" = "80" -o "$PORT" = "443" -o "$PORT" = "22" -o "$PORT" = "2443" ]; then
    # :::PORT form: after the tr, the port is field 4 and the PID field 7
    BOUND_PID=$(netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$4" "$7}' | grep -w :$PORT | awk '{print$2}' | tail -n 1)
    PID=$BOUND_PID
else
    # 0.0.0.0:PORT form: after the tr, the port is field 5 and the PID field 9
    BOUND_PID=$(netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$5" "$9}' | grep -w :$PORT | awk '{print$2}' | tail -n 1)
    PID=$BOUND_PID
fi

Like this it works fine.

You may also add a rule for iworx-web. If some of you need it, ask me and I'll give it to you.

Pascal
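A generalisation of the hack above, written here as an added example (it is neither Pascal's code nor part of NSIV): instead of listing the ports that print as :::PORT, take the local-address field and strip everything up to its last colon, which yields the bare port for both the 0.0.0.0:80 and the :::80 layouts. The netstat lines below are constructed in the two layouts shown above; the function name bound_pid is my own.

```shell
# Added example, not NSIV's code: port-to-PID lookup that handles both
# netstat address styles. Sample output constructed from the two layouts above.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2201/qmail-smtpd
tcp        0      0 :::80                       :::*                        LISTEN      31306/httpd
tcp        0      0 :::443                      :::*                        LISTEN      31306/httpd
unix  2      [ ACC ]     STREAM     LISTENING     9876   4321/foo /tmp/foo.sock'

# bound_pid PORT [NETSTAT_OUTPUT]
# Prints the PID listening on TCP PORT, or nothing. With one argument it runs
# "netstat -napl" itself (run as root, otherwise other users' PIDs are hidden).
# Field 4 is the local address; sub(/.*:/, "", addr) drops everything up to
# the last ':', so "0.0.0.0:80", "127.0.0.1:25" and ":::80" all reduce to the
# port. Field 7 is "PID/Program"; split on '/' to get the PID.
bound_pid() {
    port=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(netstat -napl 2>/dev/null); fi
    printf '%s\n' "$out" | awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            sub(/.*:/, "", addr)
            if (addr == port) {
                split($7, pp, "/")
                pid = pp[1]          # last matching line wins, like tail -n 1
            }
        }
        END { if (pid != "") print pid }'
}

# Usage on a live box:  bound_pid 443
```

Because the port is taken from the address field itself, there is no port list to maintain when a new service (iworx-web on 2443, for example) starts binding on the IPv6 wildcard.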

> • The best is to secure /tmp (create a /tmp partition with noexec, nosuid)
> • Secure wget: chmod it to 700

Pascal, what is the best way to secure tmp?
How do I change wget to 700?

And for http://www.r-fx.org/nsiv.php, can you write a complete how-to please? :)

I tried to make it run some time ago but had a lot of trouble.

I'd appreciate more info.

Thanks

Hello

About /tmp, it depends whether /tmp is a partition or a directory. If it is a directory you have to change it into a partition.

To change wget to 700, do this as root via ssh:

which wget

it should return something like
/usr/bin/wget

then do
chmod 700 /the/path/of/wget (generally /usr/bin/wget)

To change your tmp directory into a mountable partition there are a few ways, but if you are not familiar with this, I do not think it's a good option. Maybe ask a sysadmin.
You might have a look here http://www.eth0.us/tmp but BE CAREFUL, you DO THAT AT YOUR OWN RISK

Hope it helps

Pascal
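An added example (mine, not from this thread or from InterWorx) of the /tmp part of Pascal's advice: the /etc/fstab line for a separate /tmp with the options he names, and a small check that reads /proc/mounts-style lines and reports whether /tmp is really mounted with noexec and nosuid. The device name is a placeholder and the mount lines are constructed.

```shell
# Added example, not from the thread. Constructed fstab entry for a dedicated
# /tmp filesystem; /dev/sdaN is a placeholder for your own partition.
FSTAB_TMP_LINE='/dev/sdaN   /tmp   ext3   defaults,noexec,nosuid,nodev   1 2'

# tmp_mount_flags [MOUNTS_TEXT]
# Reads /proc/mounts (or the text given) and prints:
#   "ok"                      /tmp is a mount with noexec and nosuid
#   "missing: noexec nosuid"  /tmp is mounted but lacks the listed options
#   "no-tmp-mount"            /tmp is just a directory on another filesystem
tmp_mount_flags() {
    if [ $# -ge 1 ]; then mounts=$1; else mounts=$(cat /proc/mounts); fi
    printf '%s\n' "$mounts" | awk '
        $2 == "/tmp" {
            found = 1
            for (k in seen) delete seen[k]   # a later /tmp line (remount) wins
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) seen[opt[i]] = 1
        }
        END {
            if (!found) { print "no-tmp-mount"; exit }
            miss = ""
            if (!("noexec" in seen)) miss = miss " noexec"
            if (!("nosuid" in seen)) miss = miss " nosuid"
            if (miss == "") print "ok"; else print "missing:" miss
        }'
}

# Constructed samples of a hardened and a default /tmp mount
MOUNTS_HARDENED='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'
MOUNTS_WEAK='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'
```

Once the fstab line is in place, mount -o remount,noexec,nosuid /tmp applies it without a reboot, and running tmp_mount_flags from cron gives you the same "did the setting survive" check NSIV gives for sockets. One caveat to keep in mind: noexec stops a file in /tmp from being executed directly, but an interpreter invoked with the file as an argument still reads it, so the 700 on wget and the mod_security rules remain worth having alongside it.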

> To change wget to 700, do this as root via ssh:
>
> which wget
>
> it should return something like
> /usr/bin/wget
>
> then do
> chmod 700 /the/path/of/wget (generally /usr/bin/wget)

I know on the NEXCESS.NET side of things that they chmod 750 a bunch of scripts (ftp, wget, lynx, links, curl) and set up a group for each binary (i.e. a wget, curl, lynx etc group), and then each user who needs access to a given binary is added to that group. They go as far as chmod'ing perl, php, python, ruby etc 750 as well. Given the massive amount of bots looking for holes it saves many a headache for the admin.

Chris

> I know on the NEXCESS.NET side of things that they chmod 750 a bunch of scripts (ftp, wget, lynx, links, curl) and set up a group for each binary (i.e. a wget, curl, lynx etc group), and then each user who needs access to a given binary is added to that group. They go as far as chmod'ing perl, php, python, ruby etc 750 as well. Given the massive amount of bots looking for holes it saves many a headache for the admin.

You mean you add the user to that group? Right?

Because on an interworx box we can't change the group of files owned by a siteworx account. I think the quota uses the group set on files and not the user.

I say this because if we set the main group of user TOTO, for example, to ALLOW or whatever, then all the files created by this user would get a default TOTO.ALLOW owner, right? And in this case the quota would not work.

If I understand well, you mean you do something like

usermod -a -G ALLOW TOTO (where ALLOW is the group and TOTO the user)

Is that right?

Pascal

Yes, add user to group Pascal.

Chris
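An added example (mine; not Nexcess's or InterWorx's scripts) of the scheme Chris describes, with the usermod -a -G form Pascal asked about: lock_bin puts one binary under its own group with mode 750 and appends users to that group, and audit_bin reports which binaries are still executable by everyone. Group and user names are placeholders; audit_bin relies on GNU stat -c.

```shell
# Added example, not from the thread. lock_bin needs root; audit_bin does not.

# lock_bin /path/to/binary GROUP USER...
# Creates GROUP if needed, makes the binary group-owned and mode 750 (owner
# rwx, group rx, nothing for others), then appends each USER to GROUP.
# -a -G adds a supplementary group, so the user's primary group, and with it
# the group on files the user creates, is untouched (Pascal's quota concern).
lock_bin() {
    bin=$1; grp=$2; shift 2
    getent group "$grp" >/dev/null || groupadd "$grp"
    chgrp "$grp" "$bin"
    chmod 750 "$bin"
    for u in "$@"; do usermod -a -G "$grp" "$u"; done
}

# audit_bin /path/to/binary...
# For each path prints one line: "world-executable", "restricted" or "missing",
# with the octal mode and owning group. The last octal digit of the mode holds
# the permission bits for "other"; bit 1 of that digit is execute.
audit_bin() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then printf '%s: missing\n' "$f"; continue; fi
        mode=$(stat -c %a "$f"); grp=$(stat -c %G "$f")
        other=$(( mode % 10 ))
        if [ $(( other & 1 )) -ne 0 ]; then
            printf '%s: world-executable (mode %s, group %s)\n' "$f" "$mode" "$grp"
        else
            printf '%s: restricted (mode %s, group %s)\n' "$f" "$mode" "$grp"
        fi
    done
}

# Typical runs:
#   lock_bin /usr/bin/wget wgetusers alice bob
#   audit_bin /usr/bin/wget /usr/bin/curl /usr/bin/lynx /usr/bin/perl
```

Running audit_bin over the list Chris gives (ftp, wget, lynx, links, curl, plus the interpreters) is a quick way to see which of them a compromised web script could still call; a package upgrade can silently reset the mode, so it is worth repeating after updates.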

Well it is very simple

1 - Log into your server as root via SSH

Do this
wget http://www.r-fx.ca/downloads/nsiv-current.tar.gz

then
tar -xzf nsiv-current.tar.gz

then
cd nsiv-0.3

then
./install.sh

That's it for the installation. install.sh installs everything automatically (it also creates a cronjob in /etc/cron.d/).

You now just have to configure nsiv

do
vi /usr/local/nsiv/conf.nsiv

just add your email

And that’s all. QUITE EASY

For information rules are in /usr/local/nsiv/rules/
you can edit /usr/local/nsiv/rules/httpd for example

But the default rule should work

To test it just do nsiv -so

If you have a problem, check that netstat -anpl returns
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31757/httpd

and not
tcp 0 0 :::80 :::* LISTEN 31757/httpd

If it returns :::80 then you have to apply my hack above.

Hope it helps

Pascal

> You may also add a rule for iworx-web. If some of you need it, ask me and I'll give it to you.
Hi… can you please give it to me? Thanks

Do you have a how-to for mod_security on CentOS 4.4 (x64) and iworx 2.1.3?

Thank you in advance

Paulo

When running nsiv -so, I get the output below… is this normal?
Thanks

NSIV version 0.3 <nsiv@r-fx.org>
Copyright (C) 2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
{chk.httpd} /usr/sbin/httpd inode verified on port 80

Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
{chk.httpd_ssl} /usr/sbin/httpd inode verified on port 443

{chk.named} bin value is null, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ

error encountered in rule /usr/local/nsiv/rules/ocwhttpd
{chk.proftpd} flagged for skip or module does not apply to system, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ

error encountered in rule /usr/local/nsiv/rules/sendmail
{chk.sshd} flagged for skip or module does not apply to system, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ

Hi

Just set up the good rules ;)

You don't need ocwhttpd, for example.

About the "Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ", it is because the script does a ps -axu, for example, rather than a ps axu (without the -), but it is safe and does not block anything; it's just an informational message!

Pascal

Hi Pascal,

Can you post the iworx-web rule? Thanks

Sometimes I'm getting this warning:
[…]
Inode audit of /usr/sbin/httpd failed during routine checksum. The inode mismatch was as follows:

  • expected results:
    socket port : 443
    binary path : /usr/sbin/httpd
    binary inode: 11606338

  • returned results:
    binary path :
    binary inode: 11606315

The invalid inode in question (11606315) can be located using the command:
find / -inum 11606315
[…]

for ports 443 and 80… is this normal?

Thanks again

Regards
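An added example, not NSIV's own code, of the check behind the alert quoted above: record the inode of the binary that should be behind a port once, and compare it on every run. In general a mismatch means the path now resolves to a different file than the one recorded (a replaced or upgraded binary, or a different executable behind the port), which is what the find / -inum command in the alert helps locate. The function names are my own, and the test files are constructed stand-ins for the real binary.

```shell
# Added example, not NSIV's code. Mirrors NSIV's inode audit on one binary.

inode_of() { stat -c %i "$1" 2>/dev/null; }

# verify_inode PATH EXPECTED_INODE
# Prints "ok", or "mismatch: expected E got G" (return 1), or "missing: PATH"
# (return 2). EXPECTED_INODE is what you recorded when the binary was known
# good, e.g. right after installing the package.
verify_inode() {
    got=$(inode_of "$1" || true)
    if [ -z "$got" ]; then printf 'missing: %s\n' "$1"; return 2; fi
    if [ "$got" = "$2" ]; then
        printf 'ok\n'
    else
        printf 'mismatch: expected %s got %s\n' "$2" "$got"
        return 1
    fi
}

# locate_inode INODE [ROOT]
# The lookup the alert suggests, limited to one filesystem with -xdev so it
# does not wander into /proc or network mounts. Inodes are only unique per
# filesystem, so start at the mount point that holds the binary.
locate_inode() { find "${2:-/}" -xdev -inum "$1" 2>/dev/null; }

# On a live box the path to check is the executable behind the listening PID:
#   exe=$(readlink /proc/PID/exe); verify_inode "$exe" "$expected"
```

When the alert fires, compare the two inodes from the report with what the package manager installed (rpm -V httpd on CentOS lists changed files) before treating it as a compromise: an httpd update legitimately produces the same mismatch until the expected inode is re-recorded.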