Security Issue

Hey everyone I noticed this thread http://www.interworx.com/forums/showthread.php?t=926&highlight=hack and it seems very applicable to something Im experiencing. I was wondering if somebody could tell me the best way to track down a vulnerable php script like this.

Thanks,
Dave

Hello,

In fact these phpBB exploit are done by BOTS not human. So as long as you’ll have a phpBB not uptodate you will have these exploits. The bots stop when the exploit is not possible. So install the last secure version of phpBB.

If you couldn’t install the last version of phpBB (for example because your client don’t do it) be sure to secure your box :

  • The simple way is to chmod wget to 700
  • You might also use mod_security with a rule like this one
  • The best is to have a /tmp partition with noexec,nosuid in /etc/fstab

But even if your box is secure (so the exploit is not done) uou’ll continue to receive these attacks because BOTS check that phpBB is exploitable.

[B]If you can’t upgrade to the last secure release of phpBB u might also suspend the account. In this case the documentroot is

/home/interworx/var/disabled/
[/B]

As there is no phpBB the bots will finish to stop

Hope this help

Pascal

Hi

Well it is well explained i nthe thread you mention.

Generaly these issues come from BOTS that use phpBB or phpNuke exploit. (the most use is phpBB and the viewtopic and highlight)

I’ll install mod_security if you won’t already done.

Also there is 2 scripts of the VERY good rf-x website that you mgiht use :
NSIV (network socket inode validation) and LSM (linuwx socket monitor)
See here http://www.r-fx.org/nsiv.php

We have both and if a php script have a security issue which enable the use of a listen 80 or 443 then NSIV alert us.

In fact, now we have less and less alerts, as we secured our /tmp and wget (+ mod_security)

So my advises is to first try to find which pid is using your 443 port by following the Chris and Paul avises in the thread you mentionned and then try to secure you box :

  • The best is to secure /tmp (create a /tmp partition with noexec, nosuid)
  • Secure wget . chmod it to 700
  • Install mod_security and install rules that stop know security issues of major scripts like phpBB, phpNuke, … (on a share webhosting you can’t control that all your clients always install the last secure release of their scripts. And i’m pretty sure they’ll really apreciate you alert them there is a security issue in their scripts and you ask them to upgrade to the last release)
  • Install these Great r-fx tools

Hope this help

pascal
ps : Interworx integrate 2 existing r-fx scripts : sim 2.5 (the autorestart feature, you might also tweack conf.sim to add sshd, qmail-smtp and tynidns (djbdns)) and apf (not the last release but it is grreat) so do not install them :slight_smile:

About nsiv of r-fx

Sometimes it might not work fine. I had a pbm with it. It was just because netstat -anpl for httpd didn’t return the same things than some others box

I mean
sometime netstat -anpl returns for httpd

tcp        0      0 :::80                       :::*                        LISTEN      31306/httpd

and on some others box it returns

tcp        0      0 0.0.0.0:80                       0.0.0.0:*                        LISTEN      31306/httpd

If your netstat -anpl command returnd :::80 and not 0.0.0.0:80 then I’ve done a litlle hack of NSIV
Before

BOUND_PID=netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$5" "$9}' | grep -w :$PORT | awk '{print$2}' | tail -n 1
PID=$BOUND_PID

Just ADD

if [ “$PORT” == “80” -o “$PORT” == “443” -o “$PORT” == “22” -o “$PORT” == “2443” ]; then
BOUND_PID=netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$4" "$7}' | grep -w :$PORT | awk '{print$2}' | tail -n 1
PID=$BOUND_PID
else

and after the existing BOUND_PID and PID add the fi of the if. So you should have now :

if [ “$PORT” == “80” -o “$PORT” == “443” -o “$PORT” == “22” -o “$PORT” == “2443” ]; then
BOUND_PID=netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$4" "$7}' | grep -w :$PORT | awk '{print$2}' | tail -n 1
PID=$BOUND_PID
else
BOUND_PID=netstat -napl | grep LISTEN | grep -v unix | tr ':' ' ' | tr '/' ' ' | awk '{print":"$5" "$9}' | grep -w :$PORT | awk '{print$2}' | tail -n 1
PID=$BOUND_PID
fi

Like this it works fine.

You may also add a rule for iworx-web. If some of you need it, ask me and I’ll give you

Pascal

  • The best is to secure /tmp (create a /tmp partition with noexec, nosuid)
  • Secure wget . chmod it to 700

Pascal what is the best way for secure tmp ?
How change wget to 700 ?

And http://www.r-fx.org/nsiv.php can write complete how too please? : )

I try make run tiem ago but have lot of troubles.

I apreciate more info.

Thanks

Hello

About /tmp it’s depending if /tmp is a partition or a directory. If it is a directory you have to change it as a partition

To change wget to 700 do, from root, via ssh :

which wget

it should return something like
/usr/bin/wget

then do
chmod 700 /the/path/of/wget (generaly /usr/bin/wget)

To change your directory tmp to a mountable partition there is few ways, but if you are not familiar with this, I do not think it’s a good option. Maybe ask to a sys admin.
You might have a look here http://www.eth0.us/tmp but BE CAREFFUL you DO THAT AT YOUR OWN RISK

Hope it helps

Pascal

To change wget to 700 do, from root, via ssh :

which wget

it should return something like
/usr/bin/wget

then do
chmod 700 /the/path/of/wget (generaly /usr/bin/wget)

I know on the NEXCESS.NET side of things that they chmod 750 a bunch of scripts (ftp, wget, lynx, links, curl) and setup a group for each binary (i.e. a wget, curl, lynx etc group) and then for each user who needs access to a given binary they are added to that group. They go as far as chmod’ing perl, php, python, ruby etc 750 as well. Given the massive amount of bots looking for holes it saves many a headache for the admin.

Chris

I know on the NEXCESS.NET side of things that they chmod 750 a bunch of scripts (ftp, wget, lynx, links, curl) and setup a group for each binary (i.e. a wget, curl, lynx etc group) and then for each user who needs access to a given binary they are added to that group. They go as far as chmod’ing perl, php, python, ruby etc 750 as well. Given the massive amount of bots looking for holes it saves many a headache for the admin.

You mean you add the user to that group ? right ?

Because on an interworx box we can’t change the group of files owned by a siteworx account. I think the quota use the group set on files and not the user.

I tell this because if we set the main group of user TOTO, for example to ALLOW or whatever, then all the files created for this user would take a default TOTO.ALLOW owner ? right ? and in this case the quota should not work.

If I understand well you mean you do something like

USERMOD -a -G ALLOW (where ALLOW is the group)

Is it right ?

Pascal

Yes, add user to group Pascal.

Chris

Well it is very simple

1 - Log into your server as root via SSH

Do this
wget http://www.r-fx.ca/downloads/nsiv-current.tar.gz

then
tar -xzf nsiv-current.tar.gz

then
cd nsiv-0.3

then
./install.sh

That it for the installation? Install.sh install everything automaticly (it also creates a cronjob in /etc/cron.d/)

You now just have to configure nsiv

do
vi /usr/local/nsiv/conf.nsiv

just add your email

And that’s all. QUITE EASY

For information rules are in /usr/local/nsiv/rules/
you can edit /usr/local/nsiv/rules/httpd for example

But the default rule should work

To test it just do nsiv -so

If you have pbm check that netstat -anpl returns
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 31757/httpd

and not
tcp 0 0 ::::80 ::::* LISTEN 31757/httpd

If it returns the ::::80 then you have to apply my hack above

Hope it helps

Pascal

You may also add a rule for iworx-web. If some of you need it, ask me and I’ll give you
Hi… can you please give me it ?.. thanks

Do you have an how-to for mod-security on CentOS4.4 (x64) and iworx 2.1.3 ?

Thank you in advance

Paulo

when runing nsiv -so, i get the output bellow … is this normal?
Thanks

NSIV version 0.3 <nsiv@r-fx.org>
Copyright © 2004, R-fx Networks <proj@r-fx.org>
Copyright © 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
{chk.httpd} /usr/sbin/httpd inode verified on port 80

Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
{chk.httpd_ssl} /usr/sbin/httpd inode verified on port 443

{chk.named} bin value is null, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ

error encountered in rule /usr/local/nsiv/rules/ocwhttpd
{chk.proftpd} flagged for skip or module does not apply to system, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ

error encountered in rule /usr/local/nsiv/rules/sendmail
{chk.sshd} flagged for skip or module does not apply to system, skipping.
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ
Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ

Hi

Just set up the good rules :wink:

You doin’t need ocwhttpd for example

About the “Warning: bad syntax, perhaps a bogus ‘-’? See /usr/share/doc/procps-3.2.3/FAQ” it is because the script does a ps -axu for example rahter than a ps axu (without the - ) but it is safe and not block it, it’s just an information message !

Pascal

Hi Pascal,

Can you post the iworx-web rule ? Thanks

Sometimes i’m getting this warning:
[…]
Inode audit of /usr/sbin/httpd failed during routine checksum. The inode mismatch was as follows:

  • expected results:
    socket port : 443
    binary path : /usr/sbin/httpd
    binary inode: 11606338

  • returned results:
    binary path :
    binary inode: 11606315

The invalid inode in question (11606315) can be located using the command:
find / -inum 11606315
[…]

for ports 443 and 80 … is this normal ?

Thanks again

Regards