What permissions would you give a Russian hacker on your server?

When explaining the implications of the privileges given to the user that Apache (httpd) runs as to handle web requests (typically the system user apache, www, or nobody), web designers and even developers usually begin zoning out. These wonderful souls are in the business of making scripts work and serving content quickly with a minimum of fuss. Moreover, they are motivated to make maintaining the sites under their control as easy as possible, more often than not by using a web application as a Content Management System. Thus, it is often expeditious for a person in this role (content provider, application developer) to give more privileges to the Apache user (defined in httpd.conf; hereafter referred to as “apache”), not fewer. When a “permission denied” or “file not found” error can be corrected with a quick relaxation of permissions, this person opts to let 'er rip. If “chmod 777 filename.html” is good, “chmod -R 777 *” is even better! No, it's not.

To drive home the importance of limiting the privileges given to apache, I have started using a new alias for this user: “The Russian Hacker”:

The user that httpd runs as (typically apache, uid 48) is effectively an alias for every visitor who reaches your server through the httpd process. I like to call this the “Russian Hacker user” to emphasize that anyone with access to web content on your server (via HTTP/HTTPS) acts on your system with the privileges of this user. Since web servers are generally open to anyone on the Internet, I chose the most unlikely visitor you'd ever give access to your server as the “user.” Whatever you would allow a Russian Hacker to do on this server, allow the httpd user to do. Conversely, whatever you would NOT want a Russian Hacker to be able to do on your server, deny the httpd user that privilege. Any decision to give apache write or ownership privileges needs to be made with full awareness of this security risk.

This technique has proven quite successful at defeating the “glazed response” and has elicited urgent requests for security audits, guidelines, suggestions for best practices, etc., from those persons in roles generally more concerned with functionality than security. Something about visualizing a Russian Hacker on the other side of Apache, rather than oneself or one's frustrated client, helps get us admins and developers/designers on the same page.

I welcome your feedback on this technique. Corrections, too.


Shortly after writing the above post someone pointed me to an article/forum posting maintaining that I am full of baloney and explaining Why chmod 777 is NOT a security risk. To which I respond: FAIL.

I really cannot believe such a post is allowed to exist. But, then, I guess it does explain Joomla, Mamba, and a host of CMS scripts that live as if chown -R apache:apache $DOCUMENT_ROOT; chmod -R 0777 $DOCUMENT_ROOT is a proper use of the command line.
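Here is the check that follows from the argument above, as an added example (not code from the original post): it lists everything under a document root that the httpd user, or anyone else, could write to, so the leftovers of a “chmod -R 777 *” can be found and reversed. The allow-list file (one path prefix per line) is this example's own convention, for the few directories, such as an upload directory, that genuinely must be writable.

```shell
#!/bin/sh
# Added example, not from the original post: find everything under a document
# root that "The Russian Hacker" (the httpd user, or anyone) could write to,
# i.e. the leftovers of "chmod -R 777 *". An optional allow-list file (one
# path prefix per line; its format is this example's own convention) names the
# few directories that genuinely must be writable, such as an upload directory.

# Print each world-writable file or directory under $1, one path per line,
# unless its path starts with a prefix listed in the allow-list $2.
audit_world_writable() {
    root="$1"
    allow="${2:-/dev/null}"
    find "$root" -perm -o+w \( -type f -o -type d \) -print | while IFS= read -r path; do
        skip=0
        while IFS= read -r prefix; do
            [ -n "$prefix" ] || continue
            case "$path" in "$prefix"*) skip=1 ;; esac
        done < "$allow"
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$path"; fi
    done
}

# Number of findings; the fix for each is "chmod o-w" (and a think about
# why apache needed to write there at all), not another relaxation.
count_world_writable() {
    audit_world_writable "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh audit_docroot.sh /var/www/html [/etc/httpd/writable.allow]
if [ -n "$1" ]; then
    audit_world_writable "$1" "$2"
fi
```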

The Catholic Church (Italy) is giving out donations!

After centuries of receiving donation upon donation the Catholic Church (Italy) recently announced it will begin sending and not merely receiving donations! This glorious news was revealed to a lucky few (perhaps more than a few, though) via e-mail (that’s the Catholic Church for you — always embracing the newest trends, being early adopters of technological advances) which I include, in full (click the toggle to see the headers, minus my email info) for your amazement:


The Catholic Church Italy (http://www.chiesacattolica.it/), would like to notify you that you have been chosen by the board of trustees as one of the final recipients of a cash Grant/Donation for your own personal, educational, and business development. The Church is one of the biggest church built for God in Italy. In the year 1901, they started offering collection for the sole aim of human growth, educational and Community development. In conjunction with the ECOWAS, UNO, and the EU, We are giving out a yearly donation of US$650,000.00 each to 100 lucky recipients each year. These specific

Donations/Grants will be awarded to 100 lucky international recipients worldwide; in different categories for their personal business development.

The objective is to make a notable change in the standard of living of people all around the Universe (From America to Europe, Asia to Africa and all around). Kindly note that you will only be chosen to receive the donation once, which means that subsequent yearly donation will not get to you. Take time and thought in spending the donation wisely on something that will last you a long time.

Based on the random selection exercise of internet websites and millions of supermarket cash invoices worldwide, you were selected among the lucky recipients to receive the award sum of US$650,000.00 as charity donations/aid from the Catholic church Italy, ECOWAS, EU and the UNO in accordance with the enabling act of Parliament. (Note that all beneficiaries email addresses were selected randomly from over 100,000 Internet websites or a shop’s cash invoice around your area in which you might have purchased something from). You are required to contact the Church Executive Secretary below, for qualification documentation and processing of your claims. After contacting the secretary, you will be given your donation pin number, which you will use in collecting the funds. Please endeavour to quote your Qualification numbers +(N-2 2 2-6 6 4 7, E-9 1 0-5 6) in all discussions.

Exec Sec.Rev sister Abrielle Gallo

Email: chiesacattolicaitl@yahoo.it

Please note that the EU, ECOWAS, UNO, strictly administers these donations/Grants. You are by all means hereby advised to keep this whole information confidential until you have been able to collect your donation.

On behalf of God, The Church, ECOWAS, UNO and the EU, accept our warmest congratulations.

May God Bless you with this donation.

M. Paccino


Ok… this is by far the most interesting “Nigerian 419” (advance fee) scam I’ve ever received.

Some things that stand out:

  • The audacity to claim to represent the Catholic Church
  • The idiocy to mis-name the Catholic Church — yes, it’s in Italy, but it’s Roman, dammit!
  • The lunacy that the Catholic Church (of any kind) would donate its windfall … to anyone…
  • That the Sister in charge of the program uses a Yahoo!Italy e-mail address. When did God start preferring Yahoo! over Google?
  • The Catholic Church is making donations for business development. Oh, my! What a change of affairs for the Old Time Religion!
  • The Catholic Church is in league with the EU? Is the Harlot riding the Beast already?
  • The Catholic Church is coordinating with the UN? Perhaps Vatican City is vying for a seat at the Security Council?
  • The Catholic Church Italy is coordinating with … er … ECOWAS (Economic Community Of West African States — yeah, I had to look it up, not being a Nigerian, unlike the sender… oops.)?
  • The Catholic Church is data mining millions of supermarket cash invoices worldwide! Holy Father in Rome! How did they score these receipts? Did Mormon-founded Albertsons work out a deal with the Catholic Church for receipts?

Oy, vey! Inshallah! OMG! $FAITH_BASED_INVECTIVE!, indeed. The Catholic Church Italy in league with the EU, UN and some West African group to give money out based on grocery receipts. Ugh.

And yet… in a few months there will be a story of some poor victim of this scam that will try to make us feel sorry for the greedy idiots who fall prey to this drivel.

“On behalf of God, The Church, ECOWAS, UNO and the EU, accept our warmest congratulations.”

Yeah, yeah… as if that group of entities (and deity) would ever be seen in the same room together!

Aggressive Spam and Zombie blocking via spamhaus.org/drop and IPTables

If there is no end to spam and automated attacks against a server and you do not (or cannot) invest in a high-quality firewall, this technique may offer a respite.

The idea is to pro-actively block all “well-known” malicious net-blocks (according to spamhaus.org’s definition, of course). The source for these net-blocks is the Spamhaus DROP list, which is described as:

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie'
netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of
the SBL designed for use by firewalls and routing equipment.

Spamhaus promises:

 The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned -
 even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled
 by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE,
 APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks
 that have been snatched away from their original owners (which in most cases are long dead corporations)
 and are now controlled by spammers or netblock thieves who resell the space to spammers.

 When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from
 spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

I combine this list with Portsentry (customizing /etc/cron.hourly/portflush and the killroute BASH script) to release and renew these blocks each hour. This is not really necessary, but it’s my way. As an added benefit, however, using Portsentry to block routes will make those routes subject to the portsentry.ignore routes you have configured, which will likely prevent you from blocking yourself or close associates if the DROP list somehow includes your netblock one day!

Here’s the one-liner to grab the DROP list and run it through killroute:

 # Comment lines in the DROP list start with ';'; entries look like "CIDR ; SBLnnnn",
 # so keep lines that start with a digit and take the first space-separated field.
 curl -s http://www.spamhaus.org/drop/drop.lasso | grep '^[0-9]' | cut -f 1 -d ' ' | \
  xargs -I X killroute X "source: spamhaus.org/drop"

This can also be run as “xargs -I X iptables -A INPUT -s X -i eth0 -j DROP” instead, to append the rules directly without going through killroute.

In /etc/cron.hourly/portflush I add the above one-liner before the “exit” statement so that the now-flushed iptables entries are replaced with the (possibly) updated list of net blocks from the DROP list.

A minor edit to portsentry’s killroute (vi `which killroute`) allows a custom “source” comment. Here’s my edited killroute:

 #!/bin/sh
 # killroute: block the address or netblock given as $1. An optional $2 replaces
 # the default log prefix, which is how the "source" comment reaches the log.

 # Pull in IPTOOL and PORTSENTRY_CHAIN ("." works under plain /bin/sh, where
 # bash's "source" does not).
 . /etc/sysconfig/portsentry

 # Make sure we have a target
 if [ "x$1" = "x" ]
 then
        echo "$(basename "$0"):  Error no target specified."
        exit 1
 fi

 if [ "y$2" = "y" ]
 then
        PREFIX="portsentry attack alert"
 else
        PREFIX="$2"
 fi

 # Figure out which firewall tool to run... backwards compat blows chunks.
 case "$(basename "$IPTOOL")" in
        ipchains)
                ipchains -I "$PORTSENTRY_CHAIN" -s "$1" -j DENY -l
                ;;
        iptables)
                # Each -I inserts at the top of the chain, so insert DROP first and
                # LOG second; the LOG rule then sits above DROP and actually fires.
                iptables -I "$PORTSENTRY_CHAIN" -s "$1" -j DROP
                iptables -I "$PORTSENTRY_CHAIN" -s "$1" -j LOG --log-prefix "$PREFIX"
                ;;
        *)
                echo "Unrecognized option.... no action taken against $1"
                exit 1
                ;;
 esac

 exit 0

I also use this technique in conjunction with Mitigating brute-force password attacks with pam_abl to help protect against brute-force password attacks. Fun, fun, fun.
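The one-liner above trusts the DROP list's format blindly and has no safety net of its own beyond portsentry.ignore. The script below is an added example (not the post's code) that parses the same “CIDR ; SBLid” format, rejects malformed lines, skips netblocks listed in an ignore file, and emits the iptables rules. The sample data is constructed (RFC 5737 documentation ranges and made-up SBL ids), and IPTABLES defaults to a dry run.

```shell
#!/bin/sh
# Added example, not the post's own code: turn a Spamhaus DROP-format list
# into iptables rules while honouring an ignore list (the same safety net
# portsentry.ignore gives the killroute approach). Sample data is
# constructed: RFC 5737 documentation ranges and made-up SBL ids.
IPTABLES="${IPTABLES:-echo iptables}"   # dry run; set IPTABLES=iptables to apply
CHAIN="${CHAIN:-INPUT}"

# Constructed input in DROP format: ';' starts a comment, entries are "CIDR ; SBLid".
# The /99 entry is deliberately malformed to show the validation at work.
DROP_SAMPLE='; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
203.0.113.0/99 ; SBL000004'

# Constructed ignore list: netblocks that must never be blocked, one per line.
IGNORE_SAMPLE='198.51.100.0/24'

# Read DROP-format lines on stdin; print each well-formed IPv4 CIDR that is
# not listed in the ignore file $1 (optional). Comments and junk are dropped.
drop_netblocks() {
    ignore="${1:-/dev/null}"
    grep '^[0-9]' | cut -d ' ' -f 1 | while IFS= read -r cidr; do
        # dotted quad with a /0 .. /32 prefix, nothing else
        echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || continue
        # exact-line match against the ignore list, so a /24 does not match a /16
        if grep -qxF "$cidr" "$ignore"; then continue; fi
        printf '%s\n' "$cidr"
    done
}

# Emit (or apply) one DROP rule per netblock. $IPTABLES is deliberately
# unquoted so the dry-run default "echo iptables" splits into two words.
apply_drop_rules() {
    drop_netblocks "$1" | while IFS= read -r cidr; do
        $IPTABLES -I "$CHAIN" -s "$cidr" -j DROP
    done
}

# How many rules a DROP file would add; worth checking before a cron flush.
count_drop_rules() { drop_netblocks "$1" | wc -l | tr -d ' '; }

# Demo on the constructed samples (prints the rules, applies nothing).
ignore_file=$(mktemp)
printf '%s\n' "$IGNORE_SAMPLE" > "$ignore_file"
printf '%s\n' "$DROP_SAMPLE" | apply_drop_rules "$ignore_file"
rm -f "$ignore_file"
```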

How now failed Wow?

I usually ignore spam. Especially spam from computer retailers like CompUSA. However, last week I received an advertisement from CompUSA that proved beyond a shadow of a doubt that Windows Vista sucks.

It is, what, more than 6 months from Vista’s consumer release and a year (sorry, I haven’t followed Windows product announcements since 2001) since the corporate release? Anyway, this operating system has been publicly available for quite some time. In short, it’s way past the Now from whence the Wow commenced.

With that background, CompUSA’s leading promotion in last week’s ad is very telling:

[Image: CompUSA July 4 ad]

Hmmm… a marketing campaign to let people know CompUSA has an OS from 2001 available NOW! Is that really the most exciting thing available in the once-venerated PC world? No wonder Dell is trying to create a buzz around Ubuntu.

Also, no wonder Microsoft is stretching credulity by bending the GPL to its own ends with its patent deals with Novell (distributor of SuSE and Mono), Linspire and Xandros. Microsoft is out of ideas and the public knows it.

Is your site HACKER SAFE?

Ran across a web server the other day that had an active exploit running that allowed unrestricted remote shell access. The exploited vulnerability was in the Horde suite (PHP) of web applications. The Horde team had disclosed the vulnerability and had patched it more than a year ago. However, the exploit had been executed toward the end of May of this year (2007).

I’m being vague as to the web server details because I want to protect the identity of the webserver operators. I believe they thought, based on the claims of the Hacker Safe service they subscribed to, that they were doing everything in their power to prevent hackers from unauthorized access to their server.

When I was administering the server for unrelated reasons I found the exploit running bound to port 80 and owned by the user apache. Thus it was not, yet, a root-level exploit. Nevertheless, seeing a process name “bash” running from /dev/shm is not a heartwarming event. Once I tracked down the vector of compromise (Horde) and verified that it was closed off, I swept the computer for other compromises in play.

One of my searches (for the Turkish Hacker PHP include injection) revealed that the compromised web server subscribed to the HACKER SAFE service by Scan Alert. In fact, Scan Alert was, at the time of my discovery of the compromise, declaring that the server was meeting the highest level of published government standards for security.

Time to revise those published standards, eh, folks?

Or, perhaps, HACKER SAFE is more about a marketing tool than anything about a proactive prevention of compromises and exploited vulnerabilities.

What is the purpose of HACKER SAFE? Is it to reduce instances of compromise or is it to increase sales? Reading the Scan Alert site makes it clear there is a marketing component to their service, which is natural. However, under the menu “Security” the bottom-line service is a test to measure conversion rate increase while using the HACKER SAFE mark:

Placing the HACKER SAFE certification mark on your web site has
been proven to increase visitor-to-sales conversion rates. Our
technology allows customers without in-house data mining tools
to scientifically measure the effects HACKER SAFE certification
has on their business by conducting a sales analysis.
ScanAlert’s sales analysis technology uses an A/B test
methodology in which half of the site’s visitors see a HACKER
SAFE certification mark while the other half (the control group)
do not. Our sales analysis service includes installation support
and real-time graphical reporting.

Hopefully the web server operators with the year-old unpatched vulnerability and the month-and-a-half old active exploit increased their conversion rate with the HACKER SAFE server — they surely didn’t get any security benefit from their subscription. I wonder how the customers would feel knowing that the HACKER SAFE logo meant, basically, nothing more than a marketing ploy.
