Category Archives: Security

Security related news

massive brute force against wp-login.php (wordpress)

So I got a ticket about high load on a server. Checking the logs I see tons of:

POST /wp-login.php HTTP/1.0

and in the access log:
– – [13/Aug/2013:13:35:07 -0400] “POST /wp-login.php HTTP/1.0”

Notice they are all HTTP/1.0 – thanks for making it easy. Dropped with a .htaccess:

RewriteEngine On
# Answer any HTTP/1.0 request for /wp-login.php with 406 Not Acceptable.
# A status outside 300-399 in [R=...] makes mod_rewrite send that status and
# stop processing, so no redirect target is needed (hence the "-").
RewriteCond %{SERVER_PROTOCOL} ^(HTTP/1.0)
RewriteCond %{REQUEST_URI} ^/wp-login.php$
RewriteRule .* - [R=406]
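As an added example (not from the original post), a small shell check that counts HTTP/1.0 POSTs to /wp-login.php per client IP in an Apache access log, so you can see which clients the rule above will answer with 406 and confirm the count drops once it is in place; the log lines are constructed in the combined log format.

```shell
#!/bin/sh
# Added example, not from the original post. Count HTTP/1.0 POSTs to
# /wp-login.php per client IP in an Apache access log, so the clients the
# .htaccess rule will answer with 406 can be seen before and after deployment.

# Constructed sample lines in the combined log format (the post only shows
# the request part). Field layout: IP - - [time zone] "METHOD path proto" ...
SAMPLE_LOG='198.51.100.7 - - [13/Aug/2013:13:35:07 -0400] "POST /wp-login.php HTTP/1.0" 200 3127 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:13:35:08 -0400] "POST /wp-login.php HTTP/1.0" 200 3127 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2013:13:35:09 -0400] "POST /wp-login.php HTTP/1.0" 200 3127 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2013:13:35:10 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Aug/2013:13:35:11 -0400] "GET /wp-login.php HTTP/1.0" 200 3127 "-" "curl/7.29.0"
198.51.100.7 - - [13/Aug/2013:13:35:12 -0400] "POST /wp-login.php HTTP/1.0" 200 3127 "-" "Mozilla/5.0"'

# wp_login_offenders LIMIT: read a log on stdin and print "count ip" for every
# IP with more than LIMIT HTTP/1.0 POSTs to /wp-login.php (the brute-force
# pattern from the post). Fields 6-8 are the quoted request line.
wp_login_offenders() {
    awk -v limit="${1:-2}" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $8 == "HTTP/1.0\"" { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    '
}

# rule_matches: number of log lines the RewriteRule would have answered with
# 406. The rule checks protocol and URI only, so an HTTP/1.0 GET counts too.
rule_matches() {
    grep -c ' /wp-login.php HTTP/1.0"'
}

printf '%s\n' "$SAMPLE_LOG" | wp_login_offenders 2
printf '%s\n' "$SAMPLE_LOG" | rule_matches
```

Feed a real log with `wp_login_offenders 20 < /var/log/httpd/access_log`; a non-zero `rule_matches` after the rule is deployed means the requests are still reaching the vhost log with a 406 status, which is expected.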

The easy way to remove JavaScript inserts (viruses) from PHP, JavaScript (JS) and HTML files using sed.

Does a client site have lots of JavaScript inserted into it? If the inserts are wrapped in comments, you can remove them with sed from a shell over SSH.

I generally see these inserts arrive over FTP, using credentials taken by a client-side password stealer. First, find out where it is coming from (and kindly ask your user to use SCP / SFTP in the future).

Now on to the cleaning, and hopefully my own domain doesn’t get picked up as unsafe by Google.

Here is an example from a previous cleanup:

The client's site got a JavaScript virus. Conveniently, the virus wrapped its insertions in comments containing the marker 4d9f97. HTML, PHP and JavaScript use different comment syntax, but in each case 4d9f97 is commented in around the inserted code. We can use sed and a regex to remove the data between these markers:

Example showing what exactly is happening:

cat index.htm | grep 4d9f97
                    </div><!--4d9f97--><script type="text/javascript" language="javascript">
VIRUS GOES HERE
<!--/4d9f97-->

PHP and JavaScript follow the same pattern, commented as well.

1) backup the file
cp index.htm index.htm.old

2) run the script (sed -i edits the file in place, so there is no need to cat it first)

sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' index.htm

3) compare

diff index.htm index.htm.old 
165c165
<                   </div> 
---
>                   </div><!--4d9f97-->><script type="text/javascript" language="javascript" >                                                                                                                                                      VIRUS                                                                                                                                                      <!--/4d9f97-->

Covers HTML comments and PHP/JS comments, removing the text in between.

Notes:
* Always back up first; I’ve only tested this a few times.
* The normal IFS does not handle file names with spaces in them.
* Change 4d9f97 to whatever your comment markers are.

Full example on an entire directory:

cd /home/username
# back up the whole site before touching anything
tar -zcf public_html.tgz public_html
cd public_html
# split only on newlines so file names with spaces survive the for loop
OIFS=$IFS
IFS="
"
for i in $(grep -lri 4d9f97 .); do sed -i ':a;N;$!ba;s/\(\/\*\|\#\|<!--\)4d9f97\(\*\/\|\#\|-->\).*\(\/\*\/\|\#\/\|<!--\/\)4d9f97\(\*\/\|\#\|-->\)/ /g' "$i"; done
IFS=$OIFS

Credit to InterServer sysadmin Detain for the sed work.
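Added example, not from the original post or its author: the same marker-based cleanup done with awk instead of the sed one-liner. The sed regex's `.*` is greedy, and with the whole file in the pattern space it runs from the first opening marker to the last closing marker, so a file with two inserts loses the legitimate code between them; this version takes each opener only to its nearest closer, handles the three comment styles the post shows, and copes with file names containing spaces. The marker 4d9f97 is the one from the post; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: remove every marker-delimited
# insert from a file. Unlike the sed one-liner's greedy ".*", this takes each
# opener only up to its nearest closer, so two inserts in one file do not
# swallow the legitimate code between them. Marker 4d9f97 is from the post;
# the sample file below is constructed.

# clean_inserts MARKER FILE: print FILE with every insert replaced by a space,
# for the three comment styles the post shows (<!-- -->, /* */ and # #).
clean_inserts() {
    awk -v m="$1" '
        function strip(text, opn, cls,    s, e) {
            while ((s = index(text, opn)) > 0) {
                e = index(substr(text, s + length(opn)), cls)
                if (e == 0) break            # unmatched opener: leave it alone
                text = substr(text, 1, s - 1) " " substr(text, s + length(opn) + e - 1 + length(cls))
            }
            return text
        }
        { body = body $0 "\n" }
        END {
            body = strip(body, "<!--" m "-->", "<!--/" m "-->")
            body = strip(body, "/*" m "*/",    "/*/" m "*/")
            body = strip(body, "#" m "#",      "#/" m "#")
            printf "%s", body
        }' "$2"
}

# clean_tree MARKER DIR: back up and clean every file under DIR that contains
# MARKER. Backups (*.old) are skipped; "IFS= read -r" keeps spaces in names.
clean_tree() {
    find "$2" -type f ! -name '*.old' -exec grep -l "$1" {} + | while IFS= read -r f; do
        cp "$f" "$f.old" && clean_inserts "$1" "$f.old" > "$f"
    done
}

# Constructed demo: two inserts on one line, with real code between them.
WORK=$(mktemp -d)
printf '%s\n' '<div>keep 1</div><!--4d9f97--><script>VIRUS</script><!--/4d9f97-->' \
              '<script>/*4d9f97*/VIRUS/*/4d9f97*/ keep2(); /*4d9f97*/VIRUS/*/4d9f97*/</script>' \
              '<?php #4d9f97# eval(VIRUS); #/4d9f97# keep3(); ?>' > "$WORK/index with space.htm"
clean_tree 4d9f97 "$WORK"
cat "$WORK/index with space.htm"
```

Run `diff "$f.old" "$f"` on each file afterwards, as in step 3 of the post, before deleting the backups.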

CVE-2010-3856

A new glibc exploit has been disclosed under CVE-2010-3856. Unlike the last glibc exploit a few days ago, you do not get direct root access, but you can create files/dirs in root-owned paths. I expect an update from RedHat within the next 24 – 48 hours.

I released a glibc update for the last glibc issue in a testing repo. It looks like I will be keeping the testing repo for some time. Here is how to get the latest glibc update (a copy of my previous post):

Run /admin/updatefromtesting; there are glibc updates for CentOS 5.

You can get this by running

/admin/upscripts

If you do not have the admin scripts run

rsync -a rsync://mirror.trouble-free.net/admin /admin

Before use, you will need to run either

ln -s /admin/testing.repo /etc/yum.repos.d/testing.repo

or

cp /admin/testing.repo /etc/yum.repos.d/testing.repo

Then run

/admin/updatefromtesting

This repo is not enabled by default, so what is really happening is that yum is being called as yum --enablerepo=tf-testing update

The testing repo will stay around for a bit longer. If you are a current InterServer customer please contact support.

I have tested this update on multiple i386 and x86_64 systems and it has seemed stable. However, using the testing repo is not an official update from RedHat or CentOS.

The repo, including srpm, is at http://mirror.trouble-free.net/tf/testing/5.5/

CVE-2010-3847

There is a new Linux root exploit through glibc, CVE-2010-3847. This exploit can be used to gain root access by a “local user”. Of course, in the web hosting industry a local user can be an exploitable script, a customer, a PHP or CGI shell, and so on. Affected are RHEL and CentOS 5.

No glibc update has been released yet by RedHat.

I have released a new admin script and a testing repo on the InterServer yum repo. The admin script is /admin/updatefromtesting and there are glibc updates for CentOS 5.

You can get this by running

/admin/upscripts

If you do not have the admin scripts run

rsync -a rsync://mirror.trouble-free.net/admin /admin

Before use, you will need to run either

ln -s /admin/testing.repo /etc/yum.repos.d/testing.repo

or

cp /admin/testing.repo /etc/yum.repos.d/testing.repo

Then run

/admin/updatefromtesting

This repo is not enabled by default, so what is really happening is that yum is being called as yum --enablerepo=tf-testing update

Future updates will not use this repo. In fact, I do not plan on keeping the testing repo – we will see.

I expect the glibc update from RedHat to apply over the testing repo. However, this is glibc, so use at your own risk. If you are an InterServer customer, contact support for help with this update.

I have tested the update on multiple servers and have built it for i386 and x86_64.

The repo, including srpm, is at http://mirror.trouble-free.net/tf/testing/5.5/