Web Hosting Talk

What have you banned???


AH-Tina
02-06-2002, 11:17 AM
I'm trying to compile a list of programs that have been known to cause security problems, server resource hogging problems or suspicious spammer activity. etc.

I just found out that older versions of vBulletin have a security leak that allowed a cracker to gain root access to one of my servers. We've since patched it and scanned for all the old copies of vBulletin, but I'd like to know what else to look out for.

So far, I have vBulletin, phpNUKE and a couple of other message boards. I read here, a few weeks ago, about certain spamming software - but I can't find that post now. What else should we look for??


--Tina

allan
02-06-2002, 12:20 PM
Tina -- are you talking about obvious stuff like eggdrops? Or are you more interested in common programs with known security holes?

AH-Tina
02-06-2002, 12:31 PM
I'm interested in anything that has the potential to bring down a server. Like known security risks, known resource hogs, known spammer tools, etc.

--Tina

zupanm
02-06-2002, 01:03 PM
I think you are looking at it all the wrong way. I mean there are ways to code a cgi script to bring down a server. I think it's more about securing your server and taking the steps to stop bad scripts from hogging all your resources instead of doing it your way. Hell.. I can code a simple cgi script to fork processes in a while loop to bring down a server.

AH-Tina
02-06-2002, 01:12 PM
You're not understanding what I mean.

We already have measures in place that monitor the servers for problems...like an account that suddenly starts using too many resources, etc.

I'm looking at preventing problems BEFORE they occur. If someone has an older version of formmail.pl sitting on the server...I want to know about it. I don't want to wait until my pager goes off, because some spammer has tried to send 5,000,000 emails out, before I tell them to upgrade.

I'm creating a script that will scan through all my servers, once a day, and look for known problematic programs.

--Tina

fishface
02-06-2002, 02:33 PM
Likewise Tina,

Could do with a program that actually picks up on any rogue cgi scripts on the server, such as the loop script above.

cperciva
02-06-2002, 02:49 PM
Originally posted by zupanm
Hell.. I can code a simple cgi script to fork processes in a while loop to bring down a server.

Not if the server is set up properly. `man 5 login.conf | grep maxproc`.
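
As an added illustration of the maxproc control cperciva points at (this is not code from the thread or from any poster), here is a small audit helper for login.conf(5): given a class name it reports the effective maxproc cap, following the tc= inheritance login.conf uses, so an admin can confirm that the class customers actually land in is capped. The login.conf excerpt inside it is constructed for the demo; the class layout and cap names are the standard login.conf ones, and the class names (default, staff, customers) are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: an audit helper that reports the
# effective maxproc cap of a FreeBSD login.conf(5) class, following tc=
# inheritance the way login.conf does. The sample login.conf below is
# constructed for the demo; class and cap names are the real login.conf ones.

# Write a constructed login.conf excerpt to a temp file and print its path.
write_sample_login_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed login.conf excerpt (not a real host's file)
default:\
	:maxproc=64:\
	:openfiles=256:\
	:umask=022:
staff:\
	:maxproc=256:\
	:tc=default:
customers:\
	:openfiles=128:\
	:tc=default:
EOF
    printf '%s\n' "$f"
}

# login_conf_maxproc FILE CLASS -> prints the maxproc value, or "unset" when
# neither the class nor anything it inherits from via tc= sets one.
login_conf_maxproc() {
    awk -v want="$2" '
        # Walk the tc= chain (bounded, in case of a loop) looking for maxproc.
        function resolve(c,   k) {
            for (k = 0; c != "" && k < 10; k++) {
                if ((c, "maxproc") in cap) return cap[c, "maxproc"]
                c = ((c, "tc") in cap) ? cap[c, "tc"] : ""
            }
            return "unset"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # A trailing backslash continues the record on the next line.
            if (line ~ /\\$/) { sub(/\\$/, "", line); rec = rec line; next }
            rec = rec line
            n = split(rec, f, ":")               # f[1] is "name|alias|..."
            m = split(f[1], names, "|")
            for (j = 2; j <= n; j++) {
                eq = index(f[j], "=")
                if (eq == 0) continue            # boolean caps like ignoretime@
                key = substr(f[j], 1, eq - 1)
                val = substr(f[j], eq + 1)
                for (i = 1; i <= m; i++) cap[names[i], key] = val
            }
            rec = ""
        }
        END { print resolve(want) }
    ' "$1"
}

# Stand-alone run: show the cap for each class in the constructed file.
demo_login_conf() {
    f=$(write_sample_login_conf)
    for c in default staff customers nosuchclass; do
        printf '%s: %s\n' "$c" "$(login_conf_maxproc "$f" "$c")"
    done
    rm -f "$f"
}

case "${1-}" in demo) demo_login_conf ;; esac
```

Run it as `sh maxproc-audit.sh demo` to see each class resolved (customers inherits 64 from default through tc=). On a real host, point login_conf_maxproc at /etc/login.conf; after editing that file the database has to be rebuilt with `cap_mkdb /etc/login.conf` before the new caps apply, and an "unset" result for a customer class means that class sets no cap at all, so only the system default limits the user.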

universal2001
02-06-2002, 03:00 PM
Ban all BNCs. A user on one of our servers set up a BNC (irc), and within days it was DoSed. Was doing 50 mb/s..

Wasn't a good sight..

Jedito
02-06-2002, 03:12 PM
This is a list of some banned scripts:
UBB (all versions)
Ikonboard (Non Mysql version)
YaBB (Perl/CGI Version)
Any IRC related software
Proxy Servers
nph-proxy
The Anonymizer

priyadi
02-06-2002, 03:13 PM
I agree IRC bots and bncs usually invite more attackers :angry: . To prevent them from functioning properly, block outgoing connections to ports 6000-7000 (that catches 99% of IRC ports) and kill long running processes owned by users (but you might not do this if your policy allows user daemon processes).
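
The two controls priyadi describes, as an added example that is not code from the thread or from any poster: long_running() flags processes owned by ordinary users that have been alive longer than a threshold (the "kill long running processes" check, in report-only form, since whether to kill is the policy question he raises), and irc_egress_rules() prints the firewall lines that block outbound TCP 6000-7000 rather than applying them. The process listing is constructed; the list of system accounts to skip is an assumption to adjust per host, and the live variant assumes a Linux procps `ps` that understands etimes.

```shell
#!/bin/sh
# Added example, not code from the thread: report-only versions of the two
# controls described above. The ps listing is constructed; the live run uses
# `ps -eo user,etimes,pid,comm` (procps etimes = elapsed seconds).

# Accounts whose daemons are expected to run forever; adjust per host (assumed).
SYSTEM_USERS="root daemon www nobody"

# Constructed listing in `ps -eo user,etimes,pid,comm` layout.
SAMPLE_PS='USER     ELAPSED   PID COMMAND
root      86400     1 init
root       7200   611 sshd
www       99999   800 httpd
alice        45  2004 httpd
bob       90000  2311 eggdrop
carol      3700  2402 perl'

# long_running SECONDS < ps-output -> "pid<TAB>user<TAB>elapsed<TAB>command"
# for every non-system process older than SECONDS.
long_running() {
    awk -v t="$1" -v sys="$SYSTEM_USERS" '
        BEGIN { n = split(sys, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        NR == 1 { next }                 # header line
        ($1 in skip) { next }            # leave system daemons alone
        $2 + 0 > t + 0 { printf "%s\t%s\t%s\t%s\n", $3, $1, $2, $4 }
    '
}

# Live variant for a Linux host (procps): report, do not kill.
report_live() {
    ps -eo user,etimes,pid,comm | long_running "${1:-3600}"
}

# Firewall lines for the "block outgoing 6000-7000" part, printed rather than
# applied (applying them needs root and a check of what else uses that range).
irc_egress_rules() {
    printf '%s\n' \
        'iptables -A OUTPUT -p tcp --dport 6000:7000 -j REJECT' \
        'ipfw add deny tcp from any to any 6000-7000 out'
}

demo_long_running() {
    printf '%s\n' "$SAMPLE_PS" | long_running 3600
    irc_egress_rules
}

case "${1-}" in demo) demo_long_running ;; esac
```

With the constructed listing and a one-hour threshold the report names bob's eggdrop and carol's perl process and leaves alice's short-lived httpd and the system daemons alone; the live variant is what a cron job would run, and the admin decides from the report whether a kill follows.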

DigitalXWeb
02-06-2002, 03:24 PM
I agree with the list posted above, we ban all of those as well on our shared servers. As for form mail problems, we handle this by providing a basic script library for accounts that have cgi access, and we make sure that the scripts in there are current and patched. This is not to say they won't go out and install something else, but more than likely the commonly used scripts that we provide to them will normally be the ones they use.

AH-Tina
02-06-2002, 03:54 PM
Originally posted by Jedito
This is a list of some banned scripts:
UBB (all versions)
Ikonboard (Non Mysql version)
YaBB (Perl/CGI Version)
Any IRC related software
Proxy Servers
nph-proxy
The Anonymizer


What programs should I look for? Filenames, etc?

--Tina

AH-Tina
02-06-2002, 03:55 PM
Originally posted by priyadi
I agree IRC bots and bncs usually invite more attackers :angry: . To prevent them from functioning properly, block outgoing connections to ports 6000-7000 (that catches 99% of IRC ports) and kill long running processes owned by users (but you might not do this if your policy allows user daemon processes).


Thanks. I'm not really talking about server security issues. Those are all under control.

What I'm looking for is SPECIFIC software that could pose problems. Such as, formmail.pl, etc.

--Tina

AH-Tina
02-06-2002, 03:59 PM
Originally posted by DigitalXWeb
I agree with the list posted above, we ban all of those as well on our shared servers. As for form mail problems, we handle this by providing a basic script library for accounts that have cgi access, and we make sure that the scripts in there are current and patched. This is not to say they won't go out and install something else, but more than likely the commonly used scripts that we provide to them will normally be the ones they use.


Yeah, we do too. Like you said though - users still install their own formmail. We're going to start scanning the servers for those (spam risk), yabb (resource risk), older versions of vBulletin (security risk), etc.

BTW - What is that software, mentioned here a couple of weeks ago, that spammers are using to send massive amounts of email out with? Someone had a link to the website - where they even talk about buying a cheap hosting account...because then you aren't out very much money when they cancel you.

--Tina

mdrussell
02-06-2002, 04:11 PM
An unusual one, but I'll list it anyway - RogerWilco! (It's gaming comms software - http://www.rogerwilco.com)

A client installed it on a server (without asking) and it didn't go down too well at all - server loads rose from ~0.25 to ~2.00. Needless to say we removed it very quickly, and informed the client... :)

Jedito
02-06-2002, 04:19 PM
YaBB.cgi
ikonboard.cgi
ultimatebb.cgi
nph-proxy.cgi
http://www.proxys4all.com/tools.shtml (there you'll find some proxys script)
There are a lot of IRC bots and eggdrops, I can't give you a real list because they often change the names of the files.

The Prohacker
02-06-2002, 05:59 PM
Originally posted by Jedito
YaBB.cgi
ikonboard.cgi
ultimatebb.cgi
nph-proxy.cgi
http://www.proxys4all.com/tools.shtml (there you'll find some proxys script)
There are a lot of IRC bots and eggdrops, I can't give you a real list because they often change the names of the files.


Add to that:
lstmrge.cgi

^^That's the big spam one...

cyansmoker
02-06-2002, 06:24 PM
Yeah,
lstmrge.cgi is the program of choice for spammers.

Actually, 100% of the spammers we got were using this script!

Also, IRC related:
eggdrop (that's a prog. name as well!)
mutt -> IRC bouncer, you're almost guaranteed to be DOS'd with this one.

-Chris.

The Prohacker
02-06-2002, 06:55 PM
Also:
UBB5:: Ultimate.cgi
UBB6:: ultimatebb.cgi

cperciva
02-06-2002, 07:04 PM
Originally posted by cyansmoker
mutt -> IRC bouncer, you're almost guaranteed to be DOS'd with this one.

mutt is also a MUA (and a rather good one at that), so please don't ban *anything* with that name.

jstout
02-06-2002, 08:17 PM
Affordablehost, I applaud you in your proactive approach for security. However, I think you're fighting a losing battle. Exploits for common web-based software are released on a daily basis. I would imagine it would be impossible to constantly keep updated. Subscribe to the bugtraq and vulndev mailing lists at securityfocus.com and take a look at how often exploits are released. Keeping lists of exploitable software seems a daunting task to say the least.

What I would recommend:

Block all incoming ports except 80, 443 and possibly 22, and 21. Require customers to fill out a request form to have ports opened. Keep track of the software they're using and regularly check for new exploits.

If possible and reasonable for your business, restrict shell access. This way you're somewhat limited to the software they can install.

Subscribe to popular security mailing lists and keep an eye out for new exploits which will allow root access. If an exploit is released, search the box and force users to upgrade.

Run an IDS and keep the signatures updated.

Good luck :-)

AH-Tina
02-06-2002, 08:24 PM
Originally posted by jstout
Affordablehost, I applaud you in your proactive approach for security.

We are well aware of server security issues and take every precaution there. That is not what I am talking about at all.

I am asking SPECIFICALLY about software that users install...either knowingly or unknowingly that have been known to cause server problems. Example: older versions of formmail.pl, YABB, etc.

I'm not asking about how to secure up a server. We have that covered. :D

--Tina

cperciva
02-06-2002, 08:26 PM
Posted by a couple people now
...cgi scripts... allowing a cracker to gain root access to a server.

Um?

WTF?

A cgi script might be insecure, but it should never allow someone to gain *root* access to a server. Unless your server is really, really, utterly *horribly* misconfigured.

Alan - Vox
02-06-2002, 08:44 PM
OK, here's an idea, what about making a freely available script which all hosts can use. We could have a central database system so hosts can add to the list of files that might cause problems and the server could download an updated version of the list every day. I would be happy to do some, if not all of the programming for this.

AH-Tina
02-06-2002, 08:52 PM
Originally posted by SplashHost.com
OK, here's an idea, what about making a freely available script which all hosts can use. We could have a central database system so hosts can add to the list of files that might cause problems and the server could download an updated version of the list every day. I would be happy to do some, if not all of the programming for this.


YES! That would be an excellent idea! I would like to see the software name, file to look out for and reason why a host has banned it (server, security, spammer, etc.).

I would be willing to donate something - space, domain, etc.

--Tina

Ahmad
02-06-2002, 09:17 PM
Originally posted by cperciva


Um?

WTF?

A cgi script might be insecure, but it should never allow someone to gain *root* access to a server. Unless your server is really, really, utterly *horribly* misconfigured.

Yeah, I guess admin privileges to the forum software is what is meant here.

But would that be possible in the case of an exploitable Apache buffer overflow somewhere?

Alan - Vox
02-06-2002, 09:18 PM
Once I get the problems I've been having with my servers lately sorted out I'll be happy to do the programming required for this. However, we would need someone to manage the database, putting a danger level on and categorising the files etc.

DigitalXWeb
02-06-2002, 09:19 PM
This is exactly what I was talking about in my first post, perhaps I did not clarify that, unfortunately we are not able to share the code that does this, as it is copyrighted by a private third party coder (which I have already contacted and pointed him to this thread if he cares to comment or offer the same script).:(
I can tell you how it works though.

Basically it uses MySQL on the backend and PHP on the front. The Provider enters into the DB what scripts / services to check for and the updates to go along with them, this is all done through its own control panel. It then checks for the scripts / services that were entered on each and every hosted site on the server; if a match comes back it automatically grabs the upgraded or patched version and puts it into the site's cgi-bin or service dir., and sends out an email to both the Provider and the Site Admin that an update has been released for that particular script or service and the new updated package is waiting for them in their cgi-bin or service dir. This is done automatically anytime a new entry is added to the DB.

This has proved to be quite handy and useful because patches and upgrades are handed out (per se) in minutes.

We are also currently working on an upgraded version of this that will keep track of the matches and check every 24hrs to see if the patch was installed yet or not and if it reaches 48hrs will do it automatically for them or give them an option where they could have this turned on by default without the waiting period.

If anyone would be able to duplicate these features and possibly more and keep it open source that would be great!! Well except for me since I already paid for the original one we use, but hey that's the cost of doing business :D

Ahmad
02-06-2002, 10:02 PM
DigitalXWeb,

This is interesting, but it still requires a lot of management.

cyansmoker
02-06-2002, 10:09 PM
Originally posted by cperciva


mutt is also a MUA (and a rather good one at that), so please don't ban *anything* with that name.

Man, what was I thinking??

MUH : Irc bouncer, bad.

Mutt : Mail client, good.

Thanks, Cperciva.

DigitalXWeb
02-06-2002, 11:10 PM
Originally posted by Ahmad
DigitalXWeb,

This is interesting, but it still requires a lot of management.

This is true, and we have been looking into automating the original retrieval of security patches / upgrades so they do not have to physically be searched for. But even though this may require a lot of management, it is surely less than trying to repair the damage done by a spammer / hacker, both internal and external wise :)

Synergy
02-06-2002, 11:51 PM
I wonder if my theory would work on security and resource abuse issues...

Well here goes:

Most exploits are done with shell access, so in order to have an ssh account, the user must submit a photocopy of an ID with an address that matches his billing info. Otherwise users can request temporary access, as in having someone else in root to monitor what the user is really doing.

For spam scripts:

Why not just have your admin write a script where it scans the server for known spam software and delete it if found automatically? Set a Cron for such script to scan every 24 hours?

For resource hog programs, I remember that a few months back I ran into a site that claims there is this program that manages cpu load automatically, but I didn't really look at it because it was only in beta (now I can't remember the site url OMG). It claims you can set the max load per process, or such process will be killed immediately.

DigitalXWeb
02-07-2002, 08:50 PM
Making a script just to search for known spam items is a good idea, but what stops them from just renaming the files to something else?
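
An added example, not code from the thread or from any poster, of the daily scan Tina describes and Synergy suggests cron-ing, written so that it also answers the renaming objection above: it walks a tree of customer directories and reports files by the names collected in this thread (formmail.pl, lstmrge.cgi, YaBB.cgi, ikonboard.cgi, ultimatebb.cgi, Ultimate.cgi, nph-proxy.cgi) and, separately, by content hash against a list the host builds from copies it has already pulled off its servers, which a rename does not change. The sample tree, its files and the one hash in the list are constructed for the demo; the hash-list format (sha1, tab, label) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a tree for known problem
# scripts by filename and by content hash, so a renamed copy is still
# reported. The demo tree and its hash list are constructed.

# Filenames named in the thread as spam, resource or security problems.
BAD_NAMES="formmail.pl FormMail.pl lstmrge.cgi YaBB.cgi ikonboard.cgi ultimatebb.cgi Ultimate.cgi nph-proxy.cgi"

# sha1 of a file, using whichever tool the host has.
file_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# scan_tree ROOT HASHFILE -> one "reason<TAB>owner<TAB>path" line per hit.
# HASHFILE lines are "<sha1><TAB><label>" (format assumed here). A hash hit
# catches renamed copies; an edited copy changes its hash, so the list is a
# supplement to symptom monitoring, not a replacement for it.
scan_tree() {
    root=$1; hashfile=$2
    find "$root" -type f \( -name '*.cgi' -o -name '*.pl' -o -name '*.php' \) 2>/dev/null |
    while IFS= read -r path; do
        base=$(basename "$path")
        reason=""
        for n in $BAD_NAMES; do
            if [ "$base" = "$n" ]; then reason="name:$n"; fi
        done
        if [ -z "$reason" ] && [ -s "$hashfile" ]; then
            h=$(file_sha1 "$path")
            label=$(awk -v h="$h" -F '\t' '$1 == h {print $2}' "$hashfile")
            if [ -n "$label" ]; then reason="hash:$label"; fi
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$reason" "$(file_owner "$path")" "$path"
        fi
    done
}

# Build a constructed tree: a script under its usual name, the same script
# renamed, and a harmless script, then scan it.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/cgi-bin" "$tmp/home/bob/cgi-bin"
    printf '#!/usr/bin/perl\n# constructed stand-in for an old formmail\n' \
        > "$tmp/home/alice/cgi-bin/formmail.pl"
    cp "$tmp/home/alice/cgi-bin/formmail.pl" "$tmp/home/bob/cgi-bin/contact.cgi"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$tmp/home/bob/cgi-bin/counter.cgi"
    # The hash list: built from a copy the host already has in hand.
    printf '%s\tformmail-old\n' "$(file_sha1 "$tmp/home/alice/cgi-bin/formmail.pl")" \
        > "$tmp/bad-hashes.txt"
    scan_tree "$tmp/home" "$tmp/bad-hashes.txt"
    rm -rf "$tmp"
}

case "${1-}" in demo) demo_scan ;; esac
```

`sh scan-banned.sh demo` reports alice's formmail.pl by name and bob's renamed contact.cgi by hash, and says nothing about counter.cgi. For the once-a-day run Tina and Synergy describe, a cron entry such as `0 4 * * * sh /usr/local/sbin/scan-banned.sh` wrapped to call `scan_tree /home /etc/bad-hashes.txt` and mail the output to the admin is enough; reporting rather than deleting keeps the decision with the host, which matters when a name like mutt turns out to be a mail client.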

reloadnet
02-08-2002, 05:33 AM
That problem is not something we can do anything about, but by knowing the symptoms of the problem we can identify what script/program is causing the problem. Even though we may not know what it is called now we will know how the script works and how to stop it.

Of course this all depends on the quality of the data entry ;)