
View Full Version : Insecure =/
clocker1996 07-11-2002, 12:11 AM Why do hosting companies leave open holes like this?
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
Protocol mismatch.
Connection closed by foreign host.
Cogentco.com also runs 3.0 (openssh)
I just don't understand why so many hosting companies are so slow on fixing their security. I mean..
If I was looking for shared hosting, I for one would not want to be hosted with a company that is running old daemons that have vulnerabilities in them, ya know?
Am I the only one who feels this way, I mean really......
The Prohacker 07-11-2002, 12:15 AM hahah...
Damn... I always spend the first 3 days we have a server on updating...
There really is no excuse not to upgrade your servers anymore.. Hell even RPMs are available for upgrade if you need it....
I even spent the time to update a RaQ2, everything on it :D
clocker1996 07-11-2002, 12:18 AM I mean, what are these companies going to do when someone comes along and compromises their servers??
I think it's sad.
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>.
Escape character is '^]'.
SSH-1.5-OpenSSH_3.1p1
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
[root@sandton root]# telnet <edit> 22
Trying <edit>...
Connected to <edit>.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
Protocol mismatch.
[root@sandton root]# telnet <edit> 22
Trying <edit> ...
Connected to <edit>.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.9p2
And the list goes on and on, I won't try to embarrass too many companies
I just think that if a company can't keep up to date with security, they shouldn't jeopardize other people's data.
I certainly would only choose hosts that keep good security.
Openssh2.9p2 comes prepackaged with RedHat 7.2. Expecting people to know how to compile new versions of Opensshd is simply too demanding...
clocker1996 07-11-2002, 12:27 AM Originally posted by toro
Openssh2.9p2 comes prepackaged with RedHat 7.2. Expecting people to know how to compile new versions of Opensshd is simply too demanding...
Yeah, I know what you mean. Especially those people who just got online last week and are already web hosts. I can understand how they wouldn't know a DAMN thing about security.
Everybody is a web host nowadays :)
What worries me even more is those HUGE web hosting companies like mchost
it would be a shame if someone were to compromise their systems and erase all data including back ups.
I hope this thread will convince some people to start upgrading. I mean come on guys. You guys were supposed to upgrade weeks ago. What's going on? Really
just my 0.02
The Prohacker 07-11-2002, 12:30 AM Hahahahha.. So....
They are running RedHat.... And prolly a panel, and they can't install 3 freaking rpms?????
Now that worries me :D
clocker1996 07-11-2002, 12:32 AM hacker PM
bacid 07-11-2002, 12:38 AM Originally posted by toro
Openssh2.9p2 comes prepackaged with RedHat 7.2. Expecting people to know how to compile new versions of Opensshd is simply too demanding...
I hope you are being sarcastic.
I really do.....
clocker1996 07-11-2002, 12:39 AM Originally posted by bacid
I hope you are being sarcastic.
I really do.....
Sarcasm? Of course not. He's telling the truth :)
Besides, what do you know? You're just a junior guru wannabe!!
lol just kidding
cperciva 07-11-2002, 12:56 AM Err... why does OpenSSH 2.9 need to be updated?
The recently announced issue only dealt with versions 2.99 - 3.3.
(Thanks Theo!)
alchiba 07-11-2002, 01:02 AM You can't necessarily tell by the version number alone. Granted upgrading is better, but the security hole is easily plugged with a couple of edits to sshd_config or by re-compiling the current version with the available code patches.
There are a total of three security holes variously affecting versions 2.3.1 through 3.3.
Andrew 07-11-2002, 01:05 AM As long as PAMAuthenticationViaKbdInt isn't enabled in the config file, 3.1p1 shouldn't be vulnerable. Not that I'm against upgrading. As long as cpanel doesn't decide to like kick it back to the old version the next day...lol
<edit> that's on a redhat 7.2</edit>
The Prohacker 07-11-2002, 01:23 AM And that's why you don't let Cpanel auto update :D
cperciva 07-11-2002, 01:27 AM Originally posted by alchiba
There are a total of three security holes variously affecting versions 2.3.1 through 3.3.
Yes, but some of those were already patched. The openssh 2.9p2 which FreeBSD uses is unaffected by these problems (which is why people were so annoyed with Theo for advising them to move to 3.3 -- which *was* affected).
Andrew 07-11-2002, 01:29 AM Originally posted by The Prohacker
And that's why you don't let Cpanel auto update :D
I'd had my first server about 10 minutes before I disabled that...:D
Of course, I trust it about as much as I trust Real Player...
Techark 07-11-2002, 01:29 AM I believe if you go here http://rhn.redhat.com/errata/RHSA-2002-127.html you will see that 3.1p1 is the correct version that is recommended by Red Hat and they have updated the RPM files to include the security patches for the exploit, but the version number when checking thru shell still shows the same. I know I updated last week and I just checked and it still shows the same.
Andrew 07-11-2002, 01:33 AM Originally posted by Monte
I believe if you go here http://rhn.redhat.com/errata/RHSA-2002-127.html you will see that 3.1p1 is the correct version that is recommended by Red Hat and they have updated the RPM files to include the security patches for the exploit, but the version number when checking thru shell still shows the same. I know I updated last week and I just checked and it still shows the same.
Thank you...makes me feel better. I was sure I installed an upgrade before. I thought I was going nuts there for a minute. Ok, Nick...you're off the hook...:p
The Prohacker 07-11-2002, 01:34 AM Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....
Let's see who tries :D
Andrew 07-11-2002, 01:42 AM Originally posted by The Prohacker
Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....
Let's see who tries :D
LOL Gobbles is comin for ya...
MCHost-Marc 07-11-2002, 01:49 AM Originally posted by clocker1996
What worries me even more is those HUGE web hosting companies like mchost
...
I hope this thread will convince some people to start upgrading. I mean come on guys. You guys were supposed to upgrade weeks ago. What's going on? Really
We upgraded all servers about 2 weeks ago, you should definitely do that. There are lots of people just scanning random IP ranges to find exploits.
Tim Greer 07-11-2002, 03:00 AM Originally posted by The Prohacker
Just for the hell of it, I changed one of my servers to say 3.1p1 when it's really 3.4....
Let's see who tries :D
Tell me, out of your comments, how security conscious do you deem yourself to be in regards to all things being Internet related? That's to say, how you handle your data, accounts, web space, web forum memberships and the like? Do you suppose you have a pretty solid idea? I'm simply curious is all.
The Prohacker 07-11-2002, 03:26 AM Originally posted by Tim_Greer
Tell me, out of your comments, how security conscious do you deem yourself to be in regards to all things being Internet related? That's to say, how you handle your data, accounts, web space, web forum memberships and the like? Do you suppose you have a pretty solid idea? I'm simply curious is all.
I don't do it professionally... I try to keep my boxes as secure as possible, but I'm not anal retentive, like keep the hard drives encrypted, only allow certain IPs to ssh....
On most servers, we do things like change ssh ports, require an ssh key for logging in as root.... Stuff like that..
My forum accounts are pretty lax, I use a lot of the same passwords, but not always... forum memberships aren't a top priority to me...
For data, I have an encrypted partition on my hdd, for keeping secure stuff like names, phone numbers, stuff I don't want giving out about other people, just in case... I'm really not that careful with my home computer... I still run Win2k Pro sp1, but no IIS :D
I used to be really on top of all the latest holes that come out and everything.. But I'm a little more laid back now... I don't patch the hour a hole comes out, but I don't wait a week :D
And when it comes to my programming, I try to be security conscious, but, I really don't abide by all the good secure ways to do things... To a point I do...
But in the past years, I've learned life is too damn short to always worry about who can attack you :D
An example, I didn't know RH was releasing a patched 3.1p1....Learn something new all the time..
clockwork 07-11-2002, 04:32 AM Most of these companies simply do not have time, nor trained staff to keep up with this.
If you want decent security, you're going to need to hire full time staff for it.
Not to mention set restrictions (lots of them) on customers, and will they like that? No.
How many of you allow shell access? Might want to look into local security too, much easier to have a system cracked internally.
Oh.. and do you keep track of customers passwords or who they give them to?
Blah, blah, blah.
The Prohacker 07-11-2002, 11:06 AM Originally posted by clockwork
Most of these companies simply do not have time, nor trained staff to keep up with this.
If you want decent security, you're going to need to hire full time staff for it.
And do you think that's a good excuse?? Think customers will like it when they lose data??
Not to mention set restrictions (lots of them) on customers, and will they like that? No.
What would you think they'd hate most, restrictions or losing their site?????
How many of you allow shell access? Might want to look into local security too, much easier to have a system cracked internally.
Oh.. and do you keep track of customers passwords or who they give them to?
Blah, blah, blah.
Shell isn't a big security hole, if you have a semi-secure mind set, you'd know to update things... Hell most local attacks don't come from shell, but from apache since it runs as nobody....
clockwork 07-11-2002, 11:19 AM It's not an excuse, it's real life. (Welcome to it!)
Customers hate restrictions.
How many of you here don't offer normal FTP access, raise your hand. (As opposed to scp/sftp)
Ok, I was with you until your last comment about most attacks coming from apache... uhhh?
Elaborate on that for me..
clockwork 07-11-2002, 11:24 AM If you don't think your customers are a threat, think again.
Anyone want to set me up with a server in their data center and show you what can be done?
Don't think it doesn't happen either.
Skeptical 07-11-2002, 11:25 AM Yeeehaaa... I don't know how to insall windoz yet but I host websites! I know lots about security. I lock my servers up in my closet real good.
Hehe good luck breaking into my SSH-1.99-OpenSSH_2.9p2. I run only telnet. And it's the 1993 version so there are no new hacks against it since nobody has it any mo'.
The Prohacker 07-11-2002, 12:46 PM Originally posted by clockwork
It's not an excuse, it's real life. (Welcome to it!)
Customers hate restrictions.
How many of you here don't offer normal FTP access, raise your hand. (As opposed to scp/sftp)
Ok, I was with you until your last comment about most attacks coming from apache... uhhh?
Elaborate on that for me..
Hate to tell you, I do live in real life...
Customers really don't mind restrictions, as long as you explain it to them, 98% are more than understanding, the other two usually just need a little bit of guidance...
On my apache comment, most people will upload a script and call it from the web, so it runs as nobody... Most attacks are major system compromises, they are deleting another user's files because they have the files CHMOD'd 777, or something along those lines...
Running the attacking script via Apache would make it a little harder to track the person down, if they did it via shell it would be simple....
Originally posted by clockwork
If you don't think your customers are a threat, think again.
Anyone want to set me up with a server in their data center and show you what can be done?
Don't think it doesn't happen either.
Of course they are threats, I never said they weren't....
I think you seriously need to check your attitude...
ToastyX 07-11-2002, 10:32 PM Many "hosting companies" here barely know how to use the control panel and don't really know how things work, and then they sell reseller accounts and even more "hosting companies" form that know even less about how things work. Some hosting companies have their own Linux servers and don't even know how to copy a file in Linux, much less upgrade software.
As for SSH-1.99-OpenSSH_3.1p1, it's possible they've turned off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt like I have or have it patched, but then again...who knows.
clocker1996 07-11-2002, 10:47 PM Originally posted by ToastyX
Many "hosting companies" here barely know how to use the control panel and don't really know how things work, and then they sell reseller accounts and even more "hosting companies" form that know even less about how things work. Some hosting companies have their own Linux servers and don't even know how to copy a file in Linux, much less upgrade software.
As for SSH-1.99-OpenSSH_3.1p1, it's possible they've turned off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt like I have or have it patched, but then again...who knows.
its the sad truth
ScottD 07-11-2002, 10:58 PM I think you guys may read too deeply into what you see. Just because someone is running versions of software that have vulnerabilities, it does not mean they are vulnerable. Not in the least.
SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
That's me, I'm secure.
I find it ironic that you are attacking hosts for being potentially insecure, when you really don't even understand the vulnerability points. That's scary.
Sorry to be so blunt.
alchiba 07-11-2002, 11:13 PM Originally posted by DizixCom
I find it ironic that you are attacking hosts for being potentially insecure, when you really don't even understand the vulnerability points. That's scary.
Sorry to be so blunt.
Amen.
Don't apologize.
Jedito 07-12-2002, 02:47 AM I don't know if you really care about it, but just to let you know I upgraded SSH on that box a long time ago, for some reason it still shows the old version, to be honest, I don't know why.
Indeed, just to be sure, I did it again to 3.4p1, but it still shows 3.1p1.
And I will really appreciate it if you remove downtownhost.com from your first post, it makes us look bad, when you don't really know about it.
Jedito 07-12-2002, 04:07 AM Originally posted by clocker1996
And the list goes on and on, I won't try to embarrass too many companies
Yes, you tried, if you wanted to be helpful you could contact any of the hosts listed to let them know about "what you think that's a problem".
phatronic 07-12-2002, 07:13 AM This thread title reminds me of Linkin Park, :D
clockwork 07-12-2002, 08:47 AM I don't think there's anything wrong with my attitude.
I've been working in web hosting for almost 4 years now (system administration).
I've tried to implement security policies, but it seems no one cares.
I have gotten people to use SUExec to get around the Apache security issues. Oh, it wasn't easy either.
You tell people it's good for security, but the bottom line is they need to make changes and they will encounter problems migrating from the "normal" way. They don't like that.
As for most attacks, as far as I have seen... typical servers that get "owned" don't suffer data loss, they are simply used for tools such as cracking other servers or tying them into a ring of DDoS boxes.
If you see a box get data wiped from it, you might want to start looking into who has a grudge with you or your users. Sure, there could be some random, malicious person who rm -rf /* a box, but I have come to know that is far and few between... usually some script kiddie who thinks someone is on to him and has no idea how to clean log files.
I've been following security for over 6 years.
I remember when bugtraq used to be good.
My attitude isn't meant to insult you, it's just one of little hope when looking at the security of 95% (random figure) of hosting companies.
clockwork 07-12-2002, 08:49 AM Also... I see no one replaced FTP with scp/sftp (obviously not everyone here read the thread, but no one so far).
Think of who your clients are/will be - Windows users who have CuteFTP, Frontpage (maybe DreamWeaver if you are lucky), etc.
Unless you plan to blow them all off, good luck!
Jedito 07-12-2002, 12:55 PM Oh really? you don't see anything wrong with your attitude?
You exposed a possible security hole in a public forum with more than 15,000 members at more than 5 hosts, because you wanted to play "hey, I read securityfocus.com, I'm really smart, and those hosts do not upgrade their daemons, they are insecure, hehehe".
Again, I'll appreciate it if you remove downtownhost.com from your misinforming message, and I suggest reading more before posting a message like this, it really makes you look like a fool.
Jedito 07-12-2002, 01:05 PM BTW, what part of
"I don't know if you really care about it, but just to let you know I upgraded SSH on that box a long time ago, for some reason it still shows the old version, to be honest, I don't know why.
Indeed, just to be sure, I did it again to 3.4p1, but it still shows 3.1p1. "
didn't you understand?
Tim Greer 07-12-2002, 09:09 PM Originally posted by clockwork
I don't think there's anything wrong with my attitude.
I've been working in web hosting for almost 4 years now (system administration).
Keeping programs up-to-date does not make one a system administration expert.
I've tried to implement security policies, but it seems no one cares.
What policies, to whom, and what do you mean?
I have gotten people to use SUExec to get around the Apache security issues. Oh, it wasn't easy either.
What Apache security issue and SuEXEC and what wasn't easy?
You tell people it's good for security, but the bottom line is they need to make changes and they will encounter problems migrating from the "normal" way. They don't like that.
What's good for security and what changes and what problems are you talking about?
As for most attacks, as far as I have seen... typical servers that get "owned" don't suffer data loss, they are simply used for tools such as cracking other servers or tying them into a ring of DDoS boxes.
Usually, yes. It's true that most servers are compromised due to not being up to date with all the things that commonly need to be up to date, but that's not all there is to it, but if it is true that someone was running vulnerable versions then it's not a good sign. Just be sure that you know they are truly vulnerable, and don't post that to a public board, perhaps.
If you see a box get data wiped from it, you might want to start looking into who has a grudge with you or your users. Sure, there could be some random, malicious person who rm -rf /* a box, but I have come to know that is far and few between... usually some script kiddie who thinks someone is on to him and has no idea how to clean log files.
Perhaps.
I've been following security for over 6 years.
I remember when bugtraq used to be good.
Keeping programs up-to-date does not make one a system administration (or security) expert.
My attitude isn't meant to insult you, it's just one of little hope when looking at the security of 95% (random figure) of hosting companies.
I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
Jedito 07-12-2002, 09:30 PM Originally posted by Tim_Greer
I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
I'm not limiting my criticism to that.
He didn't see how I have configured sshd_config, if I have it patched or not, he doesn't have a clue how that box has been configured.
He was just misinforming with inaccurate information about a box that he never used, and even if it were true that the box is vulnerable, he shows a lack of common sense in posting a message like that in a public forum with 15000+ members.
I expect an apology from clocker, and downtownhost.com removed from this thread.
clockwork 07-13-2002, 12:21 AM Originally posted by Jedito
Oh really? you don't see anything wrong with your attitude?
You exposed a possible security hole in a public forum with more than 15,000 members at more than 5 hosts, because you wanted to play "hey, I read securityfocus.com, I'm really smart, and those hosts do not upgrade their daemons, they are insecure, hehehe".
Again, I'll appreciate it if you remove downtownhost.com from your misinforming message, and I suggest reading more before posting a message like this, it really makes you look like a fool.
When did I say any of that?
When did I post about any company being insecure?
That is, if you are referring to me, which it seems you are due to the "attitude" portion of your message.
Tim Greer 07-13-2002, 12:24 AM
Andrew 07-13-2002, 12:27 AM I think everyone's getting confused over usernames here.
clocker1996 was the one who started the thread, not Clockwork.
:)
Tim Greer 07-13-2002, 12:29 AM Originally posted by lightnin
I think everyone's getting confused over usernames here.
clocker1996 was the one who started the thread, not Clockwork.
:)
That explains some, thanks.
clockwork 07-13-2002, 12:36 AM Originally posted by Tim_Greer
Keeping programs up-to-date does not make one a system administration expert.
I agree, but I have a feeling you are saying I consider myself an expert, which I do not consider myself. I am wary of anyone who refers to themselves as an expert in fact.
Keeping programs up to date is just common sense, even on your home computers.
What policies, to whom, and what do you mean?
I won't say with whom, but I've tried getting packet filtering (not ipfw/iptables, an external box such as checkpoint fw1), network intrusion detection (tied into firewalling), host-based IDS, getting rid of services that have security issues more often than I'd like (replacing them with alternatives).
And setting up rules for giving out information.
Have people follow a set number of rules when changing software (make sure it doesn't have holes).
And so on.
What Apache security issue and SuEXEC and what wasn't easy?
The upgrade itself was fine, it was the backlash from clients I witnessed. Even though most of the files with world write/execute perms were changed shortly after the "upgrade" people just kept doing things the same old way and complaining it did not work (The README told me to chmod 777!, etc).
What's good for security and what changes and what problems are you talking about?
Making changes for the better of security.
Changes would be moving away from how the other hosting companies do things, the vast majority.
I was with company A, and this is how they had things setup.. and company B I was with did the same thing, but you, company C, want me to do it this way? It just doesn't make sense to them since they can't (most of them) comprehend that the changes are a benefit.
Do you follow at all?
Just take replacing FTP with scp. I'm sure a company only offering scp as a way to upload data isn't going to get many customers.
Keeping programs up-to-date does not make one a system administration (or security) expert.
I agree too, but again, I have this feeling you think I'm claiming I'm a security expert. I am not. It's just common sense as I said above.
I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
Please elaborate on that, I have no idea what this means.
Thanks Tim.
clockwork 07-13-2002, 12:38 AM Why do I have a feeling you guys are confusing me with clocker1996 ?
Tim Greer 07-13-2002, 12:51 AM Originally posted by clockwork
Why do I have a feeling you guys are confusing me with clocker1996 ?
I did, sorry. I was wondering how he suddenly was doing system administration for 4 years and watching security lists for 6. My mistake.
edude 07-13-2002, 12:53 AM lol Tim :stickout
The Prohacker 07-13-2002, 01:50 AM Originally posted by Tim_Greer
I did, sorry. I was wondering how he suddenly was doing system administration for 4 years and watching security lists for 6. My mistake.
*bookmarks post*
This is possibly one of Tim's shortest posts :D
Tim Greer 07-13-2002, 02:29 AM Originally posted by The Prohacker
*bookmarks post*
This is possibly one of Tim's shortest posts :D
Wrong. (this is) :-)
Jedito 07-13-2002, 05:56 AM Originally posted by clockwork
Why do I have a feeling you guys are confusing me with clocker1996 ?
Oops.. I did confuse you with clocker1996.. I apologise.
Chicken 07-13-2002, 11:46 AM The names and IPs have been removed from the thread because if there is a server that is exploitable, please notify the owner of the server rather than posting the exact server name and IP. While the discussion about the vulnerability is good, this is irresponsible.
Originally posted by DizixCom
I think you guys may read too deeply into what you see. Just because someone is running versions of software that have vulnerabilities, it does not mean they are vulnerable. Not in the least. That's me, I'm secure.
I'm running older versions of OpenSSH that are also secure. However, this thread has made me reevaluate whether or not I should upgrade anyway, just to put on a good show for those who understand nothing beyond version numbers.
-Bob
Jeffyt 07-13-2002, 01:23 PM Not sure I understand why folks think that because someone has a certain version of software, that they must also be vulnerable. As far as I know the OpenSSH remote challenge vulnerability only affects people who have compiled in AUTH_BSD, S/Key, or PAM. If you compiled from source (which I would imagine most have) those are off by default anyway. I am certainly not suggesting that admins ought not upgrade (as there are certainly benefits to the new OpenSSH), I am merely suggesting (as others have mentioned) that a version number means nothing other than the potential for the software to be compromised.
Regards,
Jeff
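The recurring point of the thread (Techark on the RHSA-2002-127 backport, Andrew and ToastyX on the sshd_config keywords, ScottD and Jeffyt on version numbers) is that the banner alone does not tell you whether a host is exposed. The following is an added example for auditing your own hosts, not code from any poster: it parses an OpenSSH identification string, checks the "2.3.1 through 3.3" range quoted above, and reads sshd_config for the two keywords named in the thread. The sample banners and config fragments are constructed; `vendor_patched` stands in for whatever the host's package manager tells you about a backported fix.

```python
import re

# Affected version range as quoted in the thread: "2.3.1 through 3.3".
AFFECTED_LOW = (2, 3, 1)
AFFECTED_HIGH = (3, 3)

# Identification string format: SSH-<protoversion>-<softwareversion>[ <comment>]
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)"
    r"(?P<portable>p\d+)?(?P<comment>.*)$"
)

# Constructed samples modelled on the redacted telnet output in the thread.
SAMPLE_BANNERS = {
    "host-a": "SSH-1.99-OpenSSH_3.1p1",
    "host-b": "SSH-1.99-OpenSSH_2.9p2",
    "host-c": "SSH-2.0-OpenSSH_3.4p1",
    "host-d": "SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202",
}
CONFIG_MITIGATED = """# constructed sshd_config fragment (the settings ToastyX describes)
Port 22
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
"""
CONFIG_DEFAULT = """# constructed sshd_config fragment, neither keyword set
Port 22
PermitRootLogin no
"""


def parse_banner(line):
    """Split an OpenSSH identification string into its parts, or None."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "version": tuple(int(x) for x in m.group("ver").split(".")),
        "portable": m.group("portable") is not None,
        "comment": m.group("comment").strip(),
    }


def version_in_affected_range(version):
    """True when the version number alone falls inside 2.3.1 .. 3.3."""
    return AFFECTED_LOW <= version and version[:2] <= AFFECTED_HIGH


def parse_sshd_config(text):
    """Keyword -> value (both lowercased); first occurrence wins, as in sshd."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip().lower())
    return cfg


def assess(banner, sshd_config_text, vendor_patched=False):
    """Classify one host. vendor_patched is what the package manager reports,
    e.g. a backported fix like RHSA-2002-127 that keeps the 3.1p1 banner."""
    info = parse_banner(banner)
    if info is None:
        return "unknown: not an OpenSSH banner"
    if not version_in_affected_range(info["version"]):
        return "version outside affected range"
    cfg = parse_sshd_config(sshd_config_text)
    # Conservative: a keyword counts as disabled only when explicitly "no".
    if (cfg.get("challengeresponseauthentication") == "no"
            and cfg.get("pamauthenticationviakbdint") == "no"):
        return "mitigated by sshd_config"
    if vendor_patched or info["comment"]:
        return "verify manually: vendor build, banner does not reflect patch level"
    return "possibly vulnerable: upgrade, or disable challenge-response auth"


if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(host, banner, "->", assess(banner, CONFIG_DEFAULT))
```

The banner is sent by the running sshd process, so a daemon that was not restarted after an upgrade keeps announcing the old version (Jedito's 3.4p1 still showing 3.1p1 is consistent with that); check the running binary, not only the installed package.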
The Prohacker 07-13-2002, 01:40 PM Originally posted by Tim_Greer
Wrong. (this is) :-)
Damn you... Now I have to update my bookmark :D