Page 2 of 2 FirstFirst 12
Results 26 to 45 of 45
  1. #26
    As thelinuxguy said, the Red Hat patch is out for Xeon.

  2. #27
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Originally posted by wm2100
    I am talking about remote exploits.

    You are worrying about stuff that does not exist yet; no NX bit exploits have been discovered. We are worrying about existing software flaws, and the NX bit stops them.
    Security is all about worrying. You, my friend, are a fool for thinking the NX bit is going to save your life. BTW, for your information, 90% of hacks these days are done through vulnerable PHP scripts, then a local exploit is uploaded. Not much daemon exploiting going on.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #28
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    76
    Originally posted by wm2100
    But, to be serious, the NX bit definitely stops all buffer overflow attacks, which are the most common remote exploits.

    If you don't believe it, we can set up two machines, one Intel Xeon and one AMD Opteron, and let hackers begin. I am willing to bet $500 on it.
    What disturbs me is people's belief in technologies they do not comprehend.

    The NX bit is designed to make what is known as the 'stack' non-executable. To quickly go into the basics, the stack, which exists on every system, is a LIFO (Last in First out) data structure. Programmers who have encountered assembly would know this from dealing with that ever so wonderful ESP register (or SP for the old 16-bit dogs).

    Basic stack-based buffer overflows which were the most common until more recent attacks (such as format-string attacks, heap overflows, integer overflows and off-by-one for example) worked on the basic principle that you could send more information than a buffer in the program was designed to hold - data that overflowed, overwrote memory following after that buffer.

    Sometimes some of these overflows enable attackers to gain control of the EIP/IP (Instruction Pointer) and point it at their code, known as shellcode, which typically spawns a shell, etc.

    So what's this got to do with the NX bit?


    Take stack-based overflows for example. After overflowing the buffer and gaining control of EIP, they have to point it somewhere to do something useful. So, either prepared beforehand or stuffed in the buffer, depending on the vulnerability at hand, usually they will attempt to execute code they've stored on the stack.

    The NX-bit, PaX and several other patches for various operating systems employ what is known as a NON-EXECUTABLE stack. In other words, you can read and write, but can't run code on that page of memory.


    Guess I'm getting a bit overboard... wm2100 and anyone else reading this post. Non-executable stack patches, whether at kernel-level, or the hardware-level, are not new.

    Second myth to dispel. They do not stop attacks. They do not prevent the buffer from being overrun. All they do is check to see if EIP is sitting in a data page or not.

    Furthermore - there are security whitepapers for working around these security patches, or in some cases as thelinuxguy has said - they do develop ways of defeating said protection.

    What's even more scary is that you're claiming he should go to an AMD64 system and it will solve all his problems. How do you know that the problem wasn't:

    a) Weak password
    b) Misconfigured permissions
    c) Hole in web-based application

    There are many security areas to cover - and buffer overflows are only one way of gaining control, or part thereof.

    If you are still dubious about this, I suggest you read papers regarding return-into-libc methods for defeating non-executable stacks, and also have a further look around security sites. You just might be surprised to find that the NX-bit, or PaX, or Exec Shield are just one cog in a big wheel, instead of saying one solution will solve all this person's woes.
    http://magi.net.au - Development / rant blog for coders, *nix admins, unofficial cpanel and whatnot.
    Server administration / Emergency work / Security handling available on request - private message/email for quote or more information
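    Added example, not code from any poster in this thread, illustrating the two points cpanelgh0st makes above: a non-executable stack does nothing to stop the buffer from being overrun, it only decides whether the address EIP ends up at may execute, which is why return-into-libc (pointing EIP at code that already exists) gets past it. The `struct frame` layout, the 20-byte attacker input, and the two-region address map with its addresses are all constructed for the demo and stand in for a real stack frame and a real process map; they are not taken from any system described in the thread.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a stack frame: a fixed buffer followed by the
 * value an overflow clobbers. In a real frame that value is the saved
 * return address (EIP); using a struct keeps the demo deterministic and
 * independent of the compiler's actual frame layout.
 */
struct frame {
    char buf[16];
    unsigned char saved_ret[4];      /* stands in for the saved EIP */
};

static const unsigned char ORIGINAL_RET[4] = { 0x10, 0x20, 0x30, 0x40 };

/* Constructed attacker input: 16 bytes fill buf, the next 4 ("AAAA") land
 * on saved_ret. 20 bytes total, so the write never leaves the struct. */
static const char ATTACK[20] = "AAAAAAAAAAAAAAAAAAAA";

/* Vulnerable copy: trusts the caller's length, the classic overflow.
 * Returns 1 if saved_ret survived, 0 if it was overwritten. */
int vulnerable_copy(struct frame *f, const char *input, size_t len) {
    memcpy(f->saved_ret, ORIGINAL_RET, sizeof f->saved_ret);
    memcpy(f->buf, input, len);                   /* no bounds check */
    return memcmp(f->saved_ret, ORIGINAL_RET, 4) == 0 ? 1 : 0;
}

/* Hardened copy: refuses input that does not fit (leaving room for NUL).
 * Returns -1 when rejected, 1 when copied. */
int hardened_copy(struct frame *f, const char *input, size_t len) {
    memcpy(f->saved_ret, ORIGINAL_RET, sizeof f->saved_ret);
    if (len >= sizeof f->buf)
        return -1;                                /* rejected, nothing written */
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 1;
}

/* Little-endian view of saved_ret: the address the CPU would load into EIP. */
unsigned long ret_as_addr(const struct frame *f) {
    return (unsigned long)f->saved_ret[0]
         | (unsigned long)f->saved_ret[1] << 8
         | (unsigned long)f->saved_ret[2] << 16
         | (unsigned long)f->saved_ret[3] << 24;
}

/* Constructed address map, as a hardware NX check would see it. The
 * addresses are illustrative, not the real layout of any system. */
struct region { unsigned long base, size; int executable; };
static const struct region MAP[] = {
    { 0xbfff0000UL, 0x00010000UL, 0 },   /* stack: read/write, NX set */
    { 0x40000000UL, 0x00100000UL, 1 },   /* libc text: code pages */
};

/* Everything NX decides: 1 if a jump to addr may execute, 0 if it faults.
 * The overflow itself has already happened by the time this runs. */
int nx_allows_exec(unsigned long addr) {
    for (size_t i = 0; i < sizeof MAP / sizeof MAP[0]; i++)
        if (addr >= MAP[i].base && addr - MAP[i].base < MAP[i].size)
            return MAP[i].executable;
    return 0;                                     /* unmapped: faults either way */
}

/* Runs the overflow and returns the attacker-chosen value now in saved_ret. */
unsigned long overflowed_ret(void) {
    struct frame f;
    vulnerable_copy(&f, ATTACK, sizeof ATTACK);
    return ret_as_addr(&f);                       /* 0x41414141 */
}

/* Same input through the hardened copy: 1 if saved_ret survived. */
int hardened_keeps_ret(void) {
    struct frame f;
    hardened_copy(&f, ATTACK, sizeof ATTACK);
    return memcmp(f.saved_ret, ORIGINAL_RET, 4) == 0 ? 1 : 0;
}

int main(void) {
    printf("vulnerable: saved_ret became 0x%08lx\n", overflowed_ret());
    printf("hardened:   saved_ret intact = %d\n", hardened_keeps_ret());
    printf("NX allows jump to stack 0x%08lx : %d\n", 0xbfff0100UL, nx_allows_exec(0xbfff0100UL));
    printf("NX allows jump to libc  0x%08lx : %d\n", 0x40012345UL, nx_allows_exec(0x40012345UL));
    return 0;
}
```

    The overflow corrupts saved_ret whether or not NX is present; NX only matters at the moment EIP is loaded. A return address pointing into the stack region is refused, one pointing into the libc text region is allowed, which is the whole basis of return-into-libc. The hardened copy is what actually prevents the corruption.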

  4. #29
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    I would have to go with Steve here. Most exploits are through poorly coded PHP scripts.

    --GSV
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  5. #30
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    76
    Same. Most of the attacks at the moment have just been via web applications, phpBB being the most relevant one to bring up.

  6. #31
    Join Date
    May 2004
    Location
    madison, wi
    Posts
    842
    In the end you, voltus, are responsible. If you aren't responsible for the work, you are responsible to make sure it is complete. Had to lay down some tough love.

  7. #32
    phpBB and Advanced Guestbook. Two things for the admin to look for on any server!

    As you said, these days most hacks are through PHP and through clients who don't know much themselves. That's why every time I see a host offering EVERYTHING, I wonder what kind of an admin is behind that system!

  8. #33
    Join Date
    Oct 2003
    Location
    Chicago, IL
    Posts
    657
    We are still investigating, however I would like to preliminarily note that the server's kernel/daemons/supporting software were all up-to-date. We have had one tech look into the issue and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was technical or social engineering based intrusion.
    Zac Cogswell / CEI
    Formerly known as WiredTree Zac

  9. #34
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    If it is social engineering based, no matter how many security layers you have, the person still has access; can't really fix that.

    --GSV

  10. #35
    Originally posted by serverunion
    In the end you, voltus, are responsible. If you aren't responsible for the work, you are responsible to make sure it is complete. Had to lay down some tough love.
    A busy one.

  11. #36
    Join Date
    Feb 2004
    Location
    Your Screen
    Posts
    3,999
    Originally posted by voltus_99
    Again, is this comment for me or liquidweb?
    You. It's your server.

    Bailey
    Let's Connect on Twitter! @thatsmsgeek2u || Fighting mediocrity one thread at a time.

  12. #37
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Originally posted by LiquidwebZac
    We are still investigating, however I would like to preliminarily note that the server's kernel/daemons/supporting software were all up-to-date. We have had one tech look into the issue and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was technical or social engineering based intrusion.
    Just to comment on this one. Although I disagree with the thread starter that you should do everything for him, it begs the question: what sort of "basic" security do you enforce on managed servers? Surely if it happened before you would have reported to the customer what was hacked? Sorry if this sounds negative; it's just very strange that it has happened again.

    To the thread starter, you have to understand that managed servers does NOT mean they will do every single thing for your server; they provide a basic managed server. Of course some companies are different; it just depends how important that part of their setup is to them personally.

    I understand you may be unable to manage your own servers, which is why outsourced management companies exist.

    -Scott
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  13. #38
    Join Date
    May 2004
    Location
    Toronto, Canada
    Posts
    5,105
    Originally posted by cpanelgh0st
    What disturbs me is people's belief in technologies they do not comprehend.

    The NX bit is designed to make what is known as the 'stack' non-executable. To quickly go into the basics, the stack, which exists on every system, is a LIFO (Last in First out) data structure. Programmers who have encountered assembly would know this from dealing with that ever so wonderful ESP register (or SP for the old 16-bit dogs).

    Basic stack-based buffer overflows which were the most common until more recent attacks (such as format-string attacks, heap overflows, integer overflows and off-by-one for example) worked on the basic principle that you could send more information than a buffer in the program was designed to hold - data that overflowed, overwrote memory following after that buffer.

    Sometimes some of these overflows enable attackers to gain control of the EIP/IP (Instruction Pointer) and point it at their code, known as shellcode, which typically spawn a shell, etc.

    So what's this got to do with the NX bit?


    Take stack-based overflows for example. After overflowing the buffer and gaining control of EIP, they have to point it at somewhere to do something useful. So, either prepared before hand or stuffed in the buffer, depending on the vulnerability at hand, usually they will attempt to execute code they've stored on the stack.

    The NX-bit, PaX and several other patches for various operating systems employ what is known as a NON-EXECUTABLE stack. In other words, can read and write but can't run code on that page of memory.


    Guess I'm getting a bit overboard... wm2100 and anyone else reading this post. Non-executable stack patches, whether at kernel-level, or the hardware-level, are not new.

    Second myth to dispel. They do not stop attacks. They do not prevent the buffer from being overrun. All they do is check to see if EIP is sitting in a data page or not.

    Furthermore - there are security whitepapers for working around these security patches, or in some cases as thelinuxguy has said - they do develop ways of defeating said protection.

    What's even more scary is that you're claiming he should go to an AMD64 system and it will solve all his problems. How do you know that the problem wasn't:

    a) Weak password
    b) Misconfigured permissions
    c) Hole in web-based application

    There are many security areas to cover - and buffer overflows are only one way of gaining control, or part thereof.

    If you are still dubious about this, I suggest you read papers regarding return-into-libc methods for defeating non-executable stacks, and also have a further look around security sites. You just might be surprised to find that the NX-bit, or PaX, or Exec Shield are just one cog in a big wheel, instead of saying one solution will solve all this person's woes.

    /me bows.  good post.
    CloudNexus Technology Services
    Managed Services

  14. #39
    Join Date
    Mar 2005
    Location
    Sydney, Australia
    Posts
    76
    Originally posted by LiquidwebZac
    We are still investigating, however I would like to preliminarily note that the server's kernel/daemons/supporting software were all up-to-date. We have had one tech look into the issue and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was technical or social engineering based intrusion.
    Define up-to-date. :/ Hope the intrusion wasn't too bad though (complete server takeover)... The last few intrusions I've had to deal with this month were basic attacks, thanks to web apps and basic passwords.

    Interestingly enough, at time of writing, there are a few outstanding flaws in the Linux kernel alone, not to mention a couple of new PHP flaws.

    (Do note that while some are listed as DoS vulnerabilities, the kernel ones have had a habit of turning into privilege escalation in some cases, i.e. the bluetooth bug.)

    OpenSSH SCP Client File Corruption Vulnerability - http://www.securityfocus.com/bid/9986

    Linux Kernel 64 Bit PTrace Segment Base Address Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13891

    Linux Kernel MMap Invalid Memory Region Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13893

    Linux Kernel Auditing Code Unspecified Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13895

    Multiple Linux Kernel IOCTL Handlers Local Memory Corruption Vulnerabilities - http://www.securityfocus.com/bid/13651

    PHP Group PHP Remote JPEG File Format Remote Denial Of Service Vulnerability - http://www.securityfocus.com/bid/12963

    PHP Group PHP Image File Format Remote Denial Of Service Vulnerability - http://www.securityfocus.com/bid/12962

  15. #40
    Join Date
    Jul 2002
    Posts
    3,374
    Originally posted by bigmaster
    Ok,

    Look at it this way! You have a bundle of money, give it to the bank and walk away. Well, if you bother counting it before you hand it to the bank, you will prevent any further problem too, right?
    The bank will manage your money, help you keep track of records, and if someone tries to use your debit card or withdraw money from you, it's their duty to stop any unauthorized usage (hacker). Even if the bank gets robbed, they are insured up the ying-yang so that you won't lose a dime.

    If a provider (bank) offers a managed server (safe vault/checking account), it's the provider's job to keep your money/valuables safe, unless your contract/checking account states otherwise. If the provider (bank) didn't do their job, what's the point of renting a safe vault (managed server) at the bank? You should keep your valuables at home then, since keeping them at the bank is no different from your home. What's the point of paying an extra fee to manage your server? LiquidWeb might as well sell their server for less and say it's unmanaged.

    OP should check with LiquidWeb on what type of managed service is offered and what LiquidWeb will do if they fail the SLA.
    Last edited by jt2377; 06-08-2005 at 11:46 PM.

  16. #41
    Join Date
    Apr 2005
    Posts
    48
    Originally posted by HostGeekZ
    Just to comment on this one. Although I disagree with the thread starter that you should do everything for him. It begs the question, what sort of "basic" security do you enforce on managed servers. Surely if it happened before you would have reported as in what was hacked before to the customer? Sorry if this sounds negative, just very strange that it has happened again.

    To the thread starter, you have to understand managed servers does NOT mean they will do every single thing for your server, they provided a basic managed server. Ofcourse some companys are different, it just depends how important that part of there setup is to them personally.

    I understand you may be unable to manage your own servers which is why outsourced managed companys exist.

    -Scott
    I believe LiquidWeb do a "fully managed" service, which is "proactive" on anything security related. You can see it from their web info and price.

    They even claimed on their special thread that customers won't even touch SSH again, which is why I bought an LW server, and now I might get to worry about it.

  17. #42
    Join Date
    Mar 2003
    Location
    Edmonton, AB Canada
    Posts
    884
    I would suggest you forget about the penguins and start using *BSD as the OS. You'll definitely do better in terms of security.
    Ben S.

  18. #43
    On topic:

    Multiple break-ins usually mean he's targeted or on a list... Granted, the provider should perform basic security tasks; when compromised, the provider should at least help, since it could affect other customers.

    Otherwise an evaluation of the server should be done and extra security measures considered... firewall, DDoS, changing IP addresses, etc.

    Host should also be proactive with what is ON the server... Make a list of what's on there, anything that's custom do a code audit, etc.

    Originally posted by wm2100
    Ok, guys, I am a C/C++ programmer, so let me explain the NX bit.
    The NX bit is not just about stack overflows. It can disallow execution of any code injected into a running program; only the code compiled into the executable is allowed to run.

    http://www.anandtech.com/cpuchipsets...oc.aspx?i=2239
    lol. If you got farther than the first sentence... You're a C/C++ programmer, but don't know how to automate scripts and don't know the difference in apps being written for different architectures? Someone very thoroughly explained it before you. All you do is read the article, select what you want out of it, paraphrase it (incorrectly) and claim it as part of your own experience/knowledge...

    Dude, why don't you start a website on that mongo server of yours and post all your findings there? Or better yet, just duplicate anandtech.com and tomshardware.com. Realistically, you could build a database and allow people to upload their results to the server... yah? It is VERY simple for a C/C++ programmer to do something like this... The only thing programmers aren't good at is web design...


    "NX protection seems great; it stops viruses dead in their tracks and eliminates those pesky buffer overflows we have been hearing so much about for the last 15 years. Well, maybe not. In fact it seems that NX provides several layers of false security, particularly since it only stops some buffer overflows, and whether or not it stops any viruses has yet to be seen."
    Last edited by ikeo; 06-09-2005 at 02:50 PM.

  19. #44
    Join Date
    Mar 2005
    Posts
    48
    Update:

    Although I am very disappointed that my server has been hacked twice in three months, I have to give an A+ to LQW for handling the situation. It's true they did not warn me about the takeover, but after I contacted them, they have been very responsive.

    I fully understand that I bear some responsibility in managing the server, but since I am not an expert I have to rely on LQW to help me. And believe me, they do help me so far. I just wish that they could be proactive in prevention rather than reactive.

    For your info, my new server was hacked less than 5 days after I joined LQW. I had not even done anything on the server yet. You can read the whole thread in the first post. To make it worse, they were not able to restore some content that we were uploading.

    This time is worse, but so far all content is restored and my server is under special watch/treatment from LQW techs. I have to admire their effort and commitment in solving my problem, whether because they do care or because of my post here.

    Anyway, time to remove some old files, switch phpBB to SMF, etc., so there will be no mistake.

  20. #45
    Join Date
    Jul 2003
    Location
    Connecticut
    Posts
    3,038
    The ONLY way to guarantee your machine is safe is to keep it unplugged..


    Words of wisdom
