Thread: My server is HACKED, AGAIN???
06-08-2005, 04:48 PM #26 (Temporarily Suspended)
As thelinuxguy said, the Red Hat patch is out for Xeon.
06-08-2005, 04:55 PM #27 (Problem Solver)
Originally posted by wm2100
I am talking about remote exploits.
You are worrying about stuff that does not exist yet; no NX bit exploits have been discovered. We are worrying about existing software flaws, and the NX bit stops them.
06-08-2005, 04:59 PM #28 (Junior Guru Wannabe)
Originally posted by wm2100
But, to be serious, the NX bit definitely stops all buffer overflow attacks, which are the most common remote exploits.
If you don't believe it, we can set up two machines, one Intel Xeon and one AMD Opteron, and let the hackers begin. I am willing to bet $500 on it.
The NX bit is designed to make what is known as the 'stack' non-executable. To quickly go into the basics, the stack, which exists on every system, is a LIFO (Last In, First Out) data structure. Programmers who have encountered assembly would know this from dealing with that ever so wonderful ESP register (or SP for the old 16-bit dogs).
Basic stack-based buffer overflows, which were the most common until more recent attacks (such as format-string attacks, heap overflows, integer overflows and off-by-ones, for example), worked on the basic principle that you could send more information than a buffer in the program was designed to hold; the data that overflowed overwrote the memory following that buffer.
Sometimes some of these overflows enable attackers to gain control of the EIP/IP (Instruction Pointer) and point it at their code, known as shellcode, which typically spawns a shell, etc.
So what's this got to do with the NX bit?
Take stack-based overflows for example. After overflowing the buffer and gaining control of EIP, they have to point it somewhere to do something useful. So, either prepared beforehand or stuffed in the buffer, depending on the vulnerability at hand, usually they will attempt to execute code they've stored on the stack.
The NX bit, PaX and several other patches for various operating systems employ what is known as a NON-EXECUTABLE stack. In other words, you can read and write but can't run code on that page of memory.
Guess I'm getting a bit overboard... wm2100 and anyone else reading this post: non-executable stack patches, whether at the kernel level or the hardware level, are not new.
Second myth to dispel: they do not stop attacks. They do not prevent the buffer from being overrun. All they do is check to see if EIP is sitting in a data page or not.
Furthermore, there are security whitepapers for working around these security patches, or in some cases, as thelinuxguy has said, they do develop ways of defeating said protection.
What's even more scary is that you're claiming he should go to an AMD64 system and it will solve all his problems. How do you know that the problem wasn't:
a) Weak password
b) Misconfigured permissions
c) Hole in web-based application
There are many security areas to cover, and buffer overflows are only one way of gaining control, or part thereof.
If you are still dubious about this, I suggest you read papers regarding return-into-libc methods for defeating non-executable stacks, and also have a further look around security sites. You just might be surprised to find that the NX bit, or PaX, or Exec Shield are just one cog in a big wheel, instead of saying one solution will solve all this person's woes.
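The non-executable-stack protections discussed above (NX bit, PaX, Exec Shield) only help a process whose stack is actually mapped without execute permission. On Linux that request is recorded per binary in the ELF PT_GNU_STACK program header, and a binary that asks for an RWX stack opts itself out. The following is an added example, not code from this thread or from any of the projects named in it: it parses that header and flags binaries whose stack will be executable. The sample ELF images are constructed in-code (not loadable programs) so the check can run offline; the fallback for a missing header reflects the x86 kernel's legacy behaviour as understood by the editor.

```python
import struct
from typing import Optional

# Constants from the ELF specification / <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
PT_GNU_STACK = 0x6474E551  # segment whose p_flags hold the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4  # execute / write / read permission bits


def gnu_stack_flags(elf: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK segment, or None if the binary has none.
    Only little-endian ELF64 images are handled; anything else is rejected."""
    if elf[:4] != ELF_MAGIC or elf[4] != ELFCLASS64 or elf[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]             # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)  # entry size and entry count
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(elf: bytes) -> bool:
    """True if the loader will map this program's stack with execute permission.
    A missing PT_GNU_STACK is counted as executable: on x86 the kernel treats the
    absent header as a legacy request for an executable stack (editor's assumption)."""
    flags = gnu_stack_flags(elf)
    return flags is None or bool(flags & PF_X)


def build_sample_elf(stack_flags: Optional[int]) -> bytes:
    """Constructed test image: a 64-byte ELF64 header followed by a program header
    table holding only a PT_GNU_STACK entry (empty table when stack_flags is None).
    Not loadable; it exists only so the checks above can be exercised offline."""
    phdrs = b""
    if stack_flags is not None:
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,                # e_type ET_EXEC, e_machine x86-64, e_version
        0x401000,                  # e_entry (arbitrary)
        64, 0, 0,                  # e_phoff (table follows this header), e_shoff, e_flags
        64, 56, len(phdrs) // 56,  # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                  # e_shentsize, e_shnum, e_shstrndx
    )
    return header + phdrs


if __name__ == "__main__":
    for name, flags in [("RW stack", PF_R | PF_W), ("RWX stack", PF_R | PF_W | PF_X), ("no header", None)]:
        print(f"{name}: executable={stack_is_executable(build_sample_elf(flags))}")
```

On a real binary the same information is shown by `readelf -lW <binary> | grep GNU_STACK`; an `RWE` entry means that process will get an executable stack no matter what the CPU supports.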
06-08-2005, 05:01 PM #29 (Eternal Member)
I would have to go with Steve here. Most exploits are through poorly coded PHP scripts.
06-08-2005, 05:05 PM #30 (Junior Guru Wannabe)
Same; most of the attacks at the moment have just been via web applications, phpBB being the most relevant one to bring up.
06-08-2005, 05:30 PM #31 (Web Hosting Master)
In the end you, voltus, are responsible. If you aren't responsible for the work, you are responsible to make sure it is complete. Had to lay down some tough love.
06-08-2005, 05:35 PM #32 (Temporarily Suspended)
phpBB and Advanced Guestbook: two things for the admin to look for on any server!
As you said, these days most hacks are through PHP and through clients who don't know much themselves. That's why every time I see a host offering EVERYTHING, I wonder what kind of an admin is behind that system!
06-08-2005, 08:23 PM #33 (Web Hosting Master)
We are still investigating; however, I would like to preliminarily note that the server's kernel, daemons and supporting software were all up to date. We have had one tech look into the issue, and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was a technical or a social-engineering-based intrusion.
06-08-2005, 08:29 PM #34 (Eternal Member)
If it is social engineering based, then no matter how many security layers you have, the person still has access; you can't really fix that.
06-08-2005, 08:57 PM #35 (WHT Addict)
Originally posted by serverunion
In the end you, voltus, are responsible. If you aren't responsible for the work, you are responsible to make sure it is complete. Had to lay down some tough love.
06-08-2005, 09:54 PM #36 (Too smart for her own good.)
Originally posted by voltus_99
Again, is this comment for me or liquidweb?
06-08-2005, 10:05 PM #37 (Engineer)
Originally posted by LiquidwebZac
We are still investigating; however, I would like to preliminarily note that the server's kernel, daemons and supporting software were all up to date. We have had one tech look into the issue, and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was a technical or a social-engineering-based intrusion.
To the thread starter: you have to understand that a managed server does NOT mean they will do every single thing for your server; they provided a basic managed server. Of course some companies are different; it just depends how important that part of their setup is to them personally.
I understand you may be unable to manage your own servers, which is why outsourced management companies exist.
-Scott
06-08-2005, 10:17 PM #38 (Retired Moderator)
Originally posted by cpanelgh0st
What disturbs me is people's belief in technologies they do not comprehend.
The NX bit is designed to make what is known as the 'stack' non-executable. To quickly go into the basics, the stack, which exists on every system, is a LIFO (Last In, First Out) data structure. Programmers who have encountered assembly would know this from dealing with that ever so wonderful ESP register (or SP for the old 16-bit dogs).
Basic stack-based buffer overflows, which were the most common until more recent attacks (such as format-string attacks, heap overflows, integer overflows and off-by-ones, for example), worked on the basic principle that you could send more information than a buffer in the program was designed to hold; the data that overflowed overwrote the memory following that buffer.
Sometimes some of these overflows enable attackers to gain control of the EIP/IP (Instruction Pointer) and point it at their code, known as shellcode, which typically spawns a shell, etc.
So what's this got to do with the NX bit?
Take stack-based overflows for example. After overflowing the buffer and gaining control of EIP, they have to point it somewhere to do something useful. So, either prepared beforehand or stuffed in the buffer, depending on the vulnerability at hand, usually they will attempt to execute code they've stored on the stack.
The NX bit, PaX and several other patches for various operating systems employ what is known as a NON-EXECUTABLE stack. In other words, you can read and write but can't run code on that page of memory.
Guess I'm getting a bit overboard... wm2100 and anyone else reading this post: non-executable stack patches, whether at the kernel level or the hardware level, are not new.
Second myth to dispel: they do not stop attacks. They do not prevent the buffer from being overrun. All they do is check to see if EIP is sitting in a data page or not.
Furthermore, there are security whitepapers for working around these security patches, or in some cases, as thelinuxguy has said, they do develop ways of defeating said protection.
What's even more scary is that you're claiming he should go to an AMD64 system and it will solve all his problems. How do you know that the problem wasn't:
a) Weak password
b) Misconfigured permissions
c) Hole in web-based application
There are many security areas to cover, and buffer overflows are only one way of gaining control, or part thereof.
If you are still dubious about this, I suggest you read papers regarding return-into-libc methods for defeating non-executable stacks, and also have a further look around security sites. You just might be surprised to find that the NX bit, or PaX, or Exec Shield are just one cog in a big wheel, instead of saying one solution will solve all this person's woes.
/me bows. Good post.
06-08-2005, 10:51 PM #39 (Junior Guru Wannabe)
Originally posted by LiquidwebZac
We are still investigating; however, I would like to preliminarily note that the server's kernel, daemons and supporting software were all up to date. We have had one tech look into the issue, and our head security admin will be investigating tomorrow for possible attack vectors. It is still undetermined whether it was a technical or a social-engineering-based intrusion.
Interestingly enough, at the time of writing there are a few outstanding flaws in the Linux kernel alone, not to mention a couple of new PHP flaws.
(Do note that, while some are listed as DoS vulnerabilities, the kernel ones have had a habit of turning into privilege escalation in some cases, i.e. the Bluetooth bug.)
OpenSSH SCP Client File Corruption Vulnerability - http://www.securityfocus.com/bid/9986
Linux Kernel 64 Bit PTrace Segment Base Address Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13891
Linux Kernel MMap Invalid Memory Region Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13893
Linux Kernel Auditing Code Unspecified Local Denial Of Service Vulnerability - http://www.securityfocus.com/bid/13895
Multiple Linux Kernel IOCTL Handlers Local Memory Corruption Vulnerabilities - http://www.securityfocus.com/bid/13651
PHP Group PHP Remote JPEG File Format Remote Denial Of Service Vulnerability - http://www.securityfocus.com/bid/12963
PHP Group PHP Image File Format Remote Denial Of Service Vulnerability - http://www.securityfocus.com/bid/12962
06-08-2005, 11:40 PM #40 (Web Hosting Master)
Originally posted by bigmaster
Ok,
Look at it this way! You have a bundle of money, you give it to the bank and you walk away! Well, if you bother counting it before you hand it to the bank, you will prevent any further problem too, right?
If a provider (bank) offers a managed server (safe vault/checking account), it's the provider's job to keep your money/valuables safe, unless your contract/checking account states otherwise. If the provider (bank) didn't do their job, what's the point of renting a safe vault (managed server) at the bank? You should keep your valuables at home then, since keeping them at the bank is no different from keeping them at home. What's the point of paying an extra fee to manage your server? LiquidWeb might as well sell their server for less and say it's unmanaged.
The OP should check with LiquidWeb on what type of managed service is offered and what LiquidWeb will do if they fail the SLA.
Last edited by jt2377; 06-08-2005 at 11:46 PM.
06-09-2005, 12:03 AM #41 (Junior Guru Wannabe)
Originally posted by HostGeekZ
Just to comment on this one. Although I disagree with the thread starter that you should do everything for him, it begs the question: what sort of "basic" security do you enforce on managed servers? Surely if it happened before you would have reported to the customer what was hacked before? Sorry if this sounds negative; it is just very strange that it has happened again.
To the thread starter: you have to understand that a managed server does NOT mean they will do every single thing for your server; they provided a basic managed server. Of course some companies are different; it just depends how important that part of their setup is to them personally.
I understand you may be unable to manage your own servers, which is why outsourced management companies exist.
-Scott
They even claimed on their special thread that customers won't even have to touch SSH again, which is why I bought an LW server, and now I might have to worry about it.
06-09-2005, 12:51 AM #42 (Web Hosting Master)
I would suggest you forget about the penguins and start using *BSD as the OS. You'll definitely do better in terms of security.
Ben S.
06-09-2005, 02:46 PM #43 (Junior Guru)
On topic:
Multiple break-ins usually mean he's targeted or on a list... Granted, the provider should perform basic security tasks; when compromised, the provider should at least help, since it could affect other customers.
Otherwise an evaluation of the server should be done and extra security measures considered... firewall, DDoS, changing IP addresses, etc.
The host should also be proactive about what is ON the server... Make a list of what's on there, do a code audit of anything that's custom, etc.
Originally posted by wm2100
Ok, guys, I am a C/C++ programmer, so let me explain the NX bit.
The NX bit is not just about stack overflows. It can disallow execution of any code injected into a running program; only the code compiled into the executable is allowed to run.
http://www.anandtech.com/cpuchipsets...oc.aspx?i=2239
Dude, why don't you start a website on that mongo server of yours and post all your findings there? Or better yet, just duplicate anandtech.com and tomshardware.com. Realistically, you could build a database and allow people to upload their results to the server... yah? It is VERY simple for a C/C++ programmer to do something like this... The only thing programmers aren't good at is web design...
"NX protection seems great; it stops viruses dead in their tracks and eliminates those pesky buffer overflows we have been hearing so much about for the last 15 years. Well, maybe not. In fact it seems that NX provides several layers of false security, particularly since it only stops some buffer overflows and whether or not it stops any viruses has yet to be seen yet."
Last edited by ikeo; 06-09-2005 at 02:50 PM.
06-10-2005, 12:43 PM #44 (Junior Guru Wannabe)
Update:
Although I am very disappointed that my server has been hacked twice in three months, I have to give an A+ to LQW for handling the situation. It's true they did not warn me about the takeover, but after I contacted them they have been very responsive.
I fully understand that I bear some responsibility in managing the server, but since I am not an expert I have to rely on LQW to help me. And believe me, they do help me so far. I just wish that they could be proactive in prevention rather than reactive.
For your info, my new server was hacked less than 5 days after I joined LQW. I had not even done anything on the server yet. You can read the whole thread in the first post. To make it worse, they were not able to restore some content that we were uploading.
This time is worse, but so far all content is restored and my server is under special watch/treatment from the LQW techs. I have to admire their effort and commitment in solving my problem, whether because they do care or because of my post here.
Anyway, time to remove some old files, switch phpBB to SMF, etc., so there will be no mistake.
06-10-2005, 04:04 PM #45 (Carpe Diem)
The ONLY way to guarantee your machine is safe is to keep it unplugged.