  1. #1

    Finding script holes

    Are there any good ways to find which script has a hole in it on your server? I'm pretty sure one of the scripts on my server has a security hole in it and it's allowing garbage onto my server that tends to bog it down and do nasty things to it. One of my staff knows enough about Linux admin to tell me that's most likely the case, but we've not had any luck finding the bad script as I have a large number of smaller sites with scripting on them hosted. He cleans out things when he has time to look and finds something, but we've not been able to find the hole.

    Plesk5 control panel, linux server.
    Webmaster - http://www.racerplanet.com

  2. #2
    Join Date
    Aug 2003
    Location
    London, UK
    Posts
    104
    Hey,

    We usually find outdated software to be the cause of most of the crap that ends up on our server.

    I would check the versions of any phpBB forums, WordPress, stuff like that. We recently installed mod_security, which is very good at stopping such exploits.
    http://www.modsecurity.org/

    Peter Verrill

  3. #3
    There are a lot of ways to track down the entry point of malicious activity. For a beginner, try mod_security for Apache:
    http://www.modsecurity.org/

    You can do a search here to see quite a few posts about how to use it as well.

  4. #4
    thanks guys, I'll see about mod security and see what I can do.
    Webmaster - http://www.racerplanet.com

  5. #5
    srv:~/modsecurity-apache-1.9.1/apache2 # /usr/local/psa/admin/bin/apxs -cia mod_security.c
    cc -DHARD_SERVER_LIMIT=512 -DDEFAULT_PATH="/usr/local/psa/admin/bin:/bin:/usr/bin" -DLINUX=22 -DTARGET="httpsd" -DHAVE_SET_DUMPABLE -I/usr/include/db1 -DMOD_SSL=208118 -DEAPI -O -pipe -O3 -fexpensive-optimizations -I/usr/kerberos/include -fomit-frame-pointer -fstrength-reduce -pipe -I/home/builder/pb_work_dir/psa_patch_7.0.3/psa/release/dist/usr/include -DPLESK_Linux -I/home/builder/pb_work_dir/psa_patch_7.0.3/psa/plesk-utils/include -DBSG_CR -DBSG_MSG -I/usr/include -L/home/builder/pb_work_dir/psa_patch_7.0.3/psa/admin/../plesk-utils/lib -lplesk -I/usr/include/db1 -fpic -DSHARED_MODULE -I/usr/local/psa/admin/include -c mod_security.c
    sh: line 1: cc: command not found
    apxs:Break: Command failed with rc=127

    I tried to compile mod_security and ran into this. I've been searching for a while and have not seen what exactly that means yet.
    Webmaster - http://www.racerplanet.com

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    PLESK5 ?!!!? I think you have more things to worry about than just some scripts getting exploited.

    I bet you have vulnerable software getting exploited.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    lol - that bad huh? guess I'll have to talk about getting plesk upgraded first with my host.
    Webmaster - http://www.racerplanet.com

  8. #8
    Well what operating system are you running exactly? Redhat 7.x?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  9. #9
    bah - stupid me, I'm actually running Plesk 7.03, not sure why I was thinking version 5, it has been a while since I looked.
    Webmaster - http://www.racerplanet.com

  10. #10
    Oh, that's better.

    make sure the httpd-devel package is installed and

    /usr/sbin/apxs

    is what you want to use.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  11. #11
    Server software in phpinfo tells me I'm running Apache/2.0.48 (Linux/SuSE), but I don't know the exact info right off. There's probably an easy way to tell, but I don't do much Linux admin anymore so I've forgotten the little I used to know.
    Webmaster - http://www.racerplanet.com

  12. #12
    Quote Originally Posted by Steven
    Oh, that's better.

    make sure the httpd-devel package is installed and

    /usr/sbin/apxs

    is what you want to use.

    Ahh - that might be where I went wrong, apxs that I found was in the psa/bin directory. I'll see what I can do with that.

    *edit* hmm no apxs in /usr/sbin on my server, the one I found was in /usr/local/psa/admin/bin I think, but gave me that error up above.

    Any recommendations for a basic general ruleset?
    Webmaster - http://www.racerplanet.com
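
Added example (not written by any poster in this thread): the `cc: command not found` / `rc=127` output in post #5 means apxs tried to run a C compiler that is not on the PATH, which is separate from the question of which apxs binary is used. This shell sketch checks a given apxs path and the compiler it reports through `apxs -q CC` before a build is attempted; the function name `check_apxs_build` and its return codes are assumptions made for the example.

```shell
#!/bin/sh
# Pre-flight check to run before "apxs -cia mod_security.c".
# Return codes (chosen for this example):
#   0 = apxs and its compiler are both usable
#   2 = apxs is missing or not executable
#   3 = the compiler apxs would call is not on PATH
check_apxs_build() {
    apxs_path=$1

    if [ ! -x "$apxs_path" ]; then
        echo "apxs not found or not executable: $apxs_path" >&2
        return 2
    fi

    # "apxs -q CC" prints the compiler command apxs was configured with.
    cc_name=$("$apxs_path" -q CC 2>/dev/null)

    # Fall back to plain "cc", the command seen in the failed build,
    # if the query prints nothing.
    [ -n "$cc_name" ] || cc_name=cc

    # Keep only the program name in case flags are attached to it.
    cc_name=${cc_name%% *}

    if ! command -v "$cc_name" >/dev/null 2>&1; then
        # The shell reports exit status 127 for a command it cannot find,
        # which apxs then surfaces as "Command failed with rc=127".
        echo "compiler '$cc_name' is not on PATH; build would fail with rc=127" >&2
        return 3
    fi

    echo "ok: $apxs_path will compile with $(command -v "$cc_name")"
    return 0
}

# Usage: sh check_apxs.sh /path/to/apxs
if [ "$#" -gt 0 ]; then
    check_apxs_build "$1"
fi
```

A return code of 3 points at a missing compiler package rather than at apxs itself; a return code of 2 points at the apxs path.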

  13. #13
    anyone have any ideas for me to try tonight?
    Webmaster - http://www.racerplanet.com

  14. #14
    no luck with mod_security, but I think I might have found the problem script with the security hole in it. So we'll see if problems happen in a few days again.
    Webmaster - http://www.racerplanet.com

  15. #15
    Join Date
    May 2003
    Location
    Florida
    Posts
    877
    Quote Originally Posted by jtace
    no luck with mod_security, but I think I might have found the problem script with the security hole in it. So we'll see if problems happen in a few days again.
    A good guide for installing Mod_security is at:
    http://www.eth0.us/mod_security

    I also find that http://www.gotroot.com/mod_security+rules has good instructions and a lot of rules to protect your server.
