
Thread: Insecure =/

  1. #26
    Join Date
    Jan 2002
    Posts
    574

    And...

    If you don't think your customers are a threat, think again.


    Anyone want to set me up with a server in their data center and show you what can be done?

    Don't think it doesn't happen either.

  2. #27
    Join Date
    May 2001
    Posts
    1,349
    Yeeehaaa... I don't know how to insall windoz yet but I host websites! I know lots about security. I lock my servers up in my closet real good.

    Hehe good luck breaking into my SSH-1.99-OpenSSH_2.9p2. I run only telnet. And it's the 1993 version so there are no new hacks against it since nobody has it any mo'.

  3. #28
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977

    Re: And...

    Originally posted by clockwork
    It's not an excuse, it's real life. (Welcome to it!)

    Customers hate restrictions.
    How many of you here don't offer normal FTP access, raise your hand. (As opposed to scp/sftp)

    Ok, I was with you until your last comment about most attacks coming from apache... uhhh?

    Elaborate on that for me..

    Hate to tell you, I do live in real life...

    Customers really don't mind restrictions, as long as you explain it to them. 98% are more than understanding; the other two usually just need a little bit of guidance...

    On my Apache comment, most people will upload a script and call it from the web, so it runs as nobody... Most attacks are major system compromises, they are deleting another user's files because they have the files chmod'd 777, or something along those lines...

    Running the attacking script via Apache would make it a little harder to track the person down, if they did it via shell it would be simple....




    Originally posted by clockwork
    If you don't think your customers are a threat, think again.


    Anyone want to set me up with a server in their data center and show you what can be done?

    Don't think it doesn't happen either.

    Of course they are threats, I never said they weren't....

    I think you seriously need to check your attitude...

  4. #29
    Join Date
    Dec 2001
    Posts
    1,029
    Many "hosting companies" here barely know how to use the control panel and don't really know how things work, and then they sell reseller accounts and even more "hosting companies" form that know even less about how things work. Some hosting companies have their own Linux servers and don't even know how to copy a file in Linux, much less upgrade software.

    As for SSH-1.99-OpenSSH_3.1p1, it's possible they've turned off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt like I have or have it patched, but then again...who knows.

  5. #30
    Join Date
    Nov 2001
    Location
    Canada
    Posts
    1,963
    Originally posted by ToastyX
    Many "hosting companies" here barely know how to use the control panel and don't really know how things work, and then they sell reseller accounts and even more "hosting companies" form that know even less about how things work. Some hosting companies have their own Linux servers and don't even know how to copy a file in Linux, much less upgrade software.

    As for SSH-1.99-OpenSSH_3.1p1, it's possible they've turned off ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt like I have or have it patched, but then again...who knows.
    It's the sad truth.

  6. #31
    Join Date
    Dec 2001
    Location
    Detroit, MI
    Posts
    1,067
    I think you guys may read too deeply into what you see. Just because someone is running versions of software that have vulnerabilities, it does not mean they are vulnerable. Not in the least.
    SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
    That's me, I'm secure.

    I find it ironic that you are attacking hosts for being potentially insecure, when you really don't even understand the vulnerability points. That's scary.

    Sorry to be so blunt.
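The point made in the last few posts (a banner such as SSH-1.99-OpenSSH_3.1p1 says what version the daemon advertises, not whether the box is actually exploitable, because vendor patches and sshd_config settings like ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt are invisible from outside) can be turned into an inventory-triage routine. This is an added example, not code from the thread or from OpenSSH; the "advisory covers releases below 3.4" threshold and the sample banners other than those quoted in the thread are constructed placeholders.

```python
"""Parse SSH identification strings and triage them without treating the
banner as proof of vulnerability. Added illustration; not from the thread."""
import re
from typing import Dict, Optional, Tuple

# RFC 4253 identification string: SSH-<proto>-<software>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# OpenSSH software field, e.g. OpenSSH_3.1p1 (the "pN" is the portable release)
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p\d+)?$")

# Config keys a remote observer cannot see; the poster's stated mitigation.
MITIGATING_KEYS = ("ChallengeResponseAuthentication", "PAMAuthenticationViaKbdInt")


def parse_banner(line: str) -> Dict[str, Optional[str]]:
    """Split an identification string into proto, software and comment."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def openssh_version(software: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an OpenSSH software field, else None."""
    m = OPENSSH_RE.match(software)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch or 0))


def triage(line: str, advisory_below: Tuple[int, int, int],
           sshd_config: Optional[Dict[str, str]] = None) -> str:
    """Classify a banner against a version threshold (constructed, from an
    admin's own advisory list) plus whatever local config is known."""
    banner = parse_banner(line)
    version = openssh_version(banner["software"] or "")
    if version is None:
        return "unknown-software"          # not OpenSSH; version logic does not apply
    if version >= advisory_below:
        return "not-in-range"              # advertised version is past the threshold
    # From here on the version string is in range, but that is all we know.
    if sshd_config and all(
            sshd_config.get(k, "").strip().lower() == "no" for k in MITIGATING_KEYS):
        return "mitigated-by-config"       # the feature in question is switched off
    if banner["comment"]:
        # Vendor builds (e.g. "FreeBSD localisations 20011202") often carry
        # backported fixes under an old version number; only a local check settles it.
        return "vendor-build-needs-local-check"
    return "needs-local-check"             # stale banner, source patch, etc. are all possible
```

A banner can also lag a real upgrade when the old daemon was never restarted or a second sshd binary is the one actually listening, which is why "still shows 3.1p1" after installing 3.4p1 is worth checking locally with the process list rather than arguing from the banner.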

  7. #32
    Join Date
    Aug 2000
    Posts
    1,167
    Originally posted by DizixCom
    I find it ironic that you are attacking hosts for being potentially insecure, when you really don't even understand the vulnerability points. That's scary.

    Sorry to be so blunt.
    Amen.

    Don't apologize.

  8. #33
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    I don't know if you really care about it, but just to let you know, I upgraded SSH on that box a long time ago; for some reason it still shows the old version, and to be honest, I don't know why.
    Indeed, just to be sure, I did it again to 3.4p1, but it still shows 3.1p1.

    And I would really appreciate it if you removed downtownhost.com from your first post; it makes us look bad, when you don't really know about it.
    Last edited by Jedito; 07-12-2002 at 03:35 AM.

  9. #34
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Originally posted by clocker1996


    And the list goes on and on, I won't try to embarrass too many companies

    Yes, you tried. If you wanted to be helpful you could contact any of the hosts listed to let them know about "what you think is a problem".

  10. #35
    Join Date
    Apr 2002
    Posts
    89
    This thread title reminds me of Linkin Park,

  11. #36
    Join Date
    Jan 2002
    Posts
    574
    I don't think there's anything wrong with my attitude.

    I've been working in web hosting for almost 4 years now (system administration).

    I've tried to implement security policies, but it seems no one cares.

    I have gotten people to use SUExec to get around the Apache security issues. Oh, it wasn't easy either.

    You tell people it's good for security, but the bottom line is they need to make changes and they will encounter problems migrating from the "normal" way. They don't like that.

    As for most attacks, as far as I have seen... typical servers that get "owned" don't suffer data loss, they are simply used for tools such as cracking other servers or tying them into a ring of DDoS boxes.

    If you see a box get data wiped from it, you might want to start looking into who has a grudge with you or your users. Sure, there could be some random, malicious person who rm -rf /* a box, but I have come to know that is few and far between... usually some script kiddie who thinks someone is on to him and has no idea how to clean log files.

    I've been following security for over 6 years.
    I remember when bugtraq used to be good.

    My attitude isn't meant to insult you, it's just one of little hope when looking at the security of 95% (random figure) of hosting companies.

  12. #37
    Join Date
    Jan 2002
    Posts
    574
    Also... I see no one replaced FTP with scp/sftp (obviously not everyone here read the thread, but no one so far).

    Think of who your clients are/will be - Windows users who have CuteFTP, Frontpage (maybe DreamWeaver if you are lucky), etc.

    Unless you plan to blow them all off, good luck!

  13. #38
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Oh really? You don't see anything wrong with your attitude?
    You exposed a possible security hole at more than 5 hosts in a public forum with more than 15,000 members, because you wanted to play "hey, I read securityfocus.com, I'm really smart, and those hosts do not upgrade their daemons, they are insecure, hehehe".
    Again, I'd appreciate it if you removed downtownhost.com from your misinforming message, and I suggest you read more before posting a message like this; it really makes you look like a fool.

  14. #39
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    BTW, what part of
    "I don't know if you really care about it, but just to let you know, I upgraded SSH on that box a long time ago; for some reason it still shows the old version, and to be honest, I don't know why.
    Indeed, just to be sure, I did it again to 3.4p1, but it still shows 3.1p1."

    did you not understand?

  15. #40
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by clockwork
    I don't think there's anything wrong with my attitude.

    I've been working in web hosting for almost 4 years now (system administration).
    Keeping programs up-to-date does not make one a system administration expert.

    I've tried to implement security policies, but it seems no one cares.
    What policies, to whom, and what do you mean?

    I have gotten people to use SUExec to get around the Apache security issues. Oh, it wasn't easy either.
    What Apache security issue and SuEXEC and what wasn't easy?

    You tell people it's good for security, but the bottom line is they need to make changes and they will encounter problems migrating from the "normal" way. They don't like that.
    What's good for security and what changes and what problems are you talking about?

    As for most attacks, as far as I have seen... typical servers that get "owned" don't suffer data loss, they are simply used for tools such as cracking other servers or tying them into a ring of DDoS boxes.
    Usually, yes. It's true that most servers are compromised due to not being up to date with all the things that commonly need to be up to date, but that's not all there is to it. Still, if it is true that someone was running vulnerable versions, that's not a good sign. Just be sure that you know they are truly vulnerable, and don't post that to a public board, perhaps.

    If you see a box get data wiped from it, you might want to start looking into who has a grudge with you or your users. Sure, there could be some random, malicious person who rm -rf /* a box, but I have come to know that is few and far between... usually some script kiddie who thinks someone is on to him and has no idea how to clean log files.
    Perhaps.

    I've been following security for over 6 years.
    I remember when bugtraq used to be good.
    Keeping programs up-to-date does not make one a system administration (or security) expert.

    My attitude isn't meant to insult you, it's just one of little hope when looking at the security of 95% (random figure) of hosting companies.
    I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.

  16. #41
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    12,052
    Originally posted by Tim_Greer

    I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
    I'm not limiting my criticism to that.
    He didn't see how I have configured sshd_config, or whether I have it patched; he doesn't have a clue how that box has been configured.
    He was just misinforming with inaccurate information about a box that he never used, and even if it were true that the box is vulnerable, he shows a lack of common sense in posting a message like that in a public forum with 15,000+ members.
    I expect an apology from clocker, and downtownhost.com removed from this thread.

  17. #42
    Join Date
    Jan 2002
    Posts
    574
    Originally posted by Jedito
    Oh really? You don't see anything wrong with your attitude?
    You exposed a possible security hole at more than 5 hosts in a public forum with more than 15,000 members, because you wanted to play "hey, I read securityfocus.com, I'm really smart, and those hosts do not upgrade their daemons, they are insecure, hehehe".
    Again, I'd appreciate it if you removed downtownhost.com from your misinforming message, and I suggest you read more before posting a message like this; it really makes you look like a fool.
    When did I say any of that?

    When did I post about any company being insecure?

    That is, if you are referring to me, which it seems you are due to the "attitude" portion of your message.

  18. #43
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Last edited by Tim Greer; 07-13-2002 at 12:29 AM.

  19. #44
    Join Date
    Jul 2002
    Posts
    3,734
    I think everyone's getting confused over usernames here.

    clocker1996 was the one who started the thread, not Clockwork.


  20. #45
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by lightnin
    I think everyone's getting confused over usernames here.

    clocker1996 was the one who started the thread, not Clockwork.

    :)
    That explains some, thanks.

  21. #46
    Join Date
    Jan 2002
    Posts
    574
    Originally posted by Tim_Greer


    Keeping programs up-to-date does not make one a system administration expert.
    I agree, but I have a feeling you are saying I consider myself an expert, which I do not consider myself. I am wary of anyone who refers to themselves as an expert in fact.
    Keeping programs up to date is just common sense, even on your home computers.



    What policies, to whom, and what do you mean?
    I won't say with whom, but I've tried getting packet filtering (not ipfw/iptables, an external box such as Checkpoint FW-1), network intrusion detection (tied into firewalling), host-based IDS, and getting rid of services that have security issues more often than I'd like (replacing them with alternatives).
    And setting up rules for giving out information.
    Have people follow a set number of rules when changing software (make sure it doesn't have holes).
    And so on.


    What Apache security issue and SuEXEC and what wasn't easy?
    The upgrade itself was fine, it was the backlash from clients I witnessed. Even though most of the files with world write/execute perms were changed shortly after the "upgrade" people just kept doing things the same old way and complaining it did not work (The README told me to chmod 777!, etc).



    What's good for security and what changes and what problems are you talking about?
    Making changes for the better of security.
    Changes would be moving away from how the other hosting companies do things, the vast majority.
    I was with company A, and this is how they had things set up.. and company B I was with did the same thing, but you, company C, want me to do it this way? It just doesn't make sense to them since they can't (most of them) comprehend that the changes are of benefit.
    Do you follow at all?

    Just take replacing FTP with scp. I'm sure a company only offering scp as a way to upload data isn't going to get many customers.


    Keeping programs up-to-date does not make one a system administration (or security) expert.
    I agree too, but again, I have this feeling you think I'm claiming I'm a security expert. I am not. It's just common sense as I said above.


    I think he was talking about posting publicly saying he was incompetent basically, and was vulnerable. Wrong and he looks incompetent. Right and you just told 15,000 members and a few thousand random non-members viewing the forum that he's an open target.
    Please elaborate on that, I have no idea what this means.

    Thanks Tim.

  22. #47
    Join Date
    Jan 2002
    Posts
    574
    Why do I have a feeling you guys are confusing me with clocker1996 ?

  23. #48
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Originally posted by clockwork
    Why do I have a feeling you guys are confusing me with clocker1996 ?
    I did, sorry. I was wondering how he suddenly was doing system administration for 4 years and watching security lists for 6. My mistake.

  24. #49
    Join Date
    Mar 2001
    Location
    Downunder..
    Posts
    2,612
    lol Tim

  25. #50
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,977
    Originally posted by Tim_Greer


    I did, sorry. I was wondering how he suddenly was doing system administration for 4 years and watching security lists for 6. My mistake.

    *bookmarks post*

    This is possibly one of Tim's shortest posts
