LinuxQuestions.org - Blogs - unSpawn

Logwatch, webserver logs, PHP malarky

unSpawn — Sat, 03 Oct 2009 09:52:02 GMT

As I'm seeing more questions about (badly coded) web applications spawning rogue processes I wonder why people don't read their logs. Attacks require reconnaissance so keeping an eye on anything that looks like a prelude enables you to take measures. And please spend time updating when updates are released, installing apps properly (like not leaving the installation files around when docs remind you not to), hardening (any IDS, mod_security, Gotroot rulesets, mod_evasive or equivalent, PHPIDS, Suhosin, GreenSQL).
If you have any questions regarding this please ask them in the LQ Linux Security forum. We'd be happy to help you along.

Finding preludes to attacks by visual inspection of logfiles is cumbersome and tedious and that's why there is Logwatch to help you as it creates reports you can actually read. Logwatch unfortunately doesn't by default include rules to filter common crack signs like gotroot's mod_security/rootkits.conf but that's easily alleviated.

Locate your scripts/services/http file (might be "/usr/share/logwatch/scripts/services/http" if it's a default installation) and patch it with this:

Code:

--- http     2008-06-30 22:47:20.000000000
+++ http     2009-10-02 00:00:00.000000000
@@ -334,6 +334,45 @@
    'shtml\.exe',
    'win\.ini',
    'xxxxxxxxxxxxxxxxxxxxxx',
+   'wget%20',
+   'perl%20',
+   'nc%20',
+   'cd%20',
+   'python%20',
+   'rpm%20',
+   'yum%20',
+   'apt-get%20',
+   'emerge%20',
+   'lynx%20',
+   'links%20',
+   'mkdir%20',
+   'elinks%20',
+   'cmd%20',
+   'wget%20',
+   'lwp-download%20',
+   'lwp-request%20',
+   'lwp-mirror%20',
+   'lwp-rget%20',   
+   'uname',
+   'cvs%20',
+   'svn%20',
+   'sh%20',
+   'netstat',
+   'netcat%20',
+   'rexec%20',
+   'smbclient%20',
+   'tftp%20',   
+   'ftp%20',
+   'ncftp%20',
+   'curl%20',
+   'telnet%20',
+   'gcc%20',
+   'cc%20',
+   'whoami',
+   'killall',
+   'kill%20',
+   'rm%20',
+   'tar%20',
 );
 
 #

If there's lines in your webservers logs your Logwatch report will show:

Code:

 Attempts to use known hacks by 5 hosts were logged 35 time(s) from:
    000.0.0.0: 16 Time(s)
       uname 7 Time(s) 
       tar%20 1 Time(s) 
       cd%20 2 Time(s) 
       perl%20 1 Time(s) 
       wget%20 4 Time(s) 
       rm%20 1 Time(s) 
    000.0.0.0: 10 Time(s)
       cd%20 2 Time(s) 
       perl%20 2 Time(s) 
       wget%20 4 Time(s) 
       rm%20 2 Time(s)

which should be your cue to investigate things immediately.

Note this is a patch against a checkout of the Logwatch CVS. If patching fails (always try testing with --dry-run and the appropriate amount of --fuzz) then check the code at around line 300 between the line starting with "my @exploits = (" and "# Define some useful RE paterns".

Also note that Logwatch takes the --service arg so you could run Logwatch as a daily cronjob on all logs (which will be slow if you've got lots of logs) and something like 'logwatch --detail High --service http --range Today' as a hourly cronjob.

Rootkit Hunter 1.3.5-dev progress

unSpawn — Wed, 05 Aug 2009 14:47:13 GMT

Take a peak at RKH's SF CVS stats and you will see that activity picked up again. Currently the RKH 1.3.5(-dev) Changelog (rev1.119) lists 16 bugfixes, 13 new items, 14 changes and counting.

It was a bit sad to notice some of the existing signatures were incomplete though. And while everyone knows breaches of security "the old school rootkit way" have dropped to nil, RKH aims to be complete. So I'll be replaying rootkit installs again and working on improving rootkit checks until it's release time (RSN).

You are invited to test the CVS tarball. Just get it with 'wget http://rkhunter.sourceforge.net/rkhunter-CVS.tar.gz' (if you already installed RKH please install in a different location) and please post problems/questions in the rkhunter-users mailing list.

If you choose to tangibly support RKH development: my gratitude!

Eiciel .spec

unSpawn — Thu, 09 Jul 2009 11:46:38 GMT

Eiciel allows you to visually edit file ACL entries. You can add and remove users and groups who will be granted permissions through the graphical interface. Eiciel can be used as stand-alone application and as Nautilus extension.

ACL: http://bestbits.at
Eiciel: http://rofi.roger-ferrer.org/eiciel/
Also-see: http://www.cs.bham.ac.uk/~nrs/jfacl/ (Java-based UI)

I didn't see no package but I know it is in Fedora-extras, I just didn't want to rebuild it.

Code:

# No debuginfo:
%define debug_packages	%{nil}
%define debug_package %{nil}
#
%define name eiciel
# Version
%define ver 0.9.6.1
# Release
%define rel 1

Name: %{name}
Summary: %{name} allows you to visually edit file ACL entries.
Version: %{ver}
Release: %{rel}
License: GPL
Group: Utilities/System
Source: %{name}-%{ver}.tar.bz2
Provides: %{name}
Vendor: rofi.roger-ferrer.org
URL: http://rofi.roger-ferrer.org/eiciel/
BuildRoot: %{_tmppath}/%{name}-%{version}
Prefix: /usr

%description 
Eiciel allows you to visually edit file ACL entries. You can add and remove users and groups 
who will be granted permissions through the graphical interface. Eiciel can be used as 
stand-alone application and as Nautilus extension.

%prep
%setup -n %{name}-%{version}

%build

%configure

make

%install
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{version}" ]; then
	rm -rf $RPM_BUILD_ROOT

	make DESTDIR=$RPM_BUILD_ROOT install
else
	echo "Invalid Build root "${RPM_BUILD_ROOT}"."
	exit 1
fi

find $RPM_BUILD_ROOT -not -type d | sed -e "s|$RPM_BUILD_ROOT||g" -e "s|man[A-Z0-9]/.*$|\0.gz|g" > autofillfiles


%clean
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{version}" ]; then
	rm -rf $RPM_BUILD_ROOT
else
	echo "Invalid Build root "${RPM_BUILD_ROOT}"."
	exit 1
fi

# Auto-fill files
%files -f autofillfiles


%changelog
* Thu Jul 09 2009 unSpawn -
- Init .spec file.

* Note: as this is GNOME territory the buildreqs (+deps) include: "alsa-lib-devel atk-devel audiofile-devel cairo-devel cairomm-devel dbus-devel dbus-glib-devel esound-devel fontconfig-devel freetype-devel GConf2-devel glibmm24-devel gnome-keyring-devel gnome-vfs2-devel gtk2-devel gtkmm24-devel hal-devel libart_lgpl-devel libbonobo-devel libbonoboui-devel libgcrypt-devel libglade2-devel libgnomecanvas-devel libgnome-devel libgnomeui-devel libgpg-error-devel libICE-devel libIDL-devel libpng-devel libsigc++20-devel libSM-devel libX11-devel libXau-devel libXcursor-devel libXdmcp-devel libXext-devel libXfixes-devel libXft-devel libXi-devel libXinerama-devel libxml2-devel libXrandr-devel libXrender-devel libxslt-devel mesa-libGL-devel nautilus-devel ORBit2-devel pango-devel xorg-x11-proto-devel" on Centos 5.3 that is. Having a list makes it less bothersome to add/remove I hope. Also note that if you find a bug in or need help with eiciel you should contact the developer, not me.

Torsocks .spec

unSpawn — Fri, 03 Jul 2009 10:07:46 GMT

Torsocks: http://code.google.com/p/torsocks/

Code:

# No debuginfo:
%define debug_packages	%{nil}
%define debug_package %{nil}
#
%define name torsocks
%define ver 1.0
%define rel 1
%define buildver %{ver}-gamma
#
# Configuration switches for rebuilding (1=yes 0=no).
# Force dns lookups to use tcp? (config switch --enable-socksdns)
%define enablesocksdns 0
%{?build_enablesocksdns:%define enablesocksdns 1}
# Don't override name lookup calls to use SOCKS? (config switch --disable-tordns)
%define disabletordns 0
%{?build_disabletordns:%define disabletordns 1}
# Use the old method to override connect? (config switch --enable-oldmethod)
%define enableoldmethod 0
%{?build_enableoldmethod:%define enableoldmethod 1}
# Enable hostname lookups for socks servers? (config switch --enable-hostnames)
%define enablehostnames 0
%{?build_enablehostnames:%define build_enablehostnames 1}
# Do not allow TSOCKS_CONF_FILE to specify configuration file? (config switch --disable-envconf)
%define disableenvconf 0
%{?build_disableenvconf:%define 1}
#
# Be standards compliant, don't break relocation and avoid necessity for configure switches.
%define _prefix /usr/local
%define _sysconfdir /usr/local/etc
%define _libdir /usr/local/lib
%define _docdir /usr/local/share/doc
%define _mandir /usr/local/share/man
%define _bindir /usr/local/bin
%define _sbindir /usr/local/sbin
#
Name: %{name}
Summary: %{name}, use applications with Tor.
Version: %{ver}
Release: %{rel}
License: GPL
Group: Utilities/System
Source: %{name}-%{buildver}.tar.gz
Prereq: tor
Provides: %{name}
Buildarch: noarch
Vendor: Robert Hogan and Ruben Garcia
URL: http://code.google.com/p/torsocks
BuildRoot: %{_tmppath}/%{name}-%{version}
Prefix: /usr/local

%description
%{name} allows you to use most socks-friendly applications in a safe way with Tor.

This is a fork of the tsocks project (http://sourceforge.net/project/
showfiles.php?group_id=17338). The purpose of this fork is to maintain a
working implementation of tsocks that is primarily useful for Tor.

%prep
%setup -n %{name}-%{buildver}

%build
%configure \
%if %{enablesocksdns}
 --enable-socksdns \
%endif
%if %{disabletordns}
 --disable-tordns \
%endif
%if %{enableoldmethod}
 --enable-oldmethod \
%endif
%if %{enablehostnames}
 --enable-hostnames \
%endif
%if %{disableenvconf}
 --disable-envconf \
%endif
make

%install
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{ver}" ]; then
	rm -rf $RPM_BUILD_ROOT
	make DESTDIR=$RPM_BUILD_ROOT install
else
	echo "Invalid Build root "${RPM_BUILD_ROOT}"."
	exit 1
fi
find $RPM_BUILD_ROOT -not -type d | sed -e "s|$RPM_BUILD_ROOT||g" > autofillfiles
						
%clean
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{ver}" ]; then
	rm -rf $RPM_BUILD_ROOT
else
	echo "Invalid Build root "${RPM_BUILD_ROOT}"."
	exit 1
fi

%files -f autofillfiles

%changelog
* Thu Jul 03 2009 unSpawn -
- Init .spec file.
- Build version with "--define='build_enablesocksdns=1'".

* To work the compile-time switches just use --define like: 'rpmbuild -bb --define='build_enablesocksdns=1' --define='build_enablehostnames=0' torsocks.spec'.

Non-authoritative scan results of BitDefender, ClamAV and F-prot

unSpawn — Thu, 02 Jul 2009 00:35:54 GMT

Like before here's some results of running BitDefender, ClamAV and F-prot on over 11K of files containing Rootkits, LKM's and other goodies. Because of what I do most of the files are GNU/Linux related. (I run AV like a pentester would run metasploit against a networked entity.) I'm well aware of the AV-on-GNU/Linux-yes-or-no debate and this is not the place to go into that: search LQ or open up a thread if you need to discuss validity.

The commercial AV market is kind of an odd place (to put it politely), and products that don't (have the inclination, licensing or resources to) play along, well, show it. That doesn't mean I don't respect ClamAV developers for what they've brought us in terms of OSS. The only thing I hope these results emphasise is that you should make your own informed decision. This goes especially for those that choose to promote just one product without realising the effects of doing so.

Files scanned:
BDC: 65525
F-prot: 65253
ClamAV: 220

Infected found:
BDC: 1641 (0 suspects)
F-prot: 1158 (19 files with errors)
ClamAV: 19

Old rootkit material:
sauber (T0rnkit), modhide.o (Knark), relink (Adore)
BDC: Y Y Y
F-prot: Y Y Y
ClamAV: N N N

2.6 LKMs: Override, Intoxonia-NG, EnyeLKM, Mood-NT:
BDC: N N N N
F-prot: N N N N
ClamAV: N N N N

Misc: boxer (obfuscated ELF), OSXrk (Mac), Fbrk (BSD), Vlogger (keylogger):
BDC: N Y Y Y
F-prot: N Y Y Y
ClamAV: N N N N

Malware: PHP mass mailer, r57shell, C99Shell, C99Shell other version, I-Frame Trojan:
BDC: Y Y Y Y Y Y
F-prot: Y Y Y Y Y Y
ClamAV: N N N N N Y

App/engine version info:
BDC: v7.90123 Linux-i586
F-prot: version 6.2.1.4252, engine version: 4.4.4.56
ClamAV: 0.95.2/9532

Commandline:
BDC: --action=ignore --recursive-level=100 --archive-level=100 --no-list
F-prot: --boot --follow --mount --maxdepth=60 --heurlevel=3 --archive=10 --adware --applications --verbose=2
ClamAV: --verbose --remove=no --tempdir=/dev/shm --detect-pua=yes --detect-structured=yes --scan-mail=yes --phishing-scan-urls=yes --heuristic-scan-precedence=yes --algorithmic-detection=yes --scan-pe=yes --scan-elf=yes --scan-ole2=yes --scan-pdf=yes --scan-html=yes --scan-archive=yes --detect-broken=yes --block-encrypted=no --mail-follow-urls=no

Scan time (MM:SS):
BDC: 05:56
F-prot: 01:52
ClamAV: 40.85

Rootkit Hunter announces release 1.3.4

unSpawn — Tue, 30 Dec 2008 23:23:52 GMT

Finally Rootkit Hunter release 1.3.4 is here listing 4 additions, 8 changes and 9 bugfixes. Thanks to all contributors who made this release possible by providing code, submitting ideas, bugs, fixes, documentation, testing from CVS, helping out on the rkhunter-users mailing list and promoting Rootkit Hunter.
Even though it's a given by now, the project wouldn't be going anywhere without John Horne...

Sjeng xboard / eboard compatible chess engine .spec

unSpawn — Wed, 26 Mar 2008 02:27:13 GMT

Sjeng: http://www.sjeng.org/
Xboard: http://www.tim-mann.org/xboard.html
Eboard: http://eboard.sourceforge.net/

Code:

%define origname Sjeng-Free-11.2
%define name sjeng
%define ver 11.2
%define rel 1
%define debug_packages	%{nil}
%define debug_package %{nil}

Name: %{name}
Summary: %{name}, a xboard compatible chess engine
Version: %{ver}
Release: %{rel}
License: GPL
Group: Amusements/Games
Source0: %{origname}.tar.gz
Prereq: xboard
Provides: %{name}
Buildarch: noarch
Vendor: Gian-Carlo Pascutto
URL: http://www.sjeng.org/
BuildRoot: %{_tmppath}/%{name}-%{version}

%description
Sjeng is a xboard compatible chess engine. Sjeng currently plays
standard chess, crazyhouse, bughouse, suicide (aka giveaway or 
anti-chess) and losers. It can also play variants which have the 
same rules as normal chess, but a different starting position. 

Technically, Sjeng is a highly advanced alpha-beta searcher, 
using modern techniques like history and killer moves, 
transposition tables, SEE move ordering and pruning, and 
search enhancements like selective extensions, Aspiration 
Principal Variation Search, Adaptive nullmove pruning, 
Extended Futility Pruning and Limited Razoring. Sjeng can 
use an opening book and learns from the games it plays. 

On 14th of October 2000, Sjeng won it's first title
by becoming the World Computer Crazyhouse Chess Champion.

On December 31th 2000, Sjeng became the first computer
program to reach the #1 spot on the crazyhouse rating list
on the Free Internet Chess Server. It had been #1 on the
Internet Chess Club before.

Early 2001 Sjeng became the #1 losers/giveaway player
on the Internet Chess Club.

%prep
%setup -n %{origname}

%build
./configure --prefix=$RPM_BUILD_ROOT/usr/local
make

%install
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{version}" ]; then
	rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/usr/local/bin
make install
install %{name} -m 0755 $RPM_BUILD_ROOT/usr/local/bin/%{name}
# Yes, I should make a .desktop file...
cat << EOC > $RPM_BUILD_ROOT/usr/local/bin/%{name}.sh
#!/bin/sh
exec xboard -fcp /usr/local/bin/%{name}
exit 0
EOC
else
	echo "Invalid Build root \'"$RPM_BUILD_ROOT"\'"
	exit 1
fi
						
%clean
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{version}" ]; then
	rm -rf $RPM_BUILD_ROOT
else
	echo "Invalid Build root \'"$RPM_BUILD_ROOT"\'"
	exit 1
fi

%define _docdir /usr/local/share/doc

%files
%defattr(-,root,root)
%doc AUTHORS BUGS ChangeLog COPYING INSTALL NEWS README THANKS TODO 
%attr(755,root,root) /usr/local/bin/%{name}
%attr(755,root,root) /usr/local/bin/%{name}.sh

%changelog
* Wed Mar 26 2008 unSpawn -
- initial .spec.
- patch Makefile.

FUSE CopyFS .spec

unSpawn — Sun, 23 Mar 2008 23:32:44 GMT

FUSE: http://fuse.sourceforge.net
CopyFS: http://n0x.org/copyfs/

Code:

%define origname copyfs
%define name fuse-copyfs
%define ver 1.0.1
%define rel 1
%define debug_packages	%{nil}
%define debug_package %{nil}

Name: %{name}
Summary: %{name}, a copy-on-write, versioned filesystem using FUSE 
Version: %{ver}
Release: %{rel}
License: GPL
Group: Utilities/System
Source0: %{origname}-%{ver}.tar.bz2
# "copyfs.html" is a copy of the sites HTML.
Source1: %{origname}.html
Prereq: kernel >= 2.6.14, fuse >= 2.7.3, libattr >= 2.4.32
Provides: %{name}
Buildarch: noarch
Vendor: Nicolas Vigier / Thomas Joubert
URL: http://n0x.org/copyfs/
BuildRoot: %{_tmppath}/%{name}-%{version}
BuildRequires: fuse-devel >= 2.7.3, libattr-devel >= 2.4.32

%description
CopyFS aims to solve a common problem : given a directory, especially
one full of configuration files, or other files that one can modify,
and which can affect the functionning of a system, or of programs, 
that may be important to other users (or to the user himself), how
to be sure that a person modifying the files will do a backup of the
working version first? Based on FUSE, the userspace filesystem frame-
work for Linux, see http://fuse.sourceforge.net.

%prep
%setup -n %{origname}-%{ver}
cp $RPM_SOURCE_DIR/%{origname}.html .

%build
%configure --prefix=/usr/local
make

%install
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{version}" ]; then
	rm -rf $RPM_BUILD_ROOT
	#make install
	install -d $RPM_BUILD_ROOT/usr/local/bin
	install -d $RPM_BUILD_ROOT/usr/local/share/man/man1
	install -m 755 copyfs-daemon $RPM_BUILD_ROOT/usr/local/bin
	install -m 755 copyfs-mount copyfs-fversion $RPM_BUILD_ROOT/usr/local/bin
	install -m 644 copyfs.1 copyfs-daemon.1 copyfs-mount.1 copyfs-fversion.1 $RPM_BUILD_ROOT/usr/local/share/man/man1
else
	echo "Invalid Build root \'"$RPM_BUILD_ROOT"\'"
	exit 1
fi
						
%clean
if [ "$RPM_BUILD_ROOT" = "%{_tmppath}/%{name}-%{version}" ]; then
	rm -rf $RPM_BUILD_ROOT
else
	echo "Invalid Build root \'"$RPM_BUILD_ROOT"\'"
	exit 1
fi

%files
%defattr(-,root,root)
%doc README TODO COPYING %{origname}.html
%attr(755,root,root) /usr/local/bin/copyfs-daemon
%attr(755,root,root) /usr/local/bin/copyfs-mount
%attr(755,root,root) /usr/local/bin/copyfs-fversion
%attr(644,root,root) /usr/local/share/man/man1/copyfs.1
%attr(644,root,root) /usr/local/share/man/man1/copyfs-daemon.1
%attr(644,root,root) /usr/local/share/man/man1/copyfs-mount.1
%attr(644,root,root) /usr/local/share/man/man1/copyfs-fversion.1

%changelog
* Sun Mar 23 2008 unSpawn -
- Initial .spec file.

Rootkit Hunter 1.3.2 release imminent...

unSpawn — Tue, 26 Feb 2008 02:38:00 GMT

The team will be releasing RKH-1.3.2, which will fix aprox 10-ish bugs, RSN.

I thank all the contributors on our rkhunter-users mailing list and all who submitted bugs and patches to our bug tracker. I thank John again for his dedication and work on RKH and Aus9 for his work on the RKH Wiki page at LQ, documentation and persistence in general. I also like to thank the anonymous crowd that managed to D/L RKH from SF over the months. (I still find it weird that if you look below the varnish that is OSS' mantra's of "freedom" and "many eyeballs" you'll find only a few people ever manage to contribute. Oh well.)

Anyway.

Here's to those that did *make* a difference.

Ext3cow implements secure deletion, authenticated encryption, and incremental authentication.

unSpawn — Fri, 08 Feb 2008 13:06:26 GMT

"Ext3cow is an open-source, versioning file system based on ext3. It provides a time-shifting interface that allows a real-time and continuous view of the past. This allows users to access their file system as it appeared at any point in time. Ext3cow was designed as a platform for regulatory compliance, and has been used to implement secure deletion, authenticated encryption, and incremental authentication."

Some advantages of ext3cow:
- It does not pollute the name space with named versions
- It has low storage and performance overhead
- It is totally modular, requiring no changes to kernel or VFS interfaces

http://www.ext3cow.com/

The Problem With PHP Application Security

unSpawn — Tue, 23 Jan 2007 00:35:12 GMT

One of the topics sadly not exhausted. Please chip in if you want to discuss this in a meaningful way: http://www.linuxquestions.org/questions/showthread.php?p=2598001.

...in other security-related news today

unSpawn — Mon, 08 Jan 2007 20:38:23 GMT

1168038000, death of Momofuku Ando, famous for inventing Instant Ramen which lead to Ramen.

The Rootkit Hunter is looking for C/C++ developers

unSpawn — Wed, 22 Nov 2006 18:40:12 GMT

We're looking for developers who have C/C++, experience developing applications on POSIX-based systems and an understanding of shell scripts, work together as a team and who can dedicate time on a more or less regular basis.

If you want to help develop Rootkit Hunter or like more information please contact me.

YAWLINRFTWA

unSpawn — Sun, 05 Nov 2006 15:26:11 GMT

"yet another why Linux is not ready for the world article"

Ask not what GNU/Linux can do for you, but what you can do for GNU/Linux.
GNU/Linux users have an obligation because of using FOSS: active and constructive participation in the FOSS ecology. Not doing so means consumerism, which in essence is egotistical and a shallow and destructive movement. Anyone who says GNU/Linux should do "better" and does not put in any substantial and constructive effort to make it "better" does not understand FOSS.

Non-authoritative scan results of BitDefender, ClamAV, F-prot and NOD32

unSpawn — Sat, 14 Oct 2006 09:41:04 GMT

Here's some scan results of running BitDefender, ClamAV, F-prot and NOD32 on a stash of aproximately 10K files containing a mixed set of Root kits, LKM's, tools and w32 goodies:
Files scanned: BDC: 12113, NOD32: 11000, F-prot: 9375, ClamAV: 9280.
Threats / infected + suspected files found: BDC: 537, NOD32: 421, F-prot: 366, ClamAV: 150.

More details here: http://www.linuxquestions.org/questions/showthread.php?t=491870