WordPress Exploit Scanner
If you are like me, you want to make sure that the software you run is as secure as possible. My partners and I even subscribe to several third party services that actually scan our servers looking for exploits that could be taken advantage of by hackers or script kiddies. Since one of the most frequent CMS solutions we use is WordPress, this plugin caught my attention.
The WordPress Exploit Scanner is a plugin that searches the files and database of your website for signs of suspicious activity. While it won’t stop someone hacking into your site, it may help you find any uploaded or compromised files left by the hacker on previous attempts. It can also help you identify any weaknesses that you might have so you can harden your installation.
Here’s a little bit more on the Exploit Scanner plugin if you are interested:
When a website is compromised, hackers leave behind scripts and modified content that can be found by manually searching through all the files on a site. Some of the methods used to hide their code or spam links are obvious, like using CSS to hide text, and we can search for those strings.
The database can also be used to hide content or be used to run code. Spam links are sometimes added to blog posts and comments. They’re hidden by CSS so visitors don’t see them, but search engines do. Recently, hackers took advantage of the WP plugin system to run their own malicious code. They uploaded files with the extensions of image files and added them to the list of active plugins. So, despite the fact that the file didn’t have a .php file extension, the code in them was still able to run!
You can download this plugin here: http://ocaoimh.ie/exploit-scanner/
UNIX System Monitoring
Matt Critcher recently posted a review of Monit on his blog. We have been trying it out as a monitoring solution on our servers at Pleth. I get the impression from Matt’s post that he likes the software pretty well; I know he’s not a big fan of any kind of bloated software.
I checked Monit’s website this morning and was very impressed to see that they also have a free iPhone application that will allow you to track your systems from your phone. How cool is that? The software itself is also pretty cool. Monit can start a process, restart a process if it does not respond and stop a process if it uses too much resources.
Being a developer, one thing that I can see might be useful is that Monit also allows you to monitor files, directories and filesystems for changes, such as timestamp changes, checksum changes or size changes. There are several other solutions out there that will also allow you to track remote hosts, but I don’t think they have all of the functionality that Monit has. With Monit you can monitor remote hosts, ping a remote host, and check TCP/IP port connections and server protocols.
I can remember a few years back I installed a similar solution to this on one of our first servers for the purpose of tracking uptime and posting it on our website. It was a nice solution, but it had so many security revisions with it that we eventually decided the risk wasn’t worth it in the long run. I can’t remember the name of the software we were using, but I am sure it’s gone away by now… Here’s what Matt had to say about Monit on his blog:
When you maintain several servers each running several virtual machines and have anything else at all to do, it is impossible to keep your eyes on them 100% of the time. There are a handful of software packages out there that can do this for you, but most are either too bulky, too complicated, or lack the features that you want.
Scott Pinkston referred me to one the other day called Monit, which is the first one of these programs that I actually liked. Most of the others just have too much. This one is short, and to the point. Monit installs very quickly, and runs in the background as a daemon.
One very simple config file holds the configuration data for the services you want to monitor, and if you so choose, you can have a secure webpage display stats on your services. It can also be configured to email you (or call the beeper, etc…) if certain events occur, and best of all, it is super lightweight. It won’t tell you if your version of Apache needs updating and it won’t impress you with tons of buttons, whistles, and flash animations. But it will let you know if some process is running away, and it will kill it for you (and restart it if you have it configured).
So far, we have NO complaints. It’s licensed under the GPL, and they also sell a version (which we haven’t tried) that can monitor multiple servers from one central login for around $135.
Here’s a screenshot of Monit that I found on their website, looks pretty straightforward to me…
Ruby on Rails Vulnerability
So apparently there was an XSS vulnerability patched yesterday in Ruby on Rails that affected Twitter and Basecamp. The spin that a lot of people are trying to put on this story is that IE8 was immune to the cross-site scripting vulnerability, but I think that the focus should be put on the fact that Ruby, while powerful and extremely popular, is still somewhat new and things like this are just going to happen until it matures.
A cross-site scripting (XSS) vulnerability that was patched on Thursday in Ruby on Rails affected several widely-used Web services including the popular Twitter microblogging Web site and Basecamp, a project management tool created by 37Signals from which the Ruby on Rails framework originated.
Security researcher Brian Mastenbrook uncovered the bug when he was conducting a serendipitous test of Unicode handling in Twitter. He discovered that he could circumvent the site’s string sanitization mechanism and inject a JavaScript payload. It falls into the category of a non-persistent or "type 1" XSS vulnerability.
"After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: ‘I wonder if there are any web applications which have Unicode handling problems that might be security issues?’," Mastenbrook wrote in a blog entry. "My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of."
When he was able to reproduce the glitch at Basecamp, he began to suspect that the flaw was inherent to Ruby on Rails, the popular Web framework used by both Web sites. He attempted to contact Twitter and 37Signals to get further assistance in isolating the bug. After conclusively determining that Rails was the source, he provided the relevant information to the Rails team so that they could address the issue.
The vulnerability was disclosed to the public on Thursday when the Rails team published a patch. According to the relevant Rails security bulletin, the issue affects all versions of Rails 2.0. New 2.3.4 and 2.2.3 releases have been issued with the fix rolled in. Users of prior series are encouraged to apply the patch themselves.
In his blog entry, he describes the process that he used to responsibly disclose the vulnerability to the major affected Web site operators. His interaction with the Twitter and Rails developers went smoothly, but he complains that 37Signals was dismissive and unresponsive. He criticizes the company for touting its security while failing to provide an appropriate channel for researchers to report vulnerabilities.
Another issue that he discusses in his blog entry is how XSS vulnerabilities can be mitigated by various tools. He praises Microsoft’s Internet Explorer 8 Web browser which was immune to the vulnerability he discovered thanks to its built-in cross-site scripting filter. He strongly endorses the concept and says that other browser vendors should adopt it.
Ruby on Rails vulnerability affects Twitter; IE8 immune – Ars Technica
Thoughts on Hacked Facebook Accounts & Security
This morning I noticed that a few of my friends had their Facebook accounts compromised over the weekend. Granted, this is not uncommon, and for the most part your friends will understand, but it’s still a nuisance.
As a result of this weekend’s breakout, I had a couple of people ask me to do a blog post on Facebook security since social media consulting is one of my areas of expertise, so here goes. If you have any questions, please feel free to comment below or on my Facebook wall. I will be glad to help out however I can to ensure you have a safe and enjoyable Facebook experience.
If you have already been compromised:
If you have already been compromised, you need to reset your Facebook password immediately. You can do this by clicking on the “Forgot Your Password” link on the login page or by going to the Account Settings page once logged in. If you can’t reset the password on your account because the email address you use to log in has been changed, or if your account has been disabled, contact the Facebook Operations Team. Also, since a lot of the Facebook hacks are often accompanied by malware, you should run a virus scan on your computer. I am not a big fan of free virus scanners, but use whatever you would like to scan your machine.
If one of your friends has been compromised:
If you have a friend that has been compromised, you can direct them to this blog post, or you can point them to Facebook’s Security Page, click here. You might also be a good Samaritan and warn those who received the spam not to click on it, and to delete it from their Walls and Inboxes immediately. By warning others you slow down the potential risk of the attack spreading.
If you are suspicious that your account has been compromised:
If you are suspicious that your account has been compromised, or if you accidentally clicked on a link that was posted by an infected account and want to make sure that you weren’t compromised, you can go here to make sure you are okay.
Common Threats
There are a lot of common threats out there, and these threats will change over time as security is tightened up, that’s just the nature of the internet. Here are a few recognized threats posted by Facebook:
Fake Notification Emails
Look out for fake emails that look like they came from Facebook. These typically include links to phony pages that attempt to steal your login information or prompt you to download malware. Never click on links in suspicious emails.
Suspicious Posts and Messages
Be wary of strange Wall posts and messages, even if they’re from friends. These will usually ask you to click on a link, sometimes to check out a new photo or video that doesn’t actually exist. The link is typically for a phony login page or malware site.
419 Scams
Watch out for messages from friends or others claiming to be stranded and asking for money. These messages are typically from scammers. If you have received a message like this, or one has been sent from your account without your permission, please contact us so that we can make sure your and your friends’ accounts are secure.
The Koobface Worm
If your account has been used to send spam, and you think your computer is infected with the “Koobface” worm or another virus, please visit one of the online anti-virus scanners from the Helpful Links list, and reset your password.
False Chain Letters
Don’t believe messages claiming that Facebook is becoming overpopulated and suggesting that accounts will be deleted. These messages are false and did not come from Mark Zuckerberg or Facebook. They can be safely disregarded and deleted.
Be Proactive when it comes to Security:
By security, I am talking about scams, viruses, and hacks that could infect your computer or compromise your Facebook account and result in a lot of annoyance for you and your friends. Tricking you into handing over your login information on a fake page is what is known as phishing.
Security isn’t just an issue on Facebook, but all over the web, which is why it’s important to be aware online, and to learn how to protect your accounts and your computer. Here are some ways to be smart and aware that are recommended by Facebook:
- If a link or message seems weird, don’t click on it. This is true of all spam—whether a chain letter, an ad, or a phishing scam. If it seems weird for an old friend to write on your Wall and post a link, that friend may have gotten phished. Let the person know, and don’t click on links you don’t trust.
- Be aware of where you enter your password. Just because a page on the Internet looks like Facebook, it doesn’t mean it is. Learn to tell the difference between a good link and a bad one.
- Report any spam or abuse you see on discussion boards and Walls. Those report links are there for a reason. The sooner we find spam, the sooner we can remove it and eliminate spammers from the site.
- Don’t use the same password on Facebook that you use in other places on the web. If you do this, phishers or hackers who gain access to one of your accounts will easily be able to access your others as well. You might find yourself locked out of your email and even your bank account.
- Never share your password with anyone. Don’t do it. Facebook will never ask for your password through any form of communication. If someone pretending to be a Facebook employee asks you for it, don’t give it out, and report the person immediately.
- Don’t click on links or open attachments in suspicious emails. Fake emails can be very convincing, and hackers can spoof the “From:” address so the email looks like it’s from Facebook. If the email looks weird, don’t trust it, and delete it from your inbox.
- Add a security question. If your login information ever does get stolen, you might need this to prove your identity to Facebook. If you haven’t already done so, you can add a security question from the “Account Settings” page.
- Be wary of unusual stories. If a friend or someone else contacts you claiming to be stranded somewhere and in need of money, verify this through other means, such as by talking to the person over the phone.
- Stay in the Loop by adding Facebook Security as one of your Facebook Friends.
Closing Notes:
I hope that this information has been useful. Facebook can be an awesome tool for reconnecting with friends and loved ones as well as a tool for promoting your business brand, organization, group, or cause. A lot of people initially find fault with Facebook when events such as these take place but I don’t feel as if that should be the case. Facebook is doing their part to fight the ongoing battle of securing their social network, allocating millions of dollars to do so. Here are just a few examples of how they are fighting the good fight:
- http://blog.facebook.com/blog.php?post=107720572130
- http://blog.facebook.com/blog.php?post=81474932130
- http://blog.facebook.com/blog.php?post=68886667130
For more information, please visit: Facebook | Facebook Security
Locking Down Authentication Inside PHPRunner
One of the biggest challenges you face when building hosted applications is how to prevent brute-force or guessed-password authentications, especially given the number of warez-type applications out there that allow unsavory users to do just that. Well, I found a resource on Xlinesoft’s website that demonstrates how to block a user after three unsuccessful attempts to log in to your application.
This scheme uses the visitor’s IP address to store login attempts in the database and blocks access to the login feature for 30 minutes after the third unsuccessful attempt. It relies on the Events function, which is available in ASPRunnerPro 6.0/PHPRunner 5.0. I have reposted the process involved for PHPRunner below, but you can find the ASPRunner notes here…
Step One:
In MySQL Server, run the following script to create a table in your database that logs login attempts. The box below shows the MySQL command.
CREATE TABLE `LoginAttempts`
(
  -- 45 characters is enough for an IPv4-mapped IPv6 address; the original used VARCHAR(20)
  `IP` VARCHAR(45) NOT NULL,
  `Attempts` INT NOT NULL,
  `LastLogin` DATETIME NOT NULL,
  -- every lookup in the events below is by IP, so key on it
  PRIMARY KEY (`IP`)
)
Step Two:
Open your PHPRunner project, go to the Security tab and switch on the “Create Login Page” checkbox.
Check the “Username and password from database” option and choose the appropriate fields. If you have no table in which the login details are stored, you have to create one.
Step Three:
Add three global events on the Events tab: BeforeLogin, AfterSuccessfulLogin, AfterUnsuccessfulLogin. Below you will find the PHPRunner example for this:
<?php
function BeforeLogin($username, $password)
{
    //********** Custom code ************
    // Check whether this IP address is currently blocked.
    // $_SERVER["REMOTE_ADDR"] is set by the web server from the TCP connection, not by
    // the client, so it is safe to embed directly; a proxy header such as
    // X-Forwarded-For would not be.
    global $conn;
    $sql = "select Attempts, LastLogin from LoginAttempts where ip = '" . $_SERVER["REMOTE_ADDR"] . "'";
    $rs = db_query($sql, $conn);
    $data = db_fetch_array($rs);

    // No record for this IP yet, or no timestamp: let the attempt through.
    if (!$data || !strlen($data["LastLogin"]))
        return true;

    // db2time() is the PHPRunner helper that splits a DATETIME into
    // array(year, month, day, hour, minute, second).
    $atime = db2time($data["LastLogin"]);
    $time = mktime($atime[3], $atime[4], $atime[5], $atime[1], $atime[2], $atime[0]);
    $diff = (time() - $time) / 60;   // minutes since the third failed attempt

    if ($data["Attempts"] >= 3)
    {
        if ($diff < 30)
        {
            echo "<p align=center><br><font color=red><b>Access denied for 30 minutes</b></font></p>";
            return false;
        }
        else
        {
            // The block window has expired: reset the counter and allow the attempt.
            db_exec("update LoginAttempts set Attempts=0 where ip = '" . $_SERVER["REMOTE_ADDR"] . "'", $conn);
            return true;
        }
    }
    return true;
}

function AfterSuccessfulLogin()
{
    //********** Custom code ************
    // Clear previous failed attempts for this IP.
    global $conn;
    db_exec("update LoginAttempts set Attempts=0 where ip = '" . $_SERVER["REMOTE_ADDR"] . "'", $conn);
}

function AfterUnsuccessfulLogin()
{
    //********** Custom code ************
    // Increase the number of attempts and, once the third failure is reached,
    // record the time so BeforeLogin() can enforce the 30-minute block.
    global $conn;
    $sql = "select * from LoginAttempts where ip = '" . $_SERVER["REMOTE_ADDR"] . "'";
    $rs = db_query($sql, $conn);
    $data = db_fetch_array($rs);

    if ($data)
    {
        $attempts = $data["Attempts"] + 1;

        // >= rather than == so the timestamp is refreshed even if the counter
        // ever runs past three.
        if ($attempts >= 3)
            db_exec("update LoginAttempts set Attempts=" . $attempts . ", LastLogin=now() where ip = '" . $_SERVER["REMOTE_ADDR"] . "'", $conn);
        else
            db_exec("update LoginAttempts set Attempts=" . $attempts . " where ip = '" . $_SERVER["REMOTE_ADDR"] . "'", $conn);
    }
    else
        db_exec("insert into LoginAttempts (Attempts,IP,LastLogin) values (1, '" . $_SERVER["REMOTE_ADDR"] . "', NOW())", $conn);
}
?>
Step Four:
You should finish the code generation / compiling process and upload your application. It’s important to remember that by doing this, your visitors have to enter their username and password to gain access to the site. After the third unsuccessful login attempt, access from their IP address will be denied for 30 minutes. When a visitor tries to log in while blocked, they will see a message saying access is denied.
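As an added example (not from the page or from Xlinesoft), here is the same lockout state machine as the PHPRunner events above, ported to Python with an in-memory SQLite copy of the LoginAttempts table and a constructed clock so the 30-minute window can be stepped through without waiting. The LoginAttemptGuard class, the FakeClock, run_scenario() and the sample addresses are all assumptions made for illustration; the policy (three failures, 30 minutes, reset on success or expiry) is the page's.

```python
"""Python port of the PHPRunner IP-based login lockout (constructed example)."""
import sqlite3
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3      # third failure triggers the block
BLOCK_MINUTES = 30    # length of the block window
TIME_FMT = "%Y-%m-%d %H:%M:%S"   # same text shape as a MySQL DATETIME


class FakeClock:
    """Constructed clock so the block window can be advanced deterministically."""

    def __init__(self, start):
        self.current = start

    def __call__(self):
        return self.current

    def advance(self, minutes):
        self.current += timedelta(minutes=minutes)


class LoginAttemptGuard:
    """Mirrors BeforeLogin / AfterSuccessfulLogin / AfterUnsuccessfulLogin.

    Queries are parameterised rather than concatenated; REMOTE_ADDR happens to be
    server-supplied, but the habit costs nothing and survives a later change of source.
    """

    def __init__(self, conn, now=None):
        self.conn = conn
        self.now = now or datetime.now
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS LoginAttempts ("
            " IP VARCHAR(45) NOT NULL PRIMARY KEY,"
            " Attempts INT NOT NULL,"
            " LastLogin DATETIME NOT NULL)"
        )

    def _row(self, ip):
        return self.conn.execute(
            "SELECT Attempts, LastLogin FROM LoginAttempts WHERE IP = ?", (ip,)
        ).fetchone()

    def before_login(self, ip):
        """Return False while the IP is inside its 30-minute block window."""
        row = self._row(ip)
        if row is None or row[0] < MAX_ATTEMPTS:
            return True
        blocked_at = datetime.strptime(row[1], TIME_FMT)
        minutes = (self.now() - blocked_at).total_seconds() / 60
        if minutes < BLOCK_MINUTES:
            return False
        # Window expired: reset the counter, exactly as the PHP version does.
        self.conn.execute("UPDATE LoginAttempts SET Attempts = 0 WHERE IP = ?", (ip,))
        return True

    def after_successful_login(self, ip):
        self.conn.execute("UPDATE LoginAttempts SET Attempts = 0 WHERE IP = ?", (ip,))

    def after_unsuccessful_login(self, ip):
        """Count the failure; stamp LastLogin when the threshold is reached."""
        stamp = self.now().strftime(TIME_FMT)
        row = self._row(ip)
        if row is None:
            self.conn.execute(
                "INSERT INTO LoginAttempts (IP, Attempts, LastLogin) VALUES (?, 1, ?)",
                (ip, stamp))
            return 1
        attempts = row[0] + 1
        if attempts >= MAX_ATTEMPTS:
            self.conn.execute(
                "UPDATE LoginAttempts SET Attempts = ?, LastLogin = ? WHERE IP = ?",
                (attempts, stamp, ip))
        else:
            self.conn.execute(
                "UPDATE LoginAttempts SET Attempts = ? WHERE IP = ?", (attempts, ip))
        return attempts

    def attempts(self, ip):
        row = self._row(ip)
        return row[0] if row else 0


def run_scenario():
    """Three bad passwords from one IP, then retries inside and after the window.

    Returns (before_login decisions, final counter, decision for an unrelated IP).
    """
    clock = FakeClock(datetime(2009, 9, 1, 12, 0, 0))
    guard = LoginAttemptGuard(sqlite3.connect(":memory:"), now=clock)
    ip, other = "203.0.113.7", "198.51.100.9"   # constructed TEST-NET addresses
    decisions = []
    for _ in range(3):
        decisions.append(guard.before_login(ip))   # allowed: counter below 3
        guard.after_unsuccessful_login(ip)
    clock.advance(10)
    decisions.append(guard.before_login(ip))       # denied: 10 min into the block
    clock.advance(25)
    decisions.append(guard.before_login(ip))       # allowed again: 35 min, counter reset
    guard.after_successful_login(ip)
    return decisions, guard.attempts(ip), guard.before_login(other)


if __name__ == "__main__":
    print(run_scenario())
```

The block is per source address, so several users behind one NAT share a counter and a single attacker with many addresses is not slowed down; it is a nuisance filter, not a substitute for strong passwords.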
Find out how to do this for ASPRunner also…
——————————————————————
There are a lot of other useful resources outlined for PHPRunner users in the Articles section on Xlinesoft’s website, you can find them here…
Critch on Drupal Security / PCI Compliance
Resident Server Administrator and all around Linux Guru, Matt Critcher, recently posted an entry on his blog about Drupal Security and PCI compliance. Matt has been running Drupal on his site for a while now and it seems to be working out well for him. I always look to Matt for security issues because he has an enormous knowledgebase between his ears when it comes to that sort of thing.
Making your website secure is one thing, but going the extra mile and making it PCI compliant is another thing. In the past I have recommended PCI Compliance only to our clients that do e-commerce, or gather sensitive client data, but it’s rapidly becoming a buzzword in the industry. I first learned about it in 2006 at a conference we attended in Las Vegas.
My business partners and I even partnered with HackerSafe, now owned by Mcafee, to sell PCI compliance solutions and certification to our clients back in 2006. If you are interested in learning more about PCI compliance or securing your website, be sure to give us a shout.
This site is running in a CMS called Drupal. It, like most CMS systems, allows users to easily create, edit, and delete content and manage many features of a website. But, like most, it is not without a few security flaws. I, being a geek and having more than a passing interest in security, decided to try to make this site a little more secure, and possibly even PCI compliant.
It is possible to make Drupal PCI Compliant, but it takes a little work. Now, for the record I don’t have nor do I collect data that falls under this standard, but some people do, and some run Drupal. There’s not much information about the subject on the net, so I figure it’s worth writing about. But be warned that there is a trade-off. By default, Drupal is set up to be more convenient for its users. Putting these modifications in place will make you login EVERY time you close your browser window. To me, that’s not a problem. I actually prefer that to be the case. Others, well, you may not like it as much. YMMV.
The first thing that you need to do is to force Drupal to use HTTPS for login. There are tutorials all over the net on how to install mod_ssl or Apache-SSL and configure it for HTTPS traffic, which is a prerequisite for this. There is currently no Drupal module that does just this, but you can get around it using .htaccess. In the root of your website, put the following somewhere in the .htaccess file.
You can read the rest of Matt’s post here: Making Drupal More Secure | www.mcritch.com
Turkish Hackers Break Into US Army Servers
Speaking from experience, Turkish hackers are probably some of the most underestimated and resourceful hackers on the planet. My partners and I have been around the block w/ some Turkish hackers in the past and even involved the FBI once during a pretty persistent onslaught and I walked away from that experience pretty impressed with their hacking talents.
Defacing websites and planting rootkits on commercial servers is one thing but hacking into anything belonging to the United States Military is another story altogether. This is an embarrassment and it should make some people drawing a government salary a little bit on edge today. Our government should not stop looking into this breach until they have first apprehended the hacker cell completely and cut off their arms (they are in Turkey after all, this should be okay there), and secondly they should put into place a team of established hackers like Kevin Mitnick, and some of the better ones that have never been caught, and pay them the big bucks to just sit around and try to wiggle their way into our stuff everyday and provide intelligence as to how these things go down.
Here is the story from WHIR about the breach: (and by the way, yes this is the same group that defaced the United Nations website back in 2007)
(WEB HOST INDUSTRY REVIEW) — An anti-American group of hackers have broken into at least two of the US Army’s critical web servers, according to an exclusive report by InformationWeek. Despite the advanced security and antivirus software the Defense Department has in place, the hackers were able to breach the servers.
The hackers are based in Turkey, which is known to have ties to the al-Qaida network. However, it is still unclear if the group is affiliated in any way with the notorious terrorist organization. The attacks are currently being investigated by the Department of Defense and the US Army’s Judge Advocate General’s Office and Computer Emergency Response Team.
The group, who call themselves the "m0sted", broke into servers at the Army’s McAlester Ammunition Plant in McAlester, Oklahoma on January 26, and previously at the US Army Corps of Engineers’ Transatlantic Center in Winchester, Virginia on September 19, 2007.
In the case of the McAlester Ammunition Plant breach, visitors who were trying to access the plant’s website found themselves redirected to a page that featured a m0sted-led protest against climate change. In the Army Corps of Engineers’ attack, the hackers sent website visitors to www.m0sted.net, which at the time contained anti-American and anti-Israeli messages and images.
The site is currently a parked domain page with airline reservation links. It is still not clear as to whether the hackers managed to steal any sensitive data from the Army’s servers.
So far, officials have followed through with records search warrants against Microsoft, Yahoo, Google, as well as other Internet and email service firms in their ongoing efforts to discover the hackers’ true identities.
According to officials, the hackers broke into the web servers by using an SQL injection where they successfully exploited a security vulnerability in Microsoft’s SQL Server database.
In the past, the hackers performed similar attacks on many other websites, including an attack in July 2008 against a site operated by international computer security firm Kaspersky Lab.
33 Twitter Accounts Hacked

Update: 01/05/09: CNN has posted a little more information regarding this breach on their website, here’s a link.
What I am wondering is what in the world do you do w/ a Twitter account once you hack it? It just doesn’t make a whole lot of sense to me, I guess I just don’t see the value of hacking someone’s twitter account. Maybe someone can enlighten me on this? I would love to know if I am missing something, ha.
Twitter is growing in popularity though, I have seen a lot of folks picking it up as of late that I never thought I would see getting into this type of social networking, it’s here to stay that’s for sure.
It’s been a bad week for Twitter – over the weekend the community was attacked by a Phishing Scam attack and in the last 24 hours 33 high profile Twitter users had their accounts hacked. These accounts included President Elect Barack Obama, Rick Sanchez, Britney Spears and other high profile/celebrity Twitter users.
Twitter explained what happened in a post on their blog:
“The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.”
To be fair to Twitter – both this situation and the Phishing one were responded to quickly by Twitter however it does show that Twitter is increasingly being targeted by malicious attacks and should serve as a warning to those using Twitter to expect the unexpected. While there wasn’t anything that those who had their accounts hacked could have done to prevent this – do keep your password secret and regularly updated.
Twitter does seem to be moving towards a more secure system with a beta test of OAuth scheduled for later this month – but until it goes live (and even after it) be a little more alert than normal.
#phishingalert Attack Underway!
Over the past 20 or 30 minutes this evening I have seen a lot of tweets reporting a phishing attack that is apparently running rampant on Twitter’s social networking. If you get a Twitter direct message today reading: “check out this funny blog about you”, don’t do it. The link leads to a fake Twitter login page that attempts to steal your Twitter login. Particularly susceptible to this attack are Twitter users who get their DMs delivered by email: it’s perfectly natural to be prompted to log in after clicking through from your email account.
You can follow updates on the attack by subscribing to the Twitter topic #phishingalert
Twitter Engineering and Operations are on the case but if you receive a Direct Message with a blogspot.com link in it that redirects to what seems like Twitter.com do not enter your Twitter credentials. If you look at the URL, you’ll notice that it is not really Twitter but twitter.access-logins.com—a sketchy phishing site.
Exploit Alerts from Google
Today I was waiting around for a meeting to get started and pulled up Google’s blog to read about their earnings report that was posted yesterday and saw where they had expanded their Webmaster Tools to include XSS Exploit notifications. This is a great idea in my opinion!
My business partners and I were in Las Vegas a few years ago and partnered with ScanAlert (now owned and operated by Mcafee) to offer Hackersafe Certification as an add-on service to any of our clients that might be interested in certifying their web presence to be HackerSafe.
This service has proven to be a valuable tool for us internally by alerting us of vulnerabilities and potential XSS holes for some of our third party and open source client applications. Of course Hackersafe certification requires a small investment from the client to setup, etc., but with Google’s webmaster tools, this very similar service is now free!
I am extremely anxious to spend some time checking out this new tool. Here’s an excerpt from Google’s webmaster blog:
Recently we’ve seen more websites get hacked because of various security holes. In order to help webmasters with this issue, we plan to run a test that will alert some webmasters if their content management system (CMS) or publishing platform looks like it might have a security hole or be hackable. This is a test, so we’re starting out by alerting five to six thousand webmasters.
We will be leaving messages for owners of potentially vulnerable sites in the Google Message Center that we provide as a free service as part of Webmaster Tools. If you manage a website but haven’t signed up for Webmaster Tools, don’t worry. The messages will be saved and if you sign up later on, you’ll still be able to access any messages that Google has left for your site.
One of the most popular pieces of software on the web is WordPress, so we’re starting our test with a specific version (2.1.1) that is known to be vulnerable to exploits. If the test goes well, we may expand these messages to include other types of software on the web. The message that a webmaster will see in their Message Center if they run WordPress 2.1.1 will look like this:
Official Google Webmaster Central Blog: Message Center warnings for hackable sites