Hacking

fedorafan2
29th October 2006, 11:34 PM
I have a web server and my friend knows much more than I do about computers. He was able to hack into it and get my password that was in a config file. He said he used some username of an account that is for some program to get in, but I don't know. How can I make my server more secure so he doesn't do this in the future?

codvx87
30th October 2006, 12:02 AM
For some reason I doubt this...

VictorienSardou
30th October 2006, 12:08 AM
is your webserver running on your home machine?
is it behind a router?
is it available to anyone on the internet to visit?

fedorafan2
30th October 2006, 12:08 AM
For some reason I doubt this...

He told me the password and that is what he said he did to get in.

u-noneinc-s
30th October 2006, 01:02 AM
Good thing it was a friend. ;)
Are you sure he got in through the web server? Will he tell you what he did and how he did it if you ask him?
Could he have gotten in through ftp (plain ftp is very insecure) or ssh (maybe you have protocol 1 enabled)?

Also, was it your password or root password he got?

Change your password, then yum install mod_security (if it's not already installed) and ask him to try it again...just a thought :/

fedorafan2
1st November 2006, 05:54 AM
The password was a mysql user that my forum uses. He said he got the password by using some bug in apache that makes it not parse php. So he was able to view the config file. What is protocol 1?

u-noneinc-s
1st November 2006, 06:11 AM
ssh2 is backwards compatible to ssh1 through protocol 1. ssh version 1 was vulnerable to attack. ssh version 2 is more secure, but its backwards compatibility with ssh1 makes ssh2 vulnerable. If you have ssh2 and protocol 1 is enabled you should disable it. Though I don't think it's related to the php vulnerability.

I don't know enough about security, but I know there have been vulnerabilities in apache php and/or phpbb and I think cgi (?) but I don't know anything about it. I hope someone here tells you how to close the hole.

fedorafan2
3rd November 2006, 04:45 AM
ssh2 is backwards compatible to ssh1 through protocol 1. ssh version 1 was vulnerable to attack. ssh version 2 is more secure, but its backwards compatibility with ssh1 makes ssh2 vulnerable. If you have ssh2 and protocol 1 is enabled you should disable it. Though I don't think it's related to the php vulnerability.

I don't know enough about security, but I know there have been vulnerabilities in apache php and/or phpbb and I think cgi (?) but I don't know anything about it. I hope someone here tells you how to close the hole.
How can I tell if protocol 1 is enabled?

u-noneinc-s
3rd November 2006, 05:11 AM
I was afraid you were going to ask that. I have to look it up, not too familiar with most config files.

It looks like maybe /etc/ssh/sshd_config. Look for a line like Protocol 2,1.

Mine is commented out #Protocol 2,1, but I'm not sure if that is exactly correct. I disabled it with webmin and not with the config file. I am assuming that if the Protocol is commented out it defaults to 2.

It's also a good idea to not allow root login through ssh. I think it's a little farther down the file.

Please wait for better advice as I've been making some blunders here (on the forum) lately.

I hope it's only temporary brain fade :rolleyes:

pdb
3rd November 2006, 06:07 AM
From the ssh_config manpage:

Protocol
    Specifies the protocol versions ssh should support in order of preference. The possible values are 1 and 2. Multiple versions must be comma-separated. The default is 2,1. This means that ssh tries version 2 and falls back to version 1 if version 2 is not available.

pdb
3rd November 2006, 06:18 AM
One thing you should do to improve security is make sure your web applications use mysql users and passwords that have nothing to do with your server users and passwords. Then if some vulnerability compromises those more exposed users and passwords, only that mysql database and your web application will be hosed. Then, too, make sure you have good backups so if it does get hosed, you don't lose all your valuable data.

I don't know a whole lot beyond that; maybe someone else will chime in! :)

u-noneinc-s
3rd November 2006, 06:41 AM
Sounds like a pretty good explanation to me.
As for ssh, I was getting a RKH warning that ssh protocol 1 was enabled and should not be (don't recall exact message) so I changed it with Webmin. I simply unchecked protocol 1 and RKH is happy.
Would you think that if you only wanted ssh2 you could just change the config from use
Protocol 2,1
to
Protocol 2 and drop the 1?
I've got to lose my dependency on GUI's. Webmin is nice and simple, but I am spoiled :p

pdb
3rd November 2006, 06:54 AM
u-noneinc-s, you are correct. I went even further and set PermitRootLogin to no and set AllowUsers only to my personal user. There are so many scans of ssh just probing for users that I also installed denyhosts, which blocks the offending IP address at the firewall.

u-noneinc-s
3rd November 2006, 07:00 AM
Wow, it's nice to be right "occasionally" ;)
From the sshd_config man page:

Protocol
    Specifies the protocol versions sshd supports. The possible values are 1 and 2. Multiple versions must be comma-separated. The default is 2,1. Note that the order of the protocol list does not indicate preference, because the client selects among multiple protocol versions offered by the server. Specifying 2,1 is identical to 1,2.

So I guess it is ok to specify just one protocol.

pdb
3rd November 2006, 07:06 AM
:) I noticed after you posted earlier that I had goofed on the man page I looked up, but the conclusion still looked good, so I let it go.

u-noneinc-s
3rd November 2006, 07:14 AM
Well, they both exist, and they both appear to be the same (on the surface anyway, just glancing). man ssh_config has the same Protocol statement as man sshd_config
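The question earlier in the thread was how to tell from the config file whether protocol 1 is enabled. The script below is an added example, not something posted in the thread: it reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins) and reports on the three settings discussed above, Protocol, PermitRootLogin and AllowUsers. It assumes the defaults quoted from the man page for OpenSSH of that era (Protocol 2,1 and PermitRootLogin yes when the line is absent or commented out), and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed above. Assumes OpenSSH-era defaults: a missing or commented-out
# "Protocol" line means "2,1", a missing "PermitRootLogin" means "yes".
# Directives inside "Match" blocks are not evaluated; only the first
# uncommented occurrence counts, which is also what sshd uses globally.

# Print the effective value of a directive: first uncommented occurrence,
# else the supplied default.  Keywords are matched case-insensitively.
sshd_setting() {
    # $1 = config file, $2 = directive name, $3 = default when absent
    _val=$(awk -v key="$2" '
        tolower($1) == tolower(key) {
            $1 = ""                       # drop the keyword, keep the value(s)
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit                   # first match wins, like sshd
        }' "$1")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# Return 0 (true) if the effective Protocol list offers version 1.
protocol1_enabled() {
    # $1 = config file
    case ",$(sshd_setting "$1" Protocol 2,1)," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print one line per finding; return 1 if anything weak was found.
audit_sshd_config() {
    # $1 = config file
    _rc=0
    if protocol1_enabled "$1"; then
        echo "WEAK: Protocol offers version 1 (effective: $(sshd_setting "$1" Protocol 2,1)); set 'Protocol 2'"
        _rc=1
    else
        echo "OK: only SSH protocol 2 is offered"
    fi
    _root=$(sshd_setting "$1" PermitRootLogin yes)
    case "$_root" in
        no) echo "OK: PermitRootLogin no" ;;
        *)  echo "WEAK: PermitRootLogin is '$_root'; set it to no"; _rc=1 ;;
    esac
    _users=$(sshd_setting "$1" AllowUsers "")
    if [ -z "$_users" ]; then
        echo "NOTE: no AllowUsers line; every account with a shell may attempt ssh login"
    else
        echo "OK: AllowUsers $_users"
    fi
    return $_rc
}

# Stand-alone usage: ./audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; fi
```

After changing the file, reload sshd and keep the existing session open until a second login in a new terminal succeeds, so a typo in the config cannot lock you out.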

LinuxManMikeC
3rd November 2006, 07:50 AM
The password was a mysql user that my forum uses. He said he got the password by using some bug in apache that makes it not parse php. So he was able to view the config file. What is protocol 1?
In addition to the apache bug it also sounds like bad programming practices in your forum software. I have seen many PHP programmers make a "config file" which is just a php script. This file is often located where any visitor to the site can "run" this script. Throw the apache vulnerability into the mix and instead of "running" the statements in the config file, it is just spit up in the browser with all the passwords it contains. These config files should not be accessible by visitors to the site. You simply need to configure apache to not allow visitors to view the config files of all your web scripts. Even better is to put the config files outside the reach of your public web directories, like in /etc. This is as much a problem with the actual forum software as it is with apache and/or php.
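To act on the advice in this post you first need to know which files in the document root would be handed to a visitor if PHP parsing stopped working. The script below is an added example, not code from the thread or from any forum package: it lists configuration-looking files under a document root, tells you whether a given config path is inside that root (and therefore URL-reachable), and emits an Apache 2.2-style deny rule for those names. The filename patterns are assumptions about common PHP layouts; adjust them to your software.

```shell
#!/bin/sh
# Added example (not from the thread): find configuration files that sit inside
# a web document root, where a PHP-parsing failure would serve them as text.
# The name patterns below are assumptions about typical PHP forum layouts.

# List files under DOCROOT whose names look like configuration or credentials.
find_exposed_configs() {
    # $1 = document root
    find "$1" -type f \( -iname 'config*.php' -o -iname '*.inc' -o -iname '*.ini' \
        -o -iname '*.conf' -o -iname '*.bak' -o -iname '.htpasswd' \) 2>/dev/null | sort
}

# Number of such files, for a quick pass/fail.
count_exposed_configs() {
    find_exposed_configs "$1" | wc -l | tr -d ' '
}

# Return 0 if FILE lies inside DOCROOT (URL-reachable), 1 otherwise.
# Both paths are canonicalised so symlinked roots compare correctly.
is_inside_docroot() {
    # $1 = file path, $2 = document root
    _f=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P)/$(basename "$1")
    _d=$(cd "$2" 2>/dev/null && pwd -P)
    case "$_f" in
        "$_d"/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Apache 2.2-style directives that refuse to serve the names matched above,
# whether or not mod_php is working.  Put them in the vhost or in an .htaccess
# in the document root.  PHP's include/require reads the files from disk, so
# denying HTTP access to them does not break the scripts that use them.
apache_deny_snippet() {
    cat <<'EOF'
<FilesMatch "(?i)^(config.*\.php|.*\.(inc|ini|conf|bak)|\.htpasswd)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

# Stand-alone usage: ./find-configs.sh /var/www/html
if [ "$#" -gt 0 ]; then
    find_exposed_configs "$1"
    echo "--- suggested Apache rule ---"
    apache_deny_snippet
fi
```

The deny rule is the quick fix; the better one from the post is to move the config out of the document root (for example to a directory under /etc readable only by the web server's user) and have the forum script include it by absolute path, so there is nothing under the docroot left to leak.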