This site is some kind of personal database gathering notes about my day-to-day discoveries in the IT world, basically about security.
While some are howtos and tips (we learn a new thing every day, eh), hopefully you'll find some of them informative!

December 29, 2006

Oh Sarah...

I don't know what this website is for. But this site is reported hacked.
Now access to this site is filtered. wahaahaha... Think again.

It is running too many services, leaving it vulnerable to attacks and exploits.

December 28, 2006

Securing Apache

You don't want your website to be like this, do you?


It's been days and their web site is still like this. I'm just wondering whether their site is really like this or whether it has been hacked. Or probably misconfigured? It got me thinking about my own web server... hmmm...


To help my fellow sysads, this is how I secure my Apache.

Installation
OS = Fedora Core 4
Version = httpd-2.0.54-10.4
SSH as regular user to your server. Again, DO NOT use telnet!

Do the usual lame install.
Change to root:

$ su -
Do the yum:
# yum -y install httpd
Configuration
Edit httpd.conf:

Back it up first:
# cd /etc/httpd/conf
# cp httpd.conf httpd.conf.bak
Now open httpd.conf:
# vi /etc/httpd/conf/httpd.conf
Just edit these directives and leave everything else at its default. They live inside the <Directory /> and <Directory "/var/www/html"> sections of the stock httpd.conf, shown here with their containers:
### Section 1: Global Environment
# This hides the Apache version info
ServerTokens Prod
# Listen: Allows you to bind Apache to specific IP addresses and/or ports.
Listen 80
# Specify the name of the user/group to run httpd as.
User apache
Group apache

### Section 2: 'Main' Server Configuration
# First, we configure the "default" to be a very restrictive set of features.
<Directory />
    Options FollowSymLinks
    # This allows us to use .htaccess
    AllowOverride All
    # Add for security: deny everything by default, allow per directory below
    Order Deny,Allow
    Deny from all
    # Absolute form: this replaces the FollowSymLinks line above for the root
    Options None
</Directory>

<Directory "/var/www/html">
    # The Options directives
    Options All

    # Turn off directory browsing. This must come after the absolute
    # "Options All", which would otherwise reset the set and re-enable Indexes.
    Options -Indexes

    # AllowOverride controls what directives may be placed in .htaccess files.
    AllowOverride All

    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
</Directory>

# AccessFileName: The name of the file to look for in each directory for additional configuration directives.
AccessFileName .htaccess

# ServerSignature: Optionally add a line containing the server version and virtual host name to server-generated pages.
ServerSignature Off
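A small audit script, added here as an illustration (not part of the original post or of Apache), that reads an httpd.conf and reports the gaps this section cares about: ServerTokens not Prod, ServerSignature not Off, and directory listing still enabled in a <Directory> section. It models how Apache merges repeated Options lines within one section (an absolute "Options All" replaces the whole set), which is exactly why "Options -Indexes" has to come after "Options All". The sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample (not a real server's file), reduced to the lines the audit reads.
SAMPLE_CONF = """\
ServerTokens Prod
<Directory "/var/www/html">
    Options -Indexes
    Options All
</Directory>
ServerSignature off
"""
# "All" means every option except MultiViews (Apache core semantics).
ALL_OPTIONS = {"Indexes", "Includes", "FollowSymLinks", "SymLinksIfOwnerMatch", "ExecCGI"}

def apply_options(current, words):
    """One Options line as Apache applies it: +X adds, -X removes, a line without +/- replaces the set."""
    opts = set(current) if all(w[0] in "+-" for w in words) else set()
    for w in words:
        if w.startswith("+"):
            opts.add(w[1:])
        elif w.startswith("-"):
            opts.discard(w[1:])
        elif w == "All":
            opts |= ALL_OPTIONS
        elif w != "None":
            opts.add(w)
    return opts

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, section, options, glob = [], None, {}, {}
    for line in (l.strip() for l in conf_text.splitlines()):
        if m := re.match(r'<Directory\s+"?(.+?)"?\s*>', line, re.I):
            section, options[section] = m.group(1), set()   # enter a section
        elif line.lower() == "</directory>":
            section = None
        elif line and not line.startswith("#"):
            key, *args = line.split()
            if key.lower() == "options" and section is not None:
                options[section] = apply_options(options[section], args)
            elif key.lower() in ("servertokens", "serversignature"):
                glob[key.lower()] = args[0].lower()
    if glob.get("servertokens") != "prod":
        findings.append("ServerTokens is not Prod (version string leaks)")
    if glob.get("serversignature", "on") != "off":
        findings.append("ServerSignature is not Off")
    findings += [f"directory listing enabled in <Directory {s}>"
                 for s, opts in options.items() if "Indexes" in opts]
    return findings
```

Running `audit(open("/etc/httpd/conf/httpd.conf").read())` on the real file gives the same kind of list; swapping the two Options lines in the sample makes the listing finding disappear.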
.htaccess
Make the file:
# vi /var/www/html/.htaccess
Put this in the file:
#
# mod_rewrite in use
#
RewriteEngine On

# Rules (note: RewriteCond lines only apply to the RewriteRule directly after them)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^content/(.*) index3.php
RewriteRule ^component/(.*) index3.php
RewriteRule ^mos/(.*) index3.php

###########################################################################
# This prevents hot-linking of images from this website
# just to save the bandwidth :)
# The first condition lets requests with no Referer through (direct visits),
# the second excludes our own site; the rule needs the escaped dot.
###########################################################################
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

###########################################################################
# This denies directory browsing
###########################################################################
IndexIgnore */*
Options -Indexes

###########################################################################
# This prevents access to the .htaccess file itself. Without the <Files>
# container, "deny from all" would block the whole directory.
###########################################################################
<Files .htaccess>
order allow,deny
deny from all
</Files>

###########################################################################
# Deny Useragents
# Ban access to your site based on the user agent that is reported in the
# request header. If it is on this list then they will not have access to
# your site.
###########################################################################
RewriteCond %{HTTP_USER_AGENT} ^Alexibot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^asterias [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Black.Hole [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BlowFish [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BotALot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BuiltBotTough [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Bullseye [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^BunnySlippers [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Cegbfeieh [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^cfetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CheeseBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^CopyRightCheck [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^cosmos [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^DA\ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^DataCha0s.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^dcs [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^DittoSpyder [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Download.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Email.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EroCrawler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^FDM\ 2.x [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Foobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^FreshDownload [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Googlebot-Image [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Harvest [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^hloader [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^httplib [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^humanlinks [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InfoNaviRobot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Java.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JennyBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Kenjin.Spider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Keyword.Density [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libWeb/clsHTTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkextractorPro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkScan/8.1a.Unix [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^lwp-trivial [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mata.Hari [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MIIxpc [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Missigua.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister.PiX [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^moget [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NG [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^NPBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline.Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^PostFavorites [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ProPowerBot/2.14 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ProWebWalker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^QueryN.Metasearch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^RepoMonkey [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^RMA [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SpankBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^spanner [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^StarDownloader [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^suzuran [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Syntryx [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz/1.4 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Telesoft [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^The.Intraformant [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^TheNomad [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^TightTwatBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Titan [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^toCrawl/UrlDispatcher [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^True_Robot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^turingos [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^TurnitinBot/1.5 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Twiceler [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^URLy.Warning [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^VCI [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebBandit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEnhancer [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Web.Image.Collector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebmasterWorldForumBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website.Quester [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster.Pro [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZip [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[Bb]andit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WWW-Collector-E [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus [NC]
RewriteRule ^.*$ - [F]

###########################################################################
# Spam Referrers
# Referrer spam is where someone forges the Referer header and then
# accesses your site. The thought here is that hopefully you are someone
# who monitors your log files, will see this link and visit their
# site. Or they hope that your activity reports are publicly viewable on the
# web, so that a search engine will spider your reports and increase the
# number of sites linking to them, therefore increasing their ranking in the
# search engine.
###########################################################################
RewriteCond %{HTTP_REFERER} hackerviet [NC,OR]
RewriteCond %{HTTP_REFERER} insurance [NC,OR]
RewriteCond %{HTTP_REFERER} poker [NC,OR]
RewriteCond %{HTTP_REFERER} 24hours-credit [NC,OR]
RewriteCond %{HTTP_REFERER} baby-casino [NC,OR]
RewriteCond %{HTTP_REFERER} texas-hold-em [NC,OR]
RewriteCond %{HTTP_REFERER} hold-em [NC,OR]
RewriteCond %{HTTP_REFERER} holdem [NC,OR]
RewriteCond %{HTTP_REFERER} doctor-pills [NC,OR]
RewriteCond %{HTTP_REFERER} thesmart-casino [NC,OR]
RewriteCond %{HTTP_REFERER} westvalleyhigh [NC,OR]
RewriteCond %{HTTP_REFERER} highest-credit [NC]
RewriteRule ^.*$ %{HTTP_REFERER} [R,L]
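To see what the three blocking sections of this .htaccess actually decide for a given request, here is an added Python model of them (an illustration, not part of the post or of Apache): it reproduces the hot-link, user-agent and spam-referer logic in the order the rules appear, with the site name assumed and only a constructed subset of the agent and referer lists.

```python
import re

# Assumed site name and constructed subsets of the page's agent and referer lists.
OWN_SITE = re.compile(r"^http://(www\.)?yoursite\.com/.*$", re.I)
BANNED_AGENTS = ["Wget", "HTTrack", "WebZip", "libwww-perl", "Java.*"]
SPAM_REFERERS = ["poker", "insurance", "holdem"]

def evaluate(path, referer="", user_agent=""):
    """Return (status, location) for a request, in the order the rules appear
    in the .htaccess above; the first rule whose conditions all hold wins."""
    # Hot-link block: referer present (!^$), not our own site, and an image.
    # An empty referer is deliberately let through so direct visits still work.
    if referer and not OWN_SITE.match(referer) and re.search(r"\.(gif|jpg)$", path, re.I):
        return 403, None
    # Banned agents: anchored at the start (^), case-insensitive ([NC]) and
    # chained with [OR], so a single match is enough for the [F] rule.
    for pattern in BANNED_AGENTS:
        if re.match(pattern, user_agent, re.I):
            return 403, None
    # Spam referers: unanchored substring match, then [R] bounces the client
    # back to the referer itself (a plain [R] flag is a 302 redirect).
    for word in SPAM_REFERERS:
        if re.search(word, referer, re.I):
            return 302, referer
    return 200, None
```

Because the agent patterns are anchored, an agent string that merely contains "Wget" somewhere in the middle is not caught, which is the trade-off this list makes against false positives.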

December 27, 2006

Rootkits

Rootkits are powerful tools for compromising computer systems without detection. Virus scanners and desktop firewalls are not enough against them: attackers can get in and stay in for years without being detected, because a rootkit's purpose is to hide.
Rootkits exist for a variety of operating systems, such as Linux, Solaris and versions of Microsoft Windows. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.

Rootkit Scanner
Chkrootkit is a powerful tool to scan your Linux server for trojans. I'll show you how to install it, scan your server and set up a daily automated scanning job that emails you the report.

Installation
OS = Fedora Core 4
Version = chkrootkit-0.47-1.fc4
SSH as regular user to your server. DO NOT use telnet; it should be disabled anyway.

Change to root:
$ su -

Type the following:
# yum -y install chkrootkit

To use chkrootkit, just type the command:
# chkrootkit

Everything it outputs should be 'not found' or 'not infected'...

Daily Automated System Scan that emails you a report
While in SSH run the following:
# vi /etc/cron.daily/chkrootkit.sh

Insert the following into the new file:
#!/bin/bash
# Run chkrootkit and mail the full report to the admin.
# If you installed the yum package, chkrootkit is already on root's PATH and the cd line is not needed.
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
1. Replace 'yourinstallpath' with the actual path where you installed Chkrootkit.
2. Change 'Servername' to the name of the server you're running this on, so you know where the report is coming from.
3. Change 'admin@youremail.com' to the actual email address the script should mail you at.

Now save the file in SSH:
ESC then colon (:) then Ctrl+X then ENTER

Change the file permissions so we can run it:
# chmod 755 /etc/cron.daily/chkrootkit.sh

Now, if you like, you can run a test report manually over SSH to see how it looks.
# cd /etc/cron.daily/

# ./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen every day, so you don't have to run it manually.