shared hosting and attacks [FWD: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack]

Hi, the following post is a forward of an email by Fergie to funsec. This
story by itself is not relevant to NANOG, but it does illustrate a problem
nearly all of us have been facing: mass exploitation of servers in our
nets, colos and hosting farms.

Nearly every (relevant, not say, just a transit one) ISP I spoke to
globally has this problem.

With thousands of sites on every server and virtual machines everywhere,
all it takes is one insecure web application such as xxxBB or PHPxx for
the server to be remotely accessed, and for a remote connect-back shell to
be installed. The rest is history.

This is often soon followed with masses of defacements, spam, bots, ddos,
etc.

We all (well, never say all, every, never, ever, etc.), many of us face
this. What solutions have you found?

Some solutions I heard used, or utilized:
1. Remote scanning of web servers.
2. Much stronger security enforcement on servers.
3. "Quietly patching" user web applications without permission.
4. JGH - Just getting hacked.

What have you encountered? What have you done, sorry, heard of someone
else do, to combat this very difficult problem on your networks?

The whole business of this hosting is the low cost, and everyone wastes
countless man hours on killing fires.

This is not about BGP, but it is an operational problem that bugs us,
operators.

Thanks,

  Gadi.

[...]

With thousands of sites on every server and virtual machines everywhere,
all it takes is one insecure web application such as xxxBB or PHPxx for
the server to be remotely accessed, and for a remote connect-back shell to
be installed. The rest is history.

Hence why I'm rather partial to the ROT13 of a certain such application: cucOO.

[...]

We all (well, never say all, every, never, ever, etc.), many of us face
this. What solutions have you found?

Some solutions I heard used, or utilized:
1. Remote scanning of web servers.

Well, I *did* at one point have a script that looked for files with any of a list of MD5 sums and chmodded them 000 if it found one. Grepping for "Matt Wright" in Perl scripts and chmodding them is also not a bad idea :)

2. Much stronger security enforcement on servers.

Actually, even bothering to use Unix user accounts rather than running everything under the Apache uid (or sometimes nobody or root!) would be a fine start.

3. "Quietly patching" user web applications without permission.

I would like to plead the Fifth at this point.

4. JGH - Just getting hacked.

This seems to be a popular enough technique, as long as the money still keeps rolling in, but not one I particularly subscribe to because the bad reputation gets round after a while.

What have you encountered? What have you done, sorry, heard of someone
else do, to combat this very difficult problem on your networks?

Hacked accounts aren't evenly distributed over the customer base. A judiciously-applied account suspension or bollocking goes a long way.
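A worked version of the scanner the reply above describes (hash the files under a customer docroot against a list of known-bad MD5 sums, grep Perl/CGI scripts for "Matt Wright", and chmod 000 whatever matches). This is an added example, not the poster's own script. The known-bad hash list and the sample docroot it builds are constructed stand-ins for demonstration, not real indicators; a real deployment would feed it a hash list from its own incident history.

```python
#!/usr/bin/env python3
"""Scan a docroot for known-bad files and neutralise them with chmod 000.

Added example (not the poster's script). The hash list and the demo tree
below are constructed for illustration only.
"""
import hashlib
import os
import re
import stat

# Scripts carrying Matt Wright's name are almost always copies of the old
# FormMail.pl family, which the reply singles out for chmodding.
FORMMAIL_MARKER = re.compile(rb"Matt\s+Wright")
SCRIPT_SUFFIXES = (".pl", ".cgi")
MAX_GREP_BYTES = 64 * 1024  # only the header of a script is inspected


def md5_of(path):
    """MD5 of a file, read in chunks so a large upload does not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, bad_md5s):
    """Return why a file should be neutralised, or None if it looks clean."""
    if md5_of(path) in bad_md5s:
        return "known-bad md5"
    if path.lower().endswith(SCRIPT_SUFFIXES):
        with open(path, "rb") as f:
            if FORMMAIL_MARKER.search(f.read(MAX_GREP_BYTES)):
                return "Matt Wright script"
    return None


def scan_tree(root, bad_md5s, neutralise=True):
    """Walk `root`; return sorted [(path, reason)] hits, chmod 000 each if asked.

    Symlinks are skipped so a customer cannot point the scanner at files
    outside their own tree; unreadable files (e.g. already 000 from an
    earlier run, when not root) are skipped rather than aborting the sweep.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                reason = classify(path, bad_md5s)
            except PermissionError:
                continue
            if reason:
                hits.append((path, reason))
                if neutralise:
                    os.chmod(path, 0)  # mode 000: only root can read or run it
    return sorted(hits)


# --- constructed sample data (assumption: not real indicators) ---------------
BAD_SAMPLE = b"<?php /* constructed stand-in for a webshell */ eval($_POST['c']); ?>\n"
BAD_MD5S = {hashlib.md5(BAD_SAMPLE).hexdigest()}


def build_demo_tree(root):
    """Create a small fake customer docroot under `root`; return rel -> path."""
    files = {
        "index.html": b"<html><body>hello</body></html>\n",
        "images/shell.php": BAD_SAMPLE,
        "cgi-bin/formmail.pl": (b"#!/usr/bin/perl\n# FormMail  Version 1.6\n"
                                b"# Copyright 1995-1997 Matt Wright\n"),
        "cgi-bin/ok.pl": b"#!/usr/bin/perl\nprint \"ok\\n\";\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    return {rel: os.path.join(root, rel) for rel in files}


def mode_bits(path):
    """Permission bits of a file as an int (0 after a successful chmod 000)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build the constructed tree in a temp dir, scan it, report the outcome."""
    import tempfile
    tmp = tempfile.mkdtemp(prefix="hostscan-")
    files = build_demo_tree(tmp)
    hits = scan_tree(tmp, BAD_MD5S)
    return {
        "hits": {os.path.relpath(p, tmp): r for p, r in hits},
        "modes": {rel: mode_bits(p) for rel, p in files.items()},
    }


if __name__ == "__main__":
    result = demo()
    for rel, reason in result["hits"].items():
        print(f"{reason:20s} {rel}  mode now {result['modes'][rel]:03o}")
```

Run it as root (or as the owner of the docroots) so the chmod takes effect; a second pass as an unprivileged user simply skips files it can no longer read instead of crashing. The hash check is a blunt instrument, since a one-byte change to a shell defeats it, which is why the grep for a telltale string runs alongside it.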