Archive for the ‘Spam/UCE’ Category

New ssh attack is out there

Tuesday, December 8th, 2009

I woke this morning to a slew (here defined as ‘62′) of ssh dictionary attacks:
[Screenshot: 2009-12-08 at 6.40.40 AM]

There were already 20 or so last night. Looks like a new botnet/attack wave or similar. I’m using DenyHosts and quite frankly, you should be too.

If you’re running Debian, there’s a nice package for it that I use and recommend. I’ve set mine to trigger on 3 attempts, but I’ve few users and most use ssh keys and not keyboard auth.

Might be a good time to run chkrootkit and change some passwords!

WordPress exploit on the rampage

Saturday, September 5th, 2009

Via DF, news of a large automated attack against WordPress installs.

Yeah, like this one.

As far as I can tell, Fnord, annalog and gemmacasa are all still clean, but please keep your eyes out for odd links or content, and email pfh at phfactor if you see anything (phfactor.net, that is)

Yay. Spammers suck.

Update 9/6: Anil to the rescue:

Since the attack is targeting non-current versions of wordpress, then all the vulnerabilities should be listed in the CVE. So if you compare

http://www.debian.org/security/2009/dsa-1871

and

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

you’ll see that Debian is quite up-to-date. To be extra sure you can look at the Debian changelog for the package you have installed.

So, looks like you’re fine. :-)

Thanks, Anil!

WHOIS spam

Wednesday, May 13th, 2009

I was talking to a co-worker about DNS registrars today, and ran whois on yahoo:

whois yahoo.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
YAHOO.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM
YAHOO.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
YAHOO.COM.VN
YAHOO.COM.VIRGINCHASSIS.COM
YAHOO.COM.TWIXTEARS.COM
YAHOO.COM.TW
YAHOO.COM.SG
YAHOO.COM.MX
YAHOO.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
YAHOO.COM.JTNELECTRIC.COM
YAHOO.COM.JENNINGSASSOCIATES.NET
YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM
YAHOO.COM.HK
YAHOO.COM.ELPOV.COM
YAHOO.COM.EATINGFORJOY.NET
YAHOO.COM.DALLARIVA.COM
YAHOO.COM.COLLEGELEARNER.COM
YAHOO.COM.CHRISIMAMURAPHOTOWORKS.COM
YAHOO.COM.BR
YAHOO.COM.BGPETERSON.COM
YAHOO.COM.AU
YAHOO.COM

Apparently, this has been going on for a while. I know that I get spam addressed to the email addresses in my whois records. The usual collection of bastards (Hi, Network Solutions!) that sell the whois access also sell another service to remove your email address from the record. Nice to work it both ways, eh?
Anyway, spam gets everywhere these days. Sad to see an old tool compromised.

Spammer tricks and exploits: A modern taxonomy

Sunday, February 1st, 2009

I get a fair bit of attempted comment spam here on Fnord; almost all of it is neatly caught by Akismet and no one sees it. Since I installed Akismet in May 2006, it’s caught 185,233 spam. And mine is a trivial site!

Anyway, one made it past Akismet this morning, at which point I get an email. Some of the URLs caught my eye, showing how spammers are using innocent sites to host their malware. This is new to me, or perhaps I just hadn’t seen it before. Here we go – last bits of URLs replaced as noted, so they are broken. I assume this leads to spam/malware/bad things, so please don’t go to these locations! I’m leaving the domain names correct, though. Name and shame time, folks.

http://www.insfun.com/upfiles/.tmp/?[censored]

Looks like they’re taking advantage of someone’s upload area.

http://www.newtondancecompany.com/Calendars/.DAV/?[censored]

A bit different. Here, they’ve gotten in via WebDAV, looks like an incorrect Apache configuration. Whoops.

http://joenweb.co.kr/shop/koso/.tmp/?[censored]

Probably a shopping cart vulnerability. Note that the directory starts with a dot, and so is less visible under Unix. Basic way to reduce your risk of detection from the sysadmin.

http://taxforum.or.kr/bbs/data/.tmp/?[censored]

BBS/forum weakness, same dot-named directory. Note also that they seem to be using the same uploaded software, using HTTP parameters to pass in via the [censored] bits.

http://www.astropoetics.com/gallery/thumbnails/.tmp/?[censored]

This time, managed to insert malware into a picture gallery. Yeesh.

http://www.steelelogic.com/2007/11/.cache/?[censored]

Cache weakness? Hard to tell on this one.

There’s lots more, though the rest are just the same upfiles/.tmp/BBS/shop hacks. 
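The common thread in the URLs above is a dot-named directory (.tmp, .DAV, .cache) dropped inside an upload, gallery or forum data path. As an added example (not code from the post), here is a small audit that walks a web root and reports every hidden directory that holds script files; the sample tree it builds is constructed to mimic those layouts and is not real data.

```python
import os
import tempfile

# Extensions that a web server would typically execute if an attacker drops them.
SCRIPT_EXTS = {".php", ".php5", ".phtml", ".pl", ".cgi", ".py", ".sh"}

def find_hidden_script_dirs(webroot):
    """Return sorted (relative_dir, [scripts]) for every directory whose name
    starts with a dot and that contains at least one script file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if not os.path.basename(dirpath).startswith("."):
            continue
        scripts = sorted(
            f for f in filenames
            if os.path.splitext(f)[1].lower() in SCRIPT_EXTS
        )
        if scripts:
            findings.append((os.path.relpath(dirpath, webroot), scripts))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree (assumption: layouts modelled on the post's URLs)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "upfiles/.tmp": ["index.php", "in.txt"],   # hidden dir with a script: flagged
        "Calendars/.DAV": ["r.php"],               # hidden dir with a script: flagged
        "gallery/thumbnails": ["cat.jpg"],         # visible, legitimate content
        "bbs/data/.tmp": ["list.txt"],             # hidden but no script: not flagged
        ".git": ["config"],                        # hidden, no script: not flagged
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        for name in files:
            open(os.path.join(d, name), "w").close()
    return root

if __name__ == "__main__":
    for rel, scripts in find_hidden_script_dirs(build_sample_webroot()):
        print("hidden script directory: %s -> %s" % (rel, ", ".join(scripts)))
```

Running it against a real web root only lists candidates; a hidden directory is not proof of compromise on its own, so compare what you find against the application's own expected layout.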

That didn’t take long… Amazon EC2 as a hack tool

Wednesday, December 24th, 2008

I run denyhosts locally, which bars access to any computer trying to log in over ssh after a few failed password attempts. Even as a net nobody, you see a lot of these attacks; I have several tens of thousands of blocked hosts now. They seem to be mostly home-connected Windows machines, but this morning a new wrinkle showed up:

Added the following hosts to /etc/hosts.deny:

174.129.151.164 (ec2-174-129-151-164.compute-1.amazonaws.com)

Someone had the fairly obvious idea of using Amazon’s EC2 elastic compute cloud to run hack attacks, since there’s no reason for EC2 to be trying to log in to my network. Now I gotta figure out how to report this to Amazon; at least with them there’s an audit trail. Which probably leads back to a stolen credit card, but still.

Update 12/25/08: Jeff Barr from Amazon left a couple of comments with instructions, so I’ve reported it. Thanks, Jeff!

Update 12/26: Email back from Amazon, instance shut down, very professional and fast.

Update 12/27: Two more attempts today from different IPs. Seems to be a problem.

Hmm. Home server/router pondering

Monday, November 17th, 2008

Right now the home network is pretty simple. I’ve consolidated all of the server functions (web, dns, email, blogs, database, VoIP, etc) into a single Debian box, behind the Linksys RV042 router/firewall. Wireless is provided by a couple of Apple Airport Express boxes (one for G, one for N) and there’s also a gigabit switch as a backbone. Other than the Debian box, the rest are fanless and silent, which has been a continuing goal once we moved to a much smaller house!

(There’s other gear on the net, but it’s not relevant here.)

The Debian box has 4 drives in it right now, 1 for Linux and 3 250s in a RAID5 hardware array:

This works, and is stable and quiet-er. Or ish. It’s definitely not silent, though it’s hard to measure noise in any useful way. (I have a decibel meter, and I tried, sorry. Too many variables.)

One idea I’ve been kicking around is this: Other than disk, everything served by Debian now could run on a much smaller machine, perhaps even (gasp!) one without fans.

Check this out: It’s an Asus EEE Box, an Atom-based PC for under $300:

(Wikipedia page is here for more info)

I was just reading a bit about IPv6 and researching what it’d take to add it to the home network, when I found smallnetbuilder.com. It seems to be a really good site for material like this, as well as NAS, wireless and router reviews. S/he likes the Untangle software bundle, which is a polished firewall/filter/router system. I personally prefer OpenBSD for firewalls, as pf can still do the most tricks, but I gotta admit that the GUI polish of Untangle is compelling. Here’s a screenshot from the Untangle site:

The files currently on the Debian RAID have mostly migrated to the iMac now (iTunes is quite nice for music management), so losing the RAID array is do-able. I’ve also got a co-worker with a hand-me-down NAS RAID that might work. So perhaps Untangle or something Debian-based on the Eee Box might work. 

From what I can find, the Linksys RV042 I’m using now lacks IPv6, so something like this is compelling.

Amazing times that we live in, eh? 

A new wave of botnet attacks

Monday, May 12th, 2008

This morning, in my inbox, this is what I saw:

That is, 37 reports that a host had tried to break into my SSH port, and failed more than one password attempt. If I weren’t running DenyHosts, the dictionary attacks would have a lot greater chance of succeeding. As it is, I’ve seen at least 50 hosts blocked today; usually I get one every few days. Sadly, I’ve now got over sixty-five thousand hosts denied via DenyHosts, which is a sad commentary on how many cracked Windows machines are out there.

Patch and monitor those boxes, people!
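The three DenyHosts posts above (the December 2009 dictionary attacks, the EC2 entry in /etc/hosts.deny, and this one) all rely on the same mechanism: count failed password attempts per source host and deny the host once it crosses a threshold. The following is an added example, not DenyHosts’ own code, that does this over constructed auth.log lines; the 3-attempt threshold mirrors the setting mentioned above, and the "sshd: IP" output matches the hosts.deny syntax DenyHosts writes.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in auth.log format (not real log data);
# addresses are from the documentation ranges.
SAMPLE_AUTH_LOG = """\
Dec  8 06:31:02 fnord sshd[2011]: Failed password for invalid user oracle from 203.0.113.5 port 51122 ssh2
Dec  8 06:31:05 fnord sshd[2011]: Failed password for invalid user oracle from 203.0.113.5 port 51122 ssh2
Dec  8 06:31:09 fnord sshd[2013]: Failed password for root from 203.0.113.5 port 51130 ssh2
Dec  8 06:32:40 fnord sshd[2020]: Failed password for pfh from 192.0.2.77 port 40110 ssh2
Dec  8 06:32:55 fnord sshd[2020]: Accepted publickey for pfh from 192.0.2.77 port 40110 ssh2
Dec  8 06:33:10 fnord sshd[2031]: Failed password for invalid user test from 198.51.100.9 port 2222 ssh2
Dec  8 06:33:12 fnord sshd[2031]: Failed password for invalid user admin from 198.51.100.9 port 2222 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user X from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def count_failures(log_text):
    """Number of failed password attempts per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def hosts_to_deny(log_text, threshold=3):
    """Sorted list of IPs whose failure count reached the threshold."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def hosts_deny_lines(ips):
    """Render entries in /etc/hosts.deny 'daemon: client' syntax for sshd."""
    return ["sshd: %s" % ip for ip in ips]

if __name__ == "__main__":
    print("Added the following hosts to /etc/hosts.deny:")
    for entry in hosts_deny_lines(hosts_to_deny(SAMPLE_AUTH_LOG)):
        print(entry)
```

The successful public-key login from 192.0.2.77 is deliberately left alone: one mistyped password from a legitimate user stays below the threshold, which is why a threshold of 3 rather than 1 is the sensible setting for a box with real users.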

More anti-spam measures

Wednesday, October 10th, 2007

Today I found a link from Project Honeypot to the http:BL plugin for WordPress that blocks various forms of crap – comment spam being a big deal here, as I somehow managed to accumulate over 108 thousand of the attempts on this no-name blog.

Yeesh. Thank god for Akismet.

So the plugin is running, please send me email if you see any problems from it. It’ll be interesting to see what it does to my visit stats, I suspect many of the ‘visitors’ are spam bots anyway.

Fnord updates – downtime, themes

Saturday, August 25th, 2007

We were down last night from about 11:30PM until today around 11AM. Somehow, some [censored] managed to add a link to my sidebar by inserting into the wp_links table for wordpress.

After thinking about it for a bit, I’m updating this post: The link was to www.snjpc.com. It’s an online casino site, and while I dislike giving them hits it seems worthwhile to say that they, or their hires, are doing this sort of blog cracking.

How they managed this, I am still trying to determine. The mysql logfiles

cd /var/log/mysql
mysqlbinlog *.0* | grep wp_links

show no inserts, the mysql instance is only available from localhost (firewalled to boot), and system logs look good. Checks for rootkits and similar are negative, firewall logs are clean, and I am puzzled. Props to this page for mysql tips.

One piece of evidence – they seem to have borked wordpress, probably on purpose – if you invoke the theme editor (or plugin editor) you get

Sorry, that file cannot be edited.

which is patently false. My working hypothesis is, for now, that someone managed to either inject an exploit into Debian’s WordPress package, or found a generic WordPress exploit. I am continuing to investigate and take various measures to prevent a recurrence. This sucks.

Oh yeah, swapped themes for a while as part of the cleanup and diagnostics. Let me know what you think.

Update: Added paragraph naming snjpc.com

Update: A fresh download of WordPress 2.2.2 from Debian or wordpress.org produces the same result… interesting. So either the default WP is broken, or it’s a config file/database problem. Debugging continues…

Update: Looks like the problem is related to the list of files passed to the validate_file_to_edit function. It looks like the first file passed is the wp-config.php, which on Debian is a link to the system file in /etc/wordpress. Hmm, maybe that’s how they got the MySQL access information… You can hack around this by adding the following to theme-editor.php. Change this:

// Original code in theme-editor.php: with no file requested, default to the
// first allowed file (on Debian that is the wp-config.php symlink into /etc/wordpress)
if (empty($file)) {
    $file = $allowed_files[0];
}
$file = validate_file_to_edit($file, $allowed_files);

to the following. This overrides the file list that was passed in, so you have to change the index to match the file you want. Other than that, it totally fixes the problem. Hmm…

if (empty($file)) {
    $file = $allowed_files[0];
}

// Workaround: ignore the requested file and force a fixed entry from the allowed
// list; change the index (3 here) to the file you actually want to edit
$file = $allowed_files[3];

$file = validate_file_to_edit($file, $allowed_files);

Eeenteresting

Wednesday, June 6th, 2007

From the new firewall’s syslog:

Wed Jun  6 17:26:05 2007
RGFW-IN: BLOCK-SYNFLOOD (TCP 76.171.170.53:34556->204.128.136.1:80 on ixp1) [200,0]
Wed Jun  6 17:19:22 2007
SYSLOG_NK-(System Log)Mail sending to [redacted] successfully !

Seems like the box thinks there’s a SYN flood attack, which is a particular type of denial of service.

False alarm? Occurring all along and just now visible? Can’t tell. Does make me wonder if my old OpenBSD pf rules were also working on these. pf is amazing for firewalls.

(The IP points to a host on the Road Runner cable modem network; I assume it’s a pwned Windows box.)