comp.security.misc

#1  07-27-2005, 09:15 PM  The Doctor
Subject: Spykids

Spykids is a known defacer of Web sites. How does one prevent them
from ever having access to the server or even a LAN?

Customer complained:

Spykids should not be able to get into our websites
regardless of whether they are
piggy-backing on a member or not. This has happened 2x so far.

----------------------------

I am running Apache most current version.

Pointers?
--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

#2  07-28-2005, 01:04 AM  Big Kahuna
Re: Spykids

Find out how they're getting in, and lock that down.


#3  07-28-2005, 01:41 AM  The Doctor
Re: Spykids

In article <1122512684.976893.18840@g49g2000cwa.googlegroups.com>,
Big Kahuna <chris@okennon.com> wrote:
>Find out how they're getting in, and lock that down.
>


Which logs should I be looking at? I did not find anything in the Web logs.

Where next?
--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

#4  07-28-2005, 01:42 AM  The Doctor
Re: Spykids

In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>,
Leythos <void@nowhere.lan> wrote:
>In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>says...
>> SPykids is a known defacer of Web Site. How does one prevent them
>> from ever having access to Server or even a LAN?
>>
>> Customer complained:
>>
>> Spykids should not be able to get into our websites
>> regardless of whether they are
>> piggy-backing on a member or not. This has happened 2x so far.

>
>You need to learn how they are getting in, what measures you can do to
>block it and such.
>
>First, put the web server behind a dedicated firewall, not a NAT box, a
>firewall - only allow real HTTP or HTTPS sessions to it.
>
>Require users to have strong passwords, look it up if you don't know
>what that means.
>
>Block IP networks that don't need access to your web sites - as an
>example I block about 50 subnets in countries outside of our own and it
>cuts down on a lot of attempts.
>


I am using pf via OpenBSD. What do I need to add?
--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

#5  07-28-2005, 09:58 AM  Thomas J. Boschloo
Re: Spykids

-----BEGIN PGP SIGNED MESSAGE-----

The Doctor wrote:
> In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>,
> Leythos <void@nowhere.lan> wrote:
>
>>In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>>says...
>>
>>>SPykids is a known defacer of Web Site. How does one prevent them
>>>from ever having access to Server or even a LAN?
>>>
>>>Customer complained:
>>>
>>>Spykids should not be able to get into our websites
>>>regardless of whether they are
>>>piggy-backing on a member or not. This has happened 2x so far.

>>
>>You need to learn how they are getting in, what measures you can do to
>>block it and such.
>>
>>First, put the web server behind a dedicated firewall, not a NAT box, a
>>firewall - only allow real HTTP or HTTPS sessions to it.
>>
>>Require users to have strong passwords, look it up if you don't know
>>what that means.
>>
>>Block IP networks that don't need access to your web sites - as an
>>example I block about 50 subnets in countries outside of our own and it
>>cuts down on a lot of attempts.
>>

>
>
> I am using pf via OpenBSD. What do I need to add?


Only install services that Apache needs and keep both your OpenBSD and
Apache fully patched at all times. If you do that, you won't even need a
firewall. But if the firewall is based on another computer, it doesn't
hurt much (iow, even a firewall can have its buffer overflows and other
stuff)..

Then there is 0-day exploits. Not much you can do about them I am afraid..

Also, change your passwords after a fresh install. And make them
unguessable (like not using the pw 'God' for your 'root' account).

Thomas
- --
Life is like a videogame with no chance to win - ATR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQB5AwUBQuisWQEP2l8iXKAJAQEEmwMfXcrsBo5rSbU0sY0+oSbRbU/taK2xqlTg
AZoaBEDsAy8/8xvb1Do+jTQbRkg5SGi9daIbAV3aJgGyIt+gyW2kJ+FR3WZ6lt35
i3uHQ3c+Nw2JnA4e6QUQDiiULij7djQ7CBWh3Q==
=dMvm
-----END PGP SIGNATURE-----

#6  07-28-2005, 10:32 AM  Bodo Eggert
Re: Spykids

The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> Big Kahuna <chris@okennon.com> wrote:


>>Find out how they're getting in, and lock that down.
>>

>
> Which logs should I be looking at? I did not find anything in the Web logs.
>
> Where next?


http://www.google.com/search?q=securing+howto
--
I thank GMX for sabotaging the use of my addresses by means of lies
spread via SPF.

#7  07-28-2005, 03:47 PM  The Doctor
Re: Spykids

In article <42e8ac2a$0$11079$e4fe514c@news.xs4all.nl>,
Thomas J. Boschloo <nospam@hccnet.nl> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>The Doctor wrote:
>> In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>,
>> Leythos <void@nowhere.lan> wrote:
>>
>>>In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>>>says...
>>>
>>>>SPykids is a known defacer of Web Site. How does one prevent them
>>>>from ever having access to Server or even a LAN?
>>>>
>>>>Customer complained:
>>>>
>>>>Spykids should not be able to get into our websites
>>>>regardless of whether they are
>>>>piggy-backing on a member or not. This has happened 2x so far.
>>>
>>>You need to learn how they are getting in, what measures you can do to
>>>block it and such.
>>>
>>>First, put the web server behind a dedicated firewall, not a NAT box, a
>>>firewall - only allow real HTTP or HTTPS sessions to it.
>>>
>>>Require users to have strong passwords, look it up if you don't know
>>>what that means.
>>>
>>>Block IP networks that don't need access to your web sites - as an
>>>example I block about 50 subnets in countries outside of our own and it
>>>cuts down on a lot of attempts.
>>>

>>
>>
>> I am using pf via OpenBSD. What do I need to add?

>
>Only install services that Apache needs and keep both your OpenBSD and
>Apache fully patched at all times. If you do that, you won't even need a
>firewall. But if the firewall is based on another computer, it doesn't
>hurt much (iow, even a firewall can have its buffer overflows and other
>stuff)..


The firewall is pf on OpenBSD.

As for Apache , I use:


CC=/usr/bin/gcc CFLAGS="-Wall -DDEBUG -g -O9 -march=i686 " ./configure \
--enable-layout=BSDI\
--enable-v4-mapped \
--enable-maintainer-mode\
--enable-modules=most\
--enable-mods-shared=all\
--disable-optional-hook-export\
--disable-optional-hook-import\
--disable-optional-fn-export\
--disable-optional-fn-import\
--disable-ldap\
--disable-auth-ldap\
--disable-proxy\
--disable-proxy-connect\
--disable-proxy-ftp\
--disable-proxy-http\
--enable-auth-anon=shared\
--enable-auth-dbmi=shared\
--enable-auth-digest=shared\
--enable-file-cache=shared\
--enable-echo=shared\
--enable-charset-lite=shared\
--enable-cache=shared\
--enable-disk-cache=shared\
--enable-mem-cache=shared\
--enable-ext-filter=shared\
--enable-deflate=shared\
--enable-logio=shared\
--enable-mime-magic=shared\
--enable-cern-meta=shared\
--enable-expires=shared\
--enable-headers=shared\
--enable-usertrack=shared\
--enable-unique-id=shared\
--enable-ssl=shared\
--enable-bucketeer=shared\
--enable-static-support\
--enable-static-htpasswd\
--enable-static-htdigest\
--enable-static-rotatelogs\
--enable-static-logresolve\
--enable-static-htdbm\
--enable-static-ab\
--enable-static-checkgid\
--enable-http\
--enable-dav=shared\
--enable-info=shared\
--enable-suexec=shared\
--enable-cgi=shared\
--enable-cgid=shared\
--enable-dav-fs=shared\
--enable-vhost-alias=shared\
--enable-speling=shared\
--enable-rewrite=shared\
--enable-so\
--with-z=/usr\
--with-ssl=/usr/contrib\
--with-mpm=prefork\
--enable-nonportable-atomics=yes\
--with-suexec-bin=/usr/contrib/bin\
--with-suexec-caller=www\
--with-suexec-userdir=html\
--with-suexec-docroot=html\
--with-suexec-uidmin=100\
--with-suexec-gidmin=100\
--with-suexec-logfile=/var/log/httpd/suexec_log\
--with-suexec-safepath=/bin:/usr/bin:/usr/contrib/bin\
--with-suexec-umask=022
>
>Then there is 0-day exploits. Not much you can do about them I am afraid..
>
>Also, change your passwords after a fresh install. And make them
>unguessable (like not using the pw 'God' for your 'root' account).


I use the 3-4 combination on a 7+ string password.

>
>Thomas
>- --
>Life is like a videogame with no chance to win - ATR
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (MingW32)
>Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>iQB5AwUBQuisWQEP2l8iXKAJAQEEmwMfXcrsBo5rSbU0sY0+oSbRbU/taK2xqlTg
>AZoaBEDsAy8/8xvb1Do+jTQbRkg5SGi9daIbAV3aJgGyIt+gyW2kJ+FR3WZ6lt35
>i3uHQ3c+Nw2JnA4e6QUQDiiULij7djQ7CBWh3Q==
>=dMvm
>-----END PGP SIGNATURE-----



--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

#8  07-28-2005, 03:51 PM  The Doctor
Re: Spykids

In article <MPG.1d52a8716b851357989a7c@news-server.columbus.rr.com>,
Leythos <void@nowhere.lan> wrote:
>In article <dc9d6p$53n$3@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>says...
>> In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>,
>> Leythos <void@nowhere.lan> wrote:
>> >In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>> >says...
>> >> SPykids is a known defacer of Web Site. How does one prevent them
>> >> from ever having access to Server or even a LAN?
>> >>
>> >> Customer complained:
>> >>
>> >> Spykids should not be able to get into our websites
>> >> regardless of whether they are
>> >> piggy-backing on a member or not. This has happened 2x so far.
>> >
>> >You need to learn how they are getting in, what measures you can do to
>> >block it and such.
>> >
>> >First, put the web server behind a dedicated firewall, not a NAT box, a
>> >firewall - only allow real HTTP or HTTPS sessions to it.
>> >
>> >Require users to have strong passwords, look it up if you don't know
>> >what that means.
>> >
>> >Block IP networks that don't need access to your web sites - as an
>> >example I block about 50 subnets in countries outside of our own and it
>> >cuts down on a lot of attempts.
>> >

>>
>> I am using pf via OpenBSD. What do I need to add?

>
>I don't use that combination, so I can't specifically state what you
>need to use, but, I have to ask:
>
>1) Is the firewall and web server the same machine?
> If so, bad idea, firewall should be a stripped down machine with
> minimal services and only the firewall application.


Firewall, the OpenBSD machine running pf, is ISOLATED!

>
>2) Did you secure Apache and the OS on the machine you use?


I am running BSD/OS 4.3.1 running current Apache.

Still my compile script looks like:


CC=/usr/bin/gcc CFLAGS="-Wall -DDEBUG -g -O9 -march=i686 " ./configure \
--enable-layout=BSDI\
--enable-v4-mapped \
--enable-maintainer-mode\
--enable-modules=most\
--enable-mods-shared=all\
--disable-optional-hook-export\
--disable-optional-hook-import\
--disable-optional-fn-export\
--disable-optional-fn-import\
--disable-ldap\
--disable-auth-ldap\
--disable-proxy\
--disable-proxy-connect\
--disable-proxy-ftp\
--disable-proxy-http\
--enable-auth-anon=shared\
--enable-auth-dbmi=shared\
--enable-auth-digest=shared\
--enable-file-cache=shared\
--enable-echo=shared\
--enable-charset-lite=shared\
--enable-cache=shared\
--enable-disk-cache=shared\
--enable-mem-cache=shared\
--enable-ext-filter=shared\
--enable-deflate=shared\
--enable-logio=shared\
--enable-mime-magic=shared\
--enable-cern-meta=shared\
--enable-expires=shared\
--enable-headers=shared\
--enable-usertrack=shared\
--enable-unique-id=shared\
--enable-ssl=shared\
--enable-bucketeer=shared\
--enable-static-support\
--enable-static-htpasswd\
--enable-static-htdigest\
--enable-static-rotatelogs\
--enable-static-logresolve\
--enable-static-htdbm\
--enable-static-ab\
--enable-static-checkgid\
--enable-http\
--enable-dav=shared\
--enable-info=shared\
--enable-suexec=shared\
--enable-cgi=shared\
--enable-cgid=shared\
--enable-dav-fs=shared\
--enable-vhost-alias=shared\
--enable-speling=shared\
--enable-rewrite=shared\
--enable-so\
--with-z=/usr\
--with-ssl=/usr/contrib\
--with-mpm=prefork\
--enable-nonportable-atomics=yes\
--with-suexec-bin=/usr/contrib/bin\
--with-suexec-caller=www\
--with-suexec-userdir=html\
--with-suexec-docroot=html\
--with-suexec-uidmin=100\
--with-suexec-gidmin=100\
--with-suexec-logfile=/var/log/httpd/suexec_log\
--with-suexec-safepath=/bin:/usr/bin:/usr/contrib/bin\
--with-suexec-umask=022
>
>3) Does your site require user authentication?


In the one that got nailed, .htaccess

>
>I'm in the US and don't do business with foreign companies or need to
>provide access to our services from foreign hosts, so I block many
>subnets that seem to target our public IP addresses, here is my short
>list, it may not work for you.
>
>12.144.182.0/24
>12.45.203.0/24
>12.98.139.0/24
>155.48.106.0/24
>168.126.0.0/16
>172.184.111.203
>193.251.0.0/16
>193.252.0.0/16
>193.253.0.0/16
>195.174.0.0/16
>195.175.16.0/20
>195.58.124.0/24
>200.30.203.0/24
>202.88.186.0/24
>203.152.22.0/24
>205.251.79.0/24
>210.173.37.0/24
>210.201.153.0/24
>210.71.115.0/24
>211.54.40.0/25
>212.150.124.0/24
>212.18.57.0/24
>212.202.178.0/24
>212.27.32.0-212.27.63.255
>212.64.192.0-212.64.203.255
>212.64.223.160/29
>212.64.223.168/29
>212.9.7.0/24
>213.13.26.0/24
>213.144.176.0/24
>213.190.213.0/24
>213.228.7.0/24
>213.228.8.0/24
>216.184.97.0/24
>216.76.35.0/24
>217.118.224.0/24
>217.118.225.0/24
>217.118.239.0/24
>217.160.110.0/24
>218.164.28.0/24
>218.252.74.0/24
>218.67.128.0-218.69.255.255
>218.69.108.0/24
>218.69.148.0/24
>218.76.98.0/24
>219.212.4.0/24
>
>
>
>--
>
>spam999free@rrohio.com
>remove 999 in order to email me



--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

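An added example, not code posted by anyone in this thread, that answers the "what do I need to add" question for pf using the block list quoted in the post above. pf tables accept hosts and CIDR prefixes but not the "a-b" ranges that appear in Leythos's list, so the script summarizes each range into CIDR blocks, collapses overlaps (218.69.108.0/24 already lies inside 218.67.128.0-218.69.255.255), writes the table body, and renders a default-deny pf.conf that passes only TCP 80/443 to the web server, which is the "only real HTTP or HTTPS sessions" rule from the quoted advice. The interface name fxp0, the server address 192.0.2.10 and the table path /etc/pf.badnets are assumptions; BLOCKLIST is a constructed subset of the quoted list.

```python
"""Normalize a mixed block list into CIDR and emit a pf.conf fragment.

Added example, not from the thread. Assumed values: ext_if "fxp0", web
server 192.0.2.10 (RFC 5737 documentation address), table file
/etc/pf.badnets. BLOCKLIST is a constructed subset of the quoted list in
the three formats it mixes: CIDR, "start-end" range, and a bare host.
"""
import ipaddress

BLOCKLIST = """
12.144.182.0/24
168.126.0.0/16
172.184.111.203
212.27.32.0-212.27.63.255
218.67.128.0-218.69.255.255
218.69.108.0/24
211.54.40.0/25
"""

EXT_IF = "fxp0"         # assumption: external interface of the pf box
WEB_SRV = "192.0.2.10"  # assumption: web server behind it
TABLE_FILE = "/etc/pf.badnets"


def parse_blocklist(text):
    """Return a sorted, collapsed list of IPv4Network objects.

    Ranges are summarized into the minimal set of CIDR blocks, because pf
    tables do not take "a-b" syntax. Entries already covered by a larger
    block (218.69.108.0/24 inside the 218.67.128.0 range) collapse away.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "-" in line:
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return sorted(ipaddress.collapse_addresses(nets))


def render_table(nets):
    """Body of the file loaded by 'table <badnets> persist file ...'."""
    return "\n".join(str(n) for n in nets) + "\n"


def render_pf_conf():
    """Default-deny ruleset: badnets dropped first, then only 80/443 to the web server."""
    return f"""ext_if = "{EXT_IF}"
web_srv = "{WEB_SRV}"
table <badnets> persist file "{TABLE_FILE}"

set skip on lo
block in log all                          # default deny on every interface
block in quick on $ext_if from <badnets>  # noisy networks, dropped early
pass out quick keep state                 # outbound and its replies
pass in on $ext_if proto tcp to $web_srv port {{ 80 443 }} \\
    flags S/SA keep state
"""


def is_blocked(ip, nets):
    """True if the address falls in any table entry."""
    return any(ipaddress.ip_address(ip) in n for n in nets)


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST)
    print(render_table(nets))
    print(render_pf_conf())
    for probe in ("212.27.40.1", "218.69.108.5", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
```

Write the table body to the table file and the ruleset to /etc/pf.conf, check it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the entries with `pfctl -t badnets -T show`. Country-wide blocking is coarse, as the quoted post itself says: it cuts noise but tells you nothing about how the defacer got in.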
#9  07-28-2005, 11:36 PM  The Doctor
Re: Spykids

In article <MPG.1d52c9b8de84e4ab989a80@news-server.columbus.rr.com>,
Leythos <void@nowhere.lan> wrote:
>In article <dcaunf$fn7$13@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>says...
>> >Also, change your passwords after a fresh install. And make them
>> >unquessable (like not using the pw 'God' for your 'root' account).

>>
>> I use the 3-4 combination on a 7+ string password.

>
>But, if you use any word found in a dictionary or a name or place or
>anything other than a mix of letters, numbers, upper case/lower case,
>you are fooling yourself if you think your password is safe.
>
>Use 10+ characters and a mix like Q74btl771Ne or, if your system
>permits, use special characters like !@#$%^&*() in the password.
>


Dictionary attack. I know about those. I tell people the 3 or 4 combo.

3 combo is Caps, smalls and numbers. Guess which is 4.


>
>--
>
>spam999free@rrohio.com
>remove 999 in order to email me



--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

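An added example, not from any poster in this thread, of what the "3 or 4 combo" rule in the exchange above does and does not catch. It counts character classes the way the rule does, then adds the two checks the quoted reply implies: a length floor, and a test for a dictionary word dressed up with digits and symbol substitutions, which is the case a dictionary attack with mangling rules still cracks. The wordlist and the sample passwords are constructed; Q74btl771Ne is the example from the quoted reply.

```python
"""Password check along the lines argued in the thread.

Added example, not from the thread. "Combo" counts character classes
(caps, smalls, digits, specials); the extra checks are a length floor and
a dictionary-root test that undoes common substitutions first.
"""
import math
import string

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"god", "password", "doctor", "liberal", "heaven", "hell", "apache"}

# Substitutions a mangling rule set tries; the check reverses them.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = (
    ("caps", set(string.ascii_uppercase)),
    ("smalls", set(string.ascii_lowercase)),
    ("digits", set(string.digits)),
    ("specials", set(string.punctuation)),
)


def classes_used(pw):
    """Names of the character classes present, in CLASSES order."""
    return [name for name, chars in CLASSES if any(c in chars for c in pw)]


def dictionary_root(pw):
    """Return the dictionary word the password is built on, or None.

    Strips digits and punctuation from both ends, undoes leet substitutions,
    lowercases, then looks the remainder up: 'G0d123!' -> 'god'.
    """
    core = pw.strip(string.digits + string.punctuation)
    cand = core.translate(LEET).lower()
    return cand if cand in WORDLIST else None


def entropy_bits(pw):
    """Brute-force search space in bits, assuming the attacker knows which classes are used."""
    used = classes_used(pw)
    size = sum(len(chars) for name, chars in CLASSES if name in used)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw, min_len=10, min_classes=3):
    """Return (ok, reasons); ok is False when any rule fails."""
    reasons = []
    used = classes_used(pw)
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len}")
    if len(used) < min_classes:
        reasons.append(f"only {len(used)} character classes")
    root = dictionary_root(pw)
    if root:
        reasons.append(f"dictionary word '{root}' with decorations")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("God", "G0d123!", "Q74btl771Ne", "D0ct0r!!99"):
        ok, why = assess(pw)
        print(f"{pw!r:14} classes={classes_used(pw)} "
              f"bits={entropy_bits(pw):.0f} ok={ok} {why}")
```

"G0d123!" satisfies the 4-combo rule and fails anyway, because its root is a wordlist entry; "Q74btl771Ne" has only three classes and passes, because nothing in it is a word and its search space is about 65 bits.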
#10  08-02-2005, 02:02 PM  Cristiano Deana - FreeCRIS
Re: Spykids

On Wed, 27 Jul 2005 22:15:44 +0000, The Doctor wrote:

> I am running Apache most current version.


php?
do your customers have their own ftp access?
cgi?
do you/your_customers use phpBB or equivalent?

--
* Cristiano Deana, FreeCRIS - Biella
* Honda Hornet 600 grey-black, Andúril
* No, I don't add smileys. Add them yourself at random.


#11  08-02-2005, 04:31 PM  The Doctor
Re: Spykids

In article <42ef7e0d$1_1@newsgate.x-privat.org>,
Cristiano Deana - FreeCRIS <freecris@despammed.com> wrote:
>On Wed, 27 Jul 2005 22:15:44 +0000, The Doctor wrote:
>
>> I am running Apache most current version.

>
>php?


5.0.4

>do your customers have their own ftp access?


Yes.

>cgi?


Yes.

>do you/your_customers use phpBB or equivalent?
>


Only one and it is the most current version.

>--
>* Cristiano Deana, FreeCRIS - Biella
>* Honda Hornet 600 grey-black, Andúril
>* No, I don't add smileys. Add them yourself at random.
>



--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.

#12  08-03-2005, 09:17 AM  neale
Re: Spykids


spykids exploited a vulnerability in old versions of awstats (v5.0-6.3 I
think).
update awstats or don't use it, plus all the good advice above :)

a story from someone with "first hand" experience.
http://www.bazon.net/mishoo/home.epl?NEWS_ID=1106


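An added example, not from any poster in this thread, for the "which logs should I be looking at" question asked earlier, now that a vector has been named. It reads Apache's combined-format access log (the error_log and the suexec log at /var/log/httpd/suexec_log from the posted configure line are the other two worth reading) and flags three things: CGI requests, awstats.pl in particular, whose decoded query string carries shell metacharacters, which is how the 2005 awstats command-injection bugs were triggered; 401 bursts from one client and one member authenticating from many addresses, the "piggy-backing on a member" case against an .htaccess-protected area; and content-changing WebDAV methods by an authenticated user, which the posted build enables with --enable-dav. The log lines are constructed and the thresholds are assumptions.

```python
"""Triage an Apache combined-format access log for the thread's two intrusion paths.

Added example, not from the thread. LOG is constructed; the thresholds in
auth_abuse() are assumptions to tune against real traffic.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

LOG = r'''
203.0.113.7 - - [27/Jul/2005:21:02:11 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20defaced>index.html| HTTP/1.0" 200 1203 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Jul/2005:21:02:14 +0000] "GET /cgi-bin/awstats.pl?config=site&lang=en HTTP/1.0" 200 5410 "-" "Mozilla/4.0"
198.51.100.4 - - [27/Jul/2005:21:05:01 +0000] "GET /members/ HTTP/1.1" 401 401 "-" "curl/7.13"
198.51.100.4 - - [27/Jul/2005:21:05:02 +0000] "GET /members/ HTTP/1.1" 401 401 "-" "curl/7.13"
198.51.100.4 - - [27/Jul/2005:21:05:03 +0000] "GET /members/ HTTP/1.1" 401 401 "-" "curl/7.13"
198.51.100.4 - - [27/Jul/2005:21:05:04 +0000] "GET /members/ HTTP/1.1" 401 401 "-" "curl/7.13"
198.51.100.4 - bob [27/Jul/2005:21:05:05 +0000] "GET /members/ HTTP/1.1" 200 812 "-" "curl/7.13"
192.0.2.20 - bob [27/Jul/2005:22:10:00 +0000] "GET /members/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.21 - bob [27/Jul/2005:22:11:00 +0000] "GET /members/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.22 - bob [27/Jul/2005:22:12:00 +0000] "PUT /members/index.html HTTP/1.1" 201 0 "-" "Mozilla/5.0"
'''

# Combined log format: host ident authuser [time] "method path proto" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Shell metacharacters that have no business in a CGI query string.
META_RE = re.compile(r"[|;`]|\$\(")


def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def cgi_injection(entries):
    """CGI requests whose URL-decoded query string carries shell metacharacters."""
    hits = []
    for e in entries:
        path, _, query = e["path"].partition("?")
        if "/cgi-bin/" in path or path.endswith((".pl", ".cgi")):
            if META_RE.search(unquote(query)):
                hits.append(e)
    return hits


def auth_abuse(entries, max_401=3, max_ips_per_user=2):
    """Return (clients with >= max_401 failures, {user: ips} seen from too many addresses)."""
    fails = Counter(e["ip"] for e in entries if e["status"] == 401)
    ips_by_user = defaultdict(set)
    for e in entries:
        if e["user"] != "-":
            ips_by_user[e["user"]].add(e["ip"])
    brute = sorted(ip for ip, n in fails.items() if n >= max_401)
    shared = {u: sorted(ips) for u, ips in ips_by_user.items()
              if len(ips) > max_ips_per_user}
    return brute, shared


def content_writes(entries):
    """Content-changing (WebDAV) methods; with mod_dav these rewrite files in place."""
    return [e for e in entries if e["method"] in ("PUT", "DELETE", "MOVE", "COPY", "MKCOL")]


if __name__ == "__main__":
    entries = list(parse(LOG))
    for e in cgi_injection(entries):
        print("CGI injection:", e["ip"], e["path"])
    brute, shared = auth_abuse(entries)
    print("401 bursts from:", brute)
    print("members seen from many IPs:", shared)
    for e in content_writes(entries):
        print("content write:", e["user"], e["ip"], e["method"], e["path"])
```

The first hit is the awstats request with a pipe in its query string; the second is bob's credential being used from four addresses within an hour, ending in a PUT over the site's index. A "clean" access log that was searched only for 404s or 500s shows neither, because both paths return 200-series codes.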
#13  08-03-2005, 12:47 PM  The Doctor
Re: Spykids

In article <1123060630.002052.19810@g49g2000cwa.googlegroups.com>,
neale <neale@ranns.org> wrote:
>
>spykids exploited a vulnerability in old versions of awstats (v5.0-6.3 I
>think).
>update awstats or don't use it, plus all the good advice above :)
>


awstats is a flop of a programme. Still I will look around.

I prefer wwwstats, and analog.

>a story from someone with "first hand" experience.
>http://www.bazon.net/mishoo/home.epl?NEWS_ID=1106
>



--
Member - Liberal International
This is doctor@nl2k.ab.ca Ici doctor@nl2k.ab.ca
God Queen and country! Beware Anti-Christ rising!
Better to serve in Heaven than to Rule in Hell.
