Welcome to the JaguarPC Community

This is a discussion on Hacker fighting.... in the Open Discussion & Chit-chat forum

  1. #1
    Loyal Client
    Join Date
    Mar 2009
    Location
    Cincinnati, OH
    Posts
    63

    Hacker fighting....

    Well, my site got hacked through an exploit in a Joomla component, which I found after quite a while. Now the "anti hacker war" was declared from my side and I am actively monitoring the site for IPs searching for exploits in my sites. "csf"/"lfd" are decent starting points, but do not cover exploits in the web site.

    One of the exploits seems to involve a "phpThumb.php" file. The good thing is, you don't even need to have it to find the scumbags trying to get in. The access logs on your server track these requests, and with the command below you can easily find the IPs and, if you have time, do a whois on that IP and write to the abuse e-mail.

    grep -h phpThumb /home/*/access-logs/* | awk '{ print $1 }' | sort -u

    So, finally coming to the actual question - I am wondering if there is interest in starting a thread here showing some tools that are not out of the box and that may help fight these "other ends of the mouth".

  2. #2
    Loyal Client
    Join Date
    Mar 2009
    Location
    Cincinnati, OH
    Posts
    63
    And the complete script, with automatic blocking via csf and logging in /var/log:

    Code:
    #!/bin/bash
    ####
    ##
    ## Change the block_string below to include all vulnerabilities you want to check for (separated by space)
    ##
    block_string="phpThumb"
    ##
    ## Blocked IPs are appended (>>) to this log; a single > would overwrite it on every run
    logfile=/var/log/blocked_ips.log
    ##
    echo "Blocked IPs: "
    for block_text in $block_string
    do
            echo "Checking: $block_text"
            # -h drops the file-name prefix grep adds when given several files; -F matches the string literally
            for ip in $(grep -hF "$block_text" /home/*/access-logs/* | awk '{ print $1 }' | sort -u)
            do
                    echo -n "     $ip"
                    # Heuristic from the original script: csf -g prints 3 lines when the IP is in no rule yet
                    if [ "$(csf -g "$ip" | wc -l)" -eq 3 ]
                    then
                            csf -d "$ip" >>"$logfile" 2>/dev/null
                            echo " blocked - ($block_text)"
                    else
                            echo " already blocked"
                    fi
            done
    done
    echo "Done."

  3. #3
    Voluntarily Retired gohighvoltage
    Join Date
    Jan 2011
    Posts
    641
    Tom, that is a great idea! We should have a section on server Security, etc.

    Over the last month I know my CSF/LFD has been working overtime, 30 to 45 port-scanning IPs blocked daily. It is crazy!

  4. #4
    JPC Dream Team JPC-Sabrina
    Join Date
    Aug 2011
    Posts
    343
    Joomla and WordPress are highly susceptible to hacking. If you are running either of these, please be hyper-diligent in upgrading your versions and plugins. Some of the forum members here at JaguarPC have good tips and tricks that can be helpful in defending against these types of attacks.
    JPC-Sabrina / Public Relations
    sabrina@jaguarpc.com


  5. #5
    Voluntarily Retired gohighvoltage
    Join Date
    Jan 2011
    Posts
    641
    Would mod_security help with Joomla and WordPress?

    I don't use Joomla or WordPress, so don't know much about it.

  6. #6
    Loyal Client
    Join Date
    Mar 2009
    Location
    Cincinnati, OH
    Posts
    63
    Sabrina,
    I agree that these are the most vulnerable apps (probably also because they are the most used ones); the problem is that I cannot force all users to upgrade - some sites are highly customized, and installing updates would break functionality and design.

    Hence my thought about using site-independent tools that check the logs for attempts to use known vulnerabilities and simply block these IPs server-wide.

  7. #7
    Voluntarily Retired gohighvoltage
    Join Date
    Jan 2011
    Posts
    641
    Hey Tom, I know what you mean. Many clients do not keep up with updates and security notices. It puts you in a bad spot because their script vulnerabilities put your whole server at risk. Do you know anything about mod_security? I have been checking this out and it is supposed to help with added security, etc.

    Not sure if it will help you, but maybe it can.

  8. #8
    Loyal Client
    Join Date
    Sep 2011
    Location
    Bellthorpe
    Posts
    214

    Honeypot

    Quote Originally Posted by Big Tom View Post
    One of the exploits seems to involve a "phpThumb.php" file. The good thing is, you don't even need to have it to find the scumbags trying to get in. The access logs on your server track these requests, and with the command below you can easily find the IPs and, if you have time, do a whois on that IP and write to the abuse e-mail.
    In my view writing to 'abuse@' is not a good use of your time. It's laborious, and is unlikely to have any effect.

    I have a honeypot on most of my major sites. Note that it's not aimed at those looking for exploits (although I could do that); it's aimed at bots ignoring robots.txt, often in contravention of their own published policies. In some cases, I just get a report of a villain by email and I can make a decision:

    A bad robot hit /future/ 23-11-2011 (Wed) 10:20:44
    address is 221.194.134.181, agent is Mozilla/4.0 (compatible; MSIE 6.0; AugustBot/augustbot@163.com)
    In other cases I automatically add the bad bots to the .htaccess file. There are plenty of scripts out there to assist. Make sure that you don't ban yourself when you test it.
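
Combining this post's honeypot-plus-.htaccess approach with the log grep for probe strings from posts #1 and #2, here is an added example that is an editor's illustration, not code from Big Tom or any other poster in this thread. It parses Apache combined-format log lines (the format cPanel's /home/*/access-logs/* use), flags requests for a probe string and hits on a honeypot path, drops anything from an allowlist so that testing the trap yourself never bans you, and emits both an .htaccess RequireAll block and the equivalent csf -d commands for review instead of running them. The probe string phpThumb and the /future/ trap path come from the thread; the 203.0.113.0/24 allowlist, the sample log lines and every IP address in them are constructed for this example.

```python
"""Added example (not code from the thread): scan Apache/cPanel access-log lines
for exploit probes (post #2's block_string idea) and honeypot hits (post #8),
then build a block list that can never contain your own addresses.
All sample log lines and addresses below are constructed for this example."""
import ipaddress
import re
from collections import Counter, defaultdict

# Apache "combined" log format:
#   ip ident user [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Strings only a vulnerability scanner would request (the thread's block_string).
# Matched case-insensitively, since scanners vary the case to slip past a plain grep.
PROBE_STRINGS = ("phpThumb",)
# Honeypot paths: listed under Disallow in robots.txt and linked nowhere a human clicks.
# "/future/" is the path from post #8's sample report.
HONEYPOT_PATHS = ("/future/",)
# Addresses that must never be blocked (your own, your monitoring box). Constructed range.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)


def classify(entry):
    """Name the offence for one parsed request, or None if it looks legitimate."""
    path = entry["path"]
    for probe in PROBE_STRINGS:
        if probe.lower() in path.lower():
            return f"probe:{probe}"
    for trap in HONEYPOT_PATHS:
        if path.startswith(trap):
            return "honeypot"
    return None


def scan(lines):
    """Map each offending, non-allowlisted IP to a Counter of offence -> hits."""
    offenders = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip garbage instead of crashing on a partly corrupted log
        reason = classify(entry)
        if reason and not is_allowlisted(entry["ip"]):
            offenders[entry["ip"]][reason] += 1
    return dict(offenders)


def _ip_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


def htaccess_block(offenders):
    """Apache 2.4 rules for .htaccess: one deny per IP, reason kept as a comment."""
    out = ["<RequireAll>", "    Require all granted"]
    for ip in sorted(offenders, key=_ip_key):
        reasons = ", ".join(f"{r} x{n}" for r, n in sorted(offenders[ip].items()))
        out.append(f"    # {reasons}")
        out.append(f"    Require not ip {ip}")
    out.append("</RequireAll>")
    return "\n".join(out)


def csf_commands(offenders):
    """The equivalent csf deny commands, returned for review rather than executed."""
    cmds = []
    for ip in sorted(offenders, key=_ip_key):
        comment = " / ".join(sorted(offenders[ip]))
        cmds.append(f"csf -d {ip} '{comment}'")
    return cmds


# Constructed sample log: two phpThumb probes, one bot in the trap, the admin
# testing the trap from an allowlisted address, one normal visit, one garbage line.
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Nov/2011:10:20:44 +0000] "GET /images/phpThumb.php?src=x HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Nov/2011:10:20:45 +0000] "GET /plugins/phpthumb.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [23/Nov/2011:10:20:44 +0000] "GET /future/ HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; ExampleBot/1.0)"',
    '203.0.113.5 - - [23/Nov/2011:10:21:00 +0000] "GET /future/ HTTP/1.1" 200 1024 "-" "curl/7.21"',
    '192.0.2.9 - - [23/Nov/2011:10:22:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(htaccess_block(found))
    print("\n".join(csf_commands(found)))
```

On a real server you would iterate over the access-log files instead of SAMPLE_LOG; the point of returning the csf commands rather than running them is that you read the list before anything is denied, which is exactly the "don't ban yourself" check above, and the allowlist enforces it even when the script is later automated.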

  9. #9
    Loyal Client
    Join Date
    Jun 2011
    Posts
    51
    Quote Originally Posted by Big Tom View Post
    Well, my site got hacked through an exploit in a Joomla component, which I found after quite a while. Now the "anti hacker war" was declared from my side and I am actively monitoring the site for IPs searching for exploits in my sites.
    If you're using Joomla, WordPress, osCommerce or any other popular software installation, you'll want to check out the vulnerabilities at exploit-db.com. Here's a list of Joomla vulnerabilities (notice the latest one was only posted a week ago).

  10. #10
    JPC Member
    Join Date
    Nov 2011
    Location
    Australia
    Posts
    21
    Quote Originally Posted by gohighvoltage View Post
    Do you know anything about mod_security? I have been checking this out and it is suppose to help with added security, etc.

    Not sure if it will help you, but maybe it can.
    mod_security itself does help, but to get the most out of it, you need to use it with some good rules. I'd recommend gotroot/Atomic Modsecurity.

    There's a guide here: http://www.atomicorp.com/wiki/index....Security_Rules

  11. #11
    CTO JPC-Masood
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,070
    You can also sign up for email alerts on Secunia (The Leading Provider of Vulnerability Management and Vulnerability Intelligence Solutions). I'm not sure if they can send alerts on only a few apps; I receive all alerts and filter them for what I'm interested in (its email traffic is very high).

    Masood N. | Chief Technical Officer
    JaguarPC.com



  12. #12
    JPC Member
    Join Date
    Feb 2012
    Posts
    30
    My site was hacked this week.
