Is someone trying to hack me (and succeeding)?
- Posts: 56
- Joined: 22 Jan 2008, 06:06
I spotted this in my latest LogWatch message:
--------------------- Sudo (secure-log) Begin ------------------------
Unmatched Entries:
www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
---------------------- Sudo (secure-log) End -------------------------
It looks like there is a major weakness somewhere that is allowing system files (such as the password file!) to be read by users via the web interface.
Looks like I am about to be pwned
I am checking my logs in detail...
- Posts: 56
- Joined: 22 Jan 2008, 06:06
I did a course on computer security and vulnerabilities a while back and threw the whole range of hacker attack tools at Bubba to see what I could find. In fact Bubba was very secure and much more secure than some well-known websites out there.
I do see a lot of attempts by hacking bots to request system files, which Bubba of course does not supply! I guess it is one of those attempts you are seeing here....
- Posts: 56
- Joined: 22 Jan 2008, 06:06
I don't use 'Logwatch' so I don't know what it reports, but unless you have given out your root password then I think it's unlikely you have been hacked. Unless you have altered apache then I cannot see /etc/passwd (or its shadow) being accessible. If they have your root password, why would they need your passwd file?
There is some truth in using 'difficult' passwords, as it is always possible to do a DES compare between an encrypted dictionary and a /etc/passwd file. I have done it myself and am amazed how many users still use 'nouns' as their passwords; including numbers in a password always helps.
So in short, I don't think you've been hacked; unless you've invited it. Change your root password, just in case....
Bubba is no more hackable than any other server connected to the internet, less so in fact as it has fewer open ports to attack......
Last edited by Clive on 11 Jun 2008, 16:41, edited 1 time in total.
UPDATE !
I've just logged onto my server via the web-admin (using my normal, non-root username) and analysed my /var/log/auth.log and got the following entry -
Jun 11 22:13:56 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
(note that this entry occurs even if a false username/password is submitted)
So your original 'Logwatch' entry looks just like a genuine login attempt to the web-admin console.... Bubba is just verifying your username/password regardless if it's correct or not...
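An added example (not code from this thread or from Excito) of the check that Clive's finding suggests. Since every web-admin login attempt, correct or not, produces one of these sudo lines, the line itself is noise; what is worth alerting on is (a) www-data running anything through sudo other than that exact command, and (b) a burst of those lines, which means someone is guessing passwords against the web-admin. The log lines below are constructed in the format quoted above; the allowlist, the burst threshold and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import deque
from datetime import datetime

# One sudo line from auth.log, in the shape quoted in this thread:
#   Jun 11 22:13:56 sydnew sudo: www-data : TTY=unknown ; PWD=... ; USER=root ; COMMAND=...
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands each low-privilege account is expected to run through sudo.
# Assumption: built from the single entry shown in the thread; a real
# allowlist should mirror what /etc/sudoers actually grants on the box.
EXPECTED = {
    "www-data": {"/usr/lib/web-admin/backend.pl dump_file /etc/shadow"},
}

# Constructed sample: five login attempts inside one minute, then a sudo
# command www-data should never run, then an unrelated (non-sudo) line.
SAMPLE_LOG = """\
Jun 11 22:13:56 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
Jun 11 22:14:01 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
Jun 11 22:14:03 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
Jun 11 22:14:04 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
Jun 11 22:14:06 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/usr/lib/web-admin/backend.pl dump_file /etc/shadow
Jun 11 22:20:00 sydnew sudo: www-data : TTY=unknown ; PWD=/usr/share/web-admin ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 11 22:20:01 sydnew sshd[4242]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
"""


def parse_sudo_line(line, year=2008):
    """Return the fields of a sudo log line, or None for any other line.
    syslog timestamps carry no year, so one is assumed (2008, the thread's date)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["ts"], "%b %d %H:%M:%S").replace(year=year)
    return fields


def analyse(lines, burst_count=5, burst_seconds=60):
    """Return (kind, user, detail) findings:
    'unexpected-sudo' for a command outside EXPECTED for that user,
    'login-burst' when burst_count expected auth lookups land within burst_seconds."""
    findings = []
    recent = deque()  # timestamps of expected (allowlisted) invocations
    for line in lines:
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        if entry["cmd"] not in EXPECTED.get(entry["user"], set()):
            findings.append(("unexpected-sudo", entry["user"], entry["cmd"]))
            continue
        # Expected command: one line per web-admin login attempt, correct or not,
        # so a burst of them means someone is guessing passwords.
        recent.append(entry["time"])
        while (entry["time"] - recent[0]).total_seconds() > burst_seconds:
            recent.popleft()
        if len(recent) == burst_count:
            findings.append(("login-burst", entry["user"],
                             f"{burst_count} auth lookups within {burst_seconds}s"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {user}: {detail}")
```

Run it against a real /var/log/auth.log with `analyse(open("/var/log/auth.log"))` after filling EXPECTED from your own sudoers; the point of the allowlist is that the alarming-looking line stops being the signal, and any deviation from it becomes one.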
- Posts: 56
- Joined: 22 Jan 2008, 06:06
Ah, it seems that Clive may have hit the nail on the head.
I did some further tests with Bubba while offline from my main network and discovered the following:
There are two perl scripts used by the main Bubba code: print.pl which manages printing and backend.pl which handles "All activities that require elevated privilges"
It seems that as Clive says, user_auth.php uses backend.pl to read the user list and hashed passwords from /etc/shadow so that it can manage logins. This makes perfect sense and I can't currently think of a better way to do this.
As far as I have been able to figure out so far, there is no way to nefariously access the God-mode features in backend.pl from web-admin - but that is not a cast-iron guarantee!
Now I know the full picture, the log message is fine - but you have to admit that it looks alarming when seen out of context!
What does disappoint me is that it was more than four days before a user was able to confirm that this is normal. Assuming that this is a normal, yet alarming, log message I am surprised that a simple answer was not quickly provided by someone with detailed knowledge of the product such as Johannes or Tor. Maybe I am repeating an earlier mistake of assuming that this is the best place to come for support (it is linked from the "Customer support area" of excito.com).
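An added illustration (not Bubba's actual backend.pl or user_auth.php) of the design question raised in the post above: a privileged helper can either hand the whole of /etc/shadow back to the web process through a generic dump_file verb, or expose a narrow check_password verb that answers yes or no and keeps the hashes on the privileged side. The shadow entries, the $pbkdf2$ hash layout (not a crypt(3) format), the file contents and every verb name other than dump_file are constructed for the example.

```python
import hashlib
import hmac
import shlex


def _hash(password, salt):
    """Toy password hash for the example (PBKDF2-SHA256), standing in for crypt(3)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


# Constructed stand-in for /etc/shadow: user -> "$pbkdf2$<salt>$<hash>".
# Real entries use crypt(3) formats such as $6$...; the layout is only illustrative.
SHADOW = {
    "alice": "$pbkdf2$s1$" + _hash("correct horse", "s1"),
    "root":  "$pbkdf2$s2$" + _hash("hunter2", "s2"),
}

# Constructed files the privileged side can read. Only /etc/shadow is meant to be dumpable.
FILES = {
    "/etc/shadow": "\n".join(f"{u}:{h}:14000:0:99999:7:::" for u, h in SHADOW.items()),
    "/etc/sudoers": "root ALL=(ALL) ALL\nwww-data ALL=(root) NOPASSWD: /usr/lib/web-admin/backend.pl",
}

# --- Verb 1: the generic file dump the thread's log line shows. The caller gets
# every hash back, and the only thing between it and other root-readable files
# is this allowlist check on the path argument.
DUMPABLE = {"/etc/shadow"}


def dump_file(path, files):
    if path not in DUMPABLE:
        raise PermissionError(f"refusing to dump {path}")
    return files[path]


# --- Verb 2: a narrower alternative. The comparison happens on the privileged
# side and the caller learns only yes/no; hashes never cross the boundary.
def check_password(user, password):
    entry = SHADOW.get(user)
    if entry is None:
        _hash(password, "dummy")  # same cost for unknown users, so timing does not enumerate them
        return False
    _, _, salt, stored = entry.split("$")
    return hmac.compare_digest(_hash(password, salt), stored)


def backend(cmdline, files=FILES):
    """Dispatcher standing in for a sudo-invoked helper: a fixed table of verbs,
    each validating its own argument count, and nothing else reachable."""
    verb, *args = shlex.split(cmdline)
    if verb == "dump_file" and len(args) == 1:
        return dump_file(args[0], files)
    if verb == "check_password" and len(args) == 2:
        return check_password(*args)
    raise ValueError(f"unknown or malformed request: {cmdline!r}")


def rejected(cmdline, files=FILES):
    """Name of the exception the backend raised for cmdline, or None if it was served."""
    try:
        backend(cmdline, files)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(backend("check_password alice 'correct horse'"))   # True
    print(backend("check_password alice hunter2"))           # False
    print(rejected("dump_file /etc/sudoers"))                # PermissionError
    print(rejected("dump_file /etc/shadow /etc/sudoers"))    # ValueError
```

With verb 1 the web process is trusted with every hash on the system and with any bug in the path check; with verb 2 a compromised web process can only ask "is this password right for this user", which is also the question a rate limit on the privileged side can throttle.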
I think if you want to guarantee a response from excito, you should email them directly (there is also an email link in the "Customer support area").
If you ask the forum, then you will have to wait until someone who knows the answer actually sees the question, which may or may not be someone who actually works for excito...