Install mod_GeoIP2 on Apache2 in CentOS 7


If you need to install the excellent mod_geoip2 extension for Apache2 then it can be done fairly painlessly. First off, we need to make sure that we have gcc installed:

gcc --version

 

If you don’t have it then you could ‘yum install gcc’, but I prefer to install all development tools because they include gcc anyway:

yum groupinstall 'Development Tools'

 

Install the GeoIP development package:

yum install geoip-devel

 

Install mod_geoip2 by fetching the latest version with wget. To check the latest version, take a look here first:

https://github.com/maxmind/geoip-api-mod_geoip2/releases

 

I’m installing 1.2.10 here with the following three commands, but replace the version number in each of them with the latest release:

 wget https://github.com/maxmind/geoip-api-mod_geoip2/archive/1.2.10.tar.gz
 tar -zxvf 1.2.10.tar.gz
 cd geoip-api-mod_geoip2-1.2.10

 

Now we use the apxs (Apache Extension Tool) to build our extension modules for Apache:

apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c

 

If you haven’t got apxs then you’ll need to install httpd-devel.

Be aware that this overwrites httpd, so back up your server in case this fails or you get strange results.

yum install httpd-devel

 

If this fails with “Error: Nothing to do”, that’s fairly common: an exclude line in /etc/yum.conf is probably blocking the installation. We can get around it either by editing the configuration file or by typing:

yum --disableexcludes=all install httpd-devel

 

You should now have mod_geoip2 installed on your server!


Country codes for mod_security, CSF and htaccess

Here’s a list of useful country codes that we can use in many rule-based filtering situations on servers.

AD Andorra
AE United Arab Emirates
AF Afghanistan
AG Antigua and Barbuda
AI Anguilla
AL Albania
AM Armenia
AN Netherlands Antilles
AO Angola
AQ Antarctica
AR Argentina
AS American Samoa
AT Austria
AU Australia
AW Aruba
AZ Azerbaijan
BA Bosnia and Herzegovina
BB Barbados
BD Bangladesh
BE Belgium
BF Burkina Faso
BG Bulgaria
BH Bahrain
BI Burundi
BJ Benin
BM Bermuda
BN Brunei Darussalam
BO Bolivia
BR Brazil
BS Bahamas
BT Bhutan
BV Bouvet Island
BW Botswana
BY Belarus
BZ Belize
CA Canada
CC Cocos (Keeling) Islands
CF Central African Republic
CG Congo
CH Switzerland
CI Cote D’Ivoire (Ivory Coast)
CK Cook Islands
CL Chile
CM Cameroon
CN China
CO Colombia
CR Costa Rica
CS Czechoslovakia (former Republic)
CU Cuba
CV Cape Verde
CX Christmas Island
CY Cyprus
CZ Czech Republic
DE Germany
DJ Djibouti
DK Denmark
DM Dominica
DO Dominican Republic
DZ Algeria
EC Ecuador
EE Estonia
EG Egypt
EH Western Sahara
ER Eritrea
ES Spain
ET Ethiopia
FI Finland
FJ Fiji
FK Falkland Islands (Malvinas)
FM Micronesia
FO Faroe Islands
FR France
FX France, Metropolitan
GA Gabon
GB Great Britain (UK)
GD Grenada
GE Georgia
GF French Guiana
GH Ghana
GI Gibraltar
GL Greenland
GM Gambia
GN Guinea
GP Guadeloupe
GQ Equatorial Guinea
GR Greece
GS S. Georgia and S. Sandwich Isls.
GT Guatemala
GU Guam
GW Guinea-Bissau
GY Guyana
HK Hong Kong
HM Heard and McDonald Islands
HN Honduras
HR Croatia (Hrvatska)
HT Haiti
HU Hungary
ID Indonesia
IE Ireland
IL Israel
IN India
IO British Indian Ocean Territory
IQ Iraq
IR Iran
IS Iceland
IT Italy
JM Jamaica
JO Jordan
JP Japan
KE Kenya
KG Kyrgyzstan
KH Cambodia
KI Kiribati
KM Comoros
KN Saint Kitts and Nevis
KP Korea (North)
KR Korea (South)
KW Kuwait
KY Cayman Islands
KZ Kazakhstan
LA Laos
LB Lebanon
LC Saint Lucia
LI Liechtenstein
LK Sri Lanka
LR Liberia
LS Lesotho
LT Lithuania
LU Luxembourg
LV Latvia
LY Libya
MA Morocco
MC Monaco
MD Moldova
MG Madagascar
MH Marshall Islands
MK Macedonia
ML Mali
MM Myanmar
MN Mongolia
MO Macau
MP Northern Mariana Islands
MQ Martinique
MR Mauritania
MS Montserrat
MT Malta
MU Mauritius
MV Maldives
MW Malawi
MX Mexico
MY Malaysia
MZ Mozambique
NA Namibia
NC New Caledonia
NE Niger
NF Norfolk Island
NG Nigeria
NI Nicaragua
NL Netherlands
NO Norway
NP Nepal
NR Nauru
NT Neutral Zone
NU Niue
NZ New Zealand (Aotearoa)
OM Oman
PA Panama
PE Peru
PF French Polynesia
PG Papua New Guinea
PH Philippines
PK Pakistan
PL Poland
PM St. Pierre and Miquelon
PN Pitcairn
PR Puerto Rico
PT Portugal
PW Palau
PY Paraguay
QA Qatar
RE Reunion
RO Romania
RU Russian Federation
RW Rwanda
SA Saudi Arabia
SB Solomon Islands
SC Seychelles
SD Sudan
SE Sweden
SG Singapore
SH St. Helena
SI Slovenia
SJ Svalbard and Jan Mayen Islands
SK Slovak Republic
SL Sierra Leone
SM San Marino
SN Senegal
SO Somalia
SR Suriname
ST Sao Tome and Principe
SU USSR (former)
SV El Salvador
SY Syria
SZ Swaziland
TC Turks and Caicos Islands
TD Chad
TF French Southern Territories
TG Togo
TH Thailand
TJ Tajikistan
TK Tokelau
TM Turkmenistan
TN Tunisia
TO Tonga
TP East Timor
TR Turkey
TT Trinidad and Tobago
TV Tuvalu
TW Taiwan
TZ Tanzania
UA Ukraine
UG Uganda
UK United Kingdom
UM US Minor Outlying Islands
US United States
UY Uruguay
UZ Uzbekistan
VA Vatican City State (Holy See)
VC Saint Vincent and the Grenadines
VE Venezuela
VG Virgin Islands (British)
VI Virgin Islands (U.S.)
VN Viet Nam
VU Vanuatu
WF Wallis and Futuna Islands
WS Samoa
YE Yemen
YT Mayotte
YU Yugoslavia
ZA South Africa
ZM Zambia
ZR Zaire
ZW Zimbabwe

A few lesser-used ones below, but for completeness here they are:

ARPA Arpanet
COM US Commercial
EDU US Educational
GOV US Government
INT International
MIL US Military
NATO Nato field
NET Network
ORG Non-Profit Organization


Find what emails are being sent from a Linux server

In this series of articles I am trying to help server admins and owners of VPS or Dedicated servers to find viruses or malware on their servers. Part of the diagnosis of your system is to see what emails are being sent out and from which accounts. Since spammers like to use compromised servers, I believe that it makes sense to check regularly that the emails being sent out roughly match what you would expect to see.

I have servers that I host client websites on. If a client who usually sends out 20 emails a month suddenly sends out 500 then this is cause for concern and I would immediately investigate the server for malware.

On Linux systems, Exim (the mail transfer agent) already logs the working directory (cwd) of any script or process that submits a message to the queue. Here’s an example of what you would expect to see in an exim_mainlog file:

2015-08-10 13:52:28 cwd=/home/fredb/public_html 3 args: /usr/sbin/sendmail -t -i
2015-08-10 13:52:28 1ZOmZ2-0004XN-GK <= [email protected] U=fredbloggs P=local S=133267 [email protected] T="Site Database Backup Monday, August 10th, 2015 at 1:52 pm" for [email protected]
2015-08-10 13:52:28 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZEmZ2-0004XE-EK
2015-08-10 13:52:29 1ZEmZ2-0004XE-EK SMTP connection outbound 123459211149 1ZEmZ2-0004XE-GE fredbloggs.co.uk [email protected]

Note: I like to use Notepad++ to analyze these large text files within Windows as other editors aren’t quite up to the task.

So it looks like there’s some function of the ‘fredbloggs’ website that automatically backs up the database, then sends a related email notice to whatever email address the webmaster provided, in this case [email protected]. The working directory for the generation of that message was “/home/fredbloggs/public_html”. Nothing suspicious here, as we have an auto-backup program installed on this WordPress-powered website. Nothing to see here, move along please…

Here’s another example:

2015-08-03 12:00:15 cwd=/home/janedoe/public_html/wp-admin 3 args: /usr/sbin/sendmail -t -i
2015-08-03 12:00:15 1ZQDTb-0005QW-5k <= [email protected] U=janedoe P=local S=989 [email protected] T="[https://janedoe.co.uk] WordPress Login Address Changed" for [email protected]

Again, possibly normal, but I’d raise the question of whether Jane changed her email address on WordPress. If not, this is cause for concern. It’s a kind of detective work where you need to step back and look at all of the evidence to compile a big picture.

So, let’s run this beauty of a command against the exim_mainlog to give us an idea from which working directories our server gets messages sent to the mail queue:

zgrep "cwd=" /var/log/exim_mainlog*|awk '{print $3}'|sort|uniq -c|sort -n|sed 's/cwd=//g'

The exim_mainlog records the arrival and delivery of all emails: where the mail came from, which address it was delivered to, the hostname of the server and more. Additional details can be added to this log file by enabling extended logging in Exim. On most systems your output would look something like this:

8 /home/janedoe/public_html/wp-content/plugins/cforms

So within the last 30 days, the /cforms directory has sent 8 messages to the queue. Cforms is a defunct WordPress plugin, so its developer no longer maintains it against exploits. Would you expect Jane’s website to do that? A result like this isn’t necessarily suspicious, as this is normal contact form use. Something like this, however, would be VERY suspicious:

815 /home/janedoe/public_html/images

I can’t think of a valid reason why an ‘images’ directory should be sending mail, so alarm bells would trigger and that’s definitely something I would look into further.

So, presuming we saw strange usage numbers or a bizarre path, let’s dig even deeper and look at what the Subjects of Jane’s emails actually were, as this gives us an indication of spam activity. Change directory into /var/log:

cd /var/log

Now run this:

zgrep -A 1 "/home/jane" exim_mainlog* |grep T= |awk -F T= '{print $2}' |sort | uniq -c |sort -n |awk -F " for " '{print $1}'

Nice, it returns a list like this which tells us all we want to know:

1 "Akismet: Spam - Jane Doe Books Contact Form: Pay only when you get results"
1 "Jane Doe Books Contact Form: Help with my book club "
1 "Site Database Backup Friday, July 17th, 2015 at 10:02 am"
1 "Site Database Backup Friday, July 27th, 2015 at 1:02 pm"
1 "Site Database Backup Friday, July 31st, 2015 at 10:36 pm"
1 "[Jane Doe Books] Your site has updated to WordPress 4.2.3"
1 "[Jane Doe Books] Your site has updated to WordPress 4.2.4"

Again, no cause for concern and the only spammy one there would be the first one, already marked as such by Akismet.
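As an added example (not part of the original post), here are the same two checks done in one pass in Python over a constructed exim_mainlog sample: each queued message is attributed to the working directory that submitted it, subjects are collected per directory, and static-content directories such as an ‘images’ folder are flagged. The STATIC_DIRS set and the 500-message threshold are assumptions to tune for your own hosts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the exim_mainlog layout shown above (not a real log):
# the "cwd=" line of the submitter precedes the "<=" arrival line with T="subject".
SAMPLE_LOG = """\
2015-08-03 12:00:15 cwd=/home/janedoe/public_html/wp-admin 3 args: /usr/sbin/sendmail -t -i
2015-08-03 12:00:15 1ZQDTb-0005QW-5k <= jane@example.invalid U=janedoe P=local S=989 T="[https://janedoe.co.uk] WordPress Login Address Changed" for jane@example.invalid
2015-08-03 12:10:00 cwd=/home/janedoe/public_html/images 3 args: /usr/sbin/sendmail -t -i
2015-08-03 12:10:00 1ZQDTc-0005QX-6k <= jane@example.invalid U=janedoe P=local S=2010 T="Cheap meds - pay only when you get results" for victim1@example.invalid
2015-08-03 12:10:01 cwd=/home/janedoe/public_html/images 3 args: /usr/sbin/sendmail -t -i
2015-08-03 12:10:01 1ZQDTd-0005QY-7k <= jane@example.invalid U=janedoe P=local S=2010 T="Cheap meds - pay only when you get results" for victim2@example.invalid
2015-08-03 12:10:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZQDTd-0005QY-7k
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) ")
ARRIVAL_RE = re.compile(r'^\S+ \S+ \S+ <= .* T="([^"]*)"')
# Web-root directories with no business sending mail (assumption: extend to suit).
STATIC_DIRS = {"images", "uploads", "cache"}

def attribute_messages(log_text):
    """Count queued messages per cwd and collect the subject of each one,
    like the two zgrep pipelines above but in a single pass."""
    counts = Counter()
    subjects = defaultdict(list)
    last_cwd = None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            last_cwd = m.group(1)
            counts[last_cwd] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if m and last_cwd is not None:
            subjects[last_cwd].append(m.group(1))
            last_cwd = None  # arrival line pairs with the cwd line just seen
    return counts, subjects

def flag_suspicious(counts, volume_threshold=500):
    """Return (path, count, reason) for static-content directories that send
    mail at all, or any path above the threshold (500 echoes the example above)."""
    flagged = []
    for path, n in counts.items():
        if path.rstrip("/").rsplit("/", 1)[-1] in STATIC_DIRS:
            flagged.append((path, n, "static-content directory submitting mail"))
        elif n >= volume_threshold:
            flagged.append((path, n, "unusually high volume"))
    return sorted(flagged, key=lambda t: -t[1])

if __name__ == "__main__":
    counts, subjects = attribute_messages(SAMPLE_LOG)
    for path, n, reason in flag_suspicious(counts):
        print(f"{n:>8} {path}  <- {reason}: {subjects[path][:3]}")
```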

If you have lots of adverts for cheap meds or blue pills in there then you need to find the offending code that’s pushing spam through your email system. Start with a virus scan on your Linux server.

Hope this helps and feel free to drop me a comment below.

 


Tresorit pushes security above and beyond

I am certainly impressed by the way that Tresorit seems to be handling security and also the openness of their company about methods they use and reject.

Their recent blog post shows that they are really trying to excel in the online backup industry by pushing current protocols beyond the standard ‘accepted’ limits.

When we designed Tresorit, we were faced with two contrary options: using widespread, well-tested, standardized, industry-standard protocols, or creating (or implementing) new, stronger protocols. We decided to combine the best of these approaches: we use the strongest standard one and extend it with our protocol in a way that, if our protocol fails, it falls back to the standard one.

I worked for many years in the computer security and penetration testing arena and most encryption methods I previously struggled to get past are now easily cracked by anyone with a laptop, some free software and some common sense. Times move on and you can’t presume something is safe because there are no current published exploits for it.

Tresorit is a relatively new but forward-thinking company that seems to have got its security levels right rather than waiting until the day it is compromised to address them. Keep up the good work, Tresorit, and keep pushing the boundaries of encryption.

https://tresorit.com


Tim Thumb exploit – vulnerability found in popular script

The popular image resizing library TimThumb, used in many a good WordPress theme, has had a major vulnerability exploited in versions of its code. The flaw allows third parties to upload PHP code into the TimThumb cache directory and then execute it. As many people are aware, running malicious PHP code can easily compromise a website or an entire server.

We recommended deleting timthumb.php or thumb.php, or indeed the complete theme or plugin, when this zero-day exploit was announced. A later version of TimThumb is now available that patches this vulnerability.

If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or just the relevant plugin directory. After you remove the TimThumb library, check your site is still working as it should.

If using the later version, please check that you set ALLOW_EXTERNAL to false like this:

define( 'ALLOW_EXTERNAL', false );

then find the $allowedSites array inside the file and completely remove the associated domain names to prevent remote file downloading like this:

$allowedSites = array();

Woo Themes security risk

Heads up to anyone using Woo Themes: there’s a vulnerability in the “shortcode preview generator” within the Woo Framework. This needs patching ASAP.

https://www.woothemes.com/2012/04/framework-shortcode-exploit-has-been-fixed/

Credit to Woo, they have handled the release of their security update well, despite being in the throes of a DDOS attack themselves.

Expect to see the bots coming looking for that exploit very soon!


Minecraft suffering DOS attacks from hackers

Minecraft, the multiplayer, block-destroying game, has suffered a serious DOS attack. Although as yet unproven, it is believed to be the work of the hacker group ‘Anonymous’. The servers did go down but are currently back up and running.

Another group, LulzSec, has been finger-pointed too, and they are now taking ‘site hacking requests’! Their recent attacks include EVE Online and The Escapist amongst others.

Minecraft official release date

Minecraft’s official release date is currently November 2011. It is only available as a beta version until then.

 


LastPass hack causes password problems – offline mode suggested

LastPass has been subject to a serious hack attack. If you are getting errors where LastPass cannot log you in then your first step is to attempt a login via the plugin AND via the website immediately afterwards.

LP stated that significant traffic had left one of its primary servers – traffic that could have included the users’ email addresses, server salt and salted password hashes. Whilst this is often normal, LP couldn’t track down the root cause and elevated this to a high risk level.

As news filters in of the attack, people with LastPass accounts are hitting their servers trying to change their passwords. This is putting a huge strain on the LastPass servers and consequently they are trying to reduce the load while trying to keep security at a maximum.

If your LastPass master password is not a very secure one, change it immediately. By not secure I mean anything from the dictionary or common passwords like Letmein, L3tM3In, abc123, pa55word etc. The reason is that the breach of LastPass’s security systems allowed an attack that could potentially “reverse” the stored password data and recover your master password for the attacker. This type of ‘brute-force’ attack works quickly on weak passwords but takes months, years, even decades, depending on the complexity of the password. The best type of password contains a mixture of capital letters, numbers and non-alphabetical characters (!, *, $ etc.) and is a minimum of eight characters in length.

LastPass have been proactive in this and immediately owned up to the event which I believe is admirable. The fact that they didn’t email every user is a failure though, even if they simply pointed people towards their website with an explanation.

For me, if the system has been breached and the cause unknown, asking for password changes is a very dubious course of action. LP have now changed the method so that you can temporarily authenticate a PC via an email link.

With some users getting a message like “Your account settings have restricted you from logging in from this mobile device.” they have had to resort to exporting contacts and deleting/recreating their LastPass account.

Comments?


TinyBrowser plugin exploit common on Joomla 1.5 installations

I tested this against Joomla 1.5.12 and indeed it is a security hole that can easily be exploited.

TinyBrowser is a plugin for the TinyMCE JavaScript editor that acts as a file browser to view, upload, delete and rename files and folders on your server.

Vulnerabilities

1. Default Insecure Configurations

Configuration settings shipped by default in TinyBrowser are insecure and many uploaders of this plugin will not change them. I have recently audited a couple of Joomla based sites for clients and found this to be the case.
jscripts/tiny_mce/plugins/tinybrowser is the default access path.

I remember fckeditor suffering a similar problem a while back and the final payload in a teaser directory is very similar.

2. Folder Creation by path request

Requesting /tinybrowser.php?type=image&folder=abc123 creates a folder named “abc123” in the /useruploads/images/ directory.

3. File hosting attack

File: config_tinybrowser.php
Code:
// File upload size limit (0 is unlimited)
$tinybrowser['maxsize']['image'] = 0; // Image file maximum size
$tinybrowser['maxsize']['media'] = 0; // Media file maximum size
$tinybrowser['maxsize']['file'] = 0; // Other file maximum size
// Prohibited file extensions
$tinybrowser['prohibited'] = array('php','php3','php4','php5','phtml','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','dll','reg','cgi','sh','py','asa','asax','config','com','inc');

There appears to be no maximum allowable upload (obviously the server may have this locked down).

To overwrite, we simply need to create a hidden directory by requesting
[full pathname]/upload.php?type=file&folder=.hiddendir

Then it’s a matter of going to /upload.php?type=file&folder=.hiddendir

My clients had Trojans in that folder, ready to be clicked and drop their payload onto the server. Nasty.

4. Cross-site Scripting

Most GET/POST variables are not sanitised.

File: upload.php
Code:
$goodqty = (isset($_GET['goodfiles']) ? $_GET['goodfiles'] : 0);
$badqty = (isset($_GET['badfiles']) ? $_GET['badfiles'] : 0);
$dupqty = (isset($_GET['dupfiles']) ? $_GET['dupfiles'] : 0);

Exploit: upload.php?badfiles=1"><script>alert(/XSS/)</script>

5. Cross-site Request Forgeries

All major actions such as create, delete and rename of files/folders are GET/POST XSRF-able.

All in all, a nasty vulnerability that requires instant patching. I am seeing lots of requests for this pathname on non-Joomla sites so there are lots of automated bot attacks out there. Patch up or be hacked.
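As an added example, not from the original post or from TinyBrowser itself, here is a small Python scanner over constructed Apache access-log lines that picks out the probes described above: requests for the default tinybrowser path, hidden folder names passed in folder=, and markup characters in any parameter. The log lines, client addresses and the site_uses_tinybrowser switch are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not from a real server). The probe
# requests follow the TinyBrowser default path and parameters described above.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Aug/2015:13:52:28 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2015:13:53:01 +0000] "GET /jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=image&folder=abc123 HTTP/1.1" 404 512 "-" "python-requests/2.7"
203.0.113.9 - - [10/Aug/2015:13:53:02 +0000] "GET /jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder=.hiddendir HTTP/1.1" 200 1024 "-" "python-requests/2.7"
203.0.113.9 - - [10/Aug/2015:13:53:03 +0000] "GET /jscripts/tiny_mce/plugins/tinybrowser/upload.php?badfiles=1%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E HTTP/1.1" 200 2048 "-" "python-requests/2.7"
"""

# client address, method, request target, status code
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def scan_access_log(log_text, site_uses_tinybrowser=False):
    """Return (client_ip, status, reasons) for each request aimed at TinyBrowser.

    On a site that does not ship the plugin every such request is a probe; on
    one that does, only hidden folder names and markup in parameters are flagged.
    """
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if "/tinybrowser/" not in url.path.lower():
            continue
        params = parse_qs(url.query)
        reasons = []
        if not site_uses_tinybrowser:
            reasons.append("TinyBrowser path requested on a site without it")
        for folder in params.get("folder", []):
            if folder.startswith("."):  # e.g. folder=.hiddendir
                reasons.append(f"hidden folder name {folder!r}")
        for key, values in params.items():
            if any(c in v for v in values for c in '<>"'):
                reasons.append(f"markup characters in parameter {key!r}")
        if reasons:
            alerts.append((ip, int(status), reasons))
    return alerts

if __name__ == "__main__":
    for ip, status, reasons in scan_access_log(SAMPLE_ACCESS_LOG, site_uses_tinybrowser=True):
        # a 200 means the request was served rather than rejected, so follow up
        print(ip, status, "; ".join(reasons))
```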