Archive | Security

Search modsecurity logs more easily

Searching a serial (single-file) ModSecurity audit log can be a pain. Each audit entry is spread over several lettered sections separated by boundary lines, so answering a question such as "which requests from this IP were intercepted?" means matching across many lines, which line-oriented tools like grep cannot do.

cPanel/WHM creates the logfile in /usr/local/apache/logs/modsec_audit.log

This Perl script searches the log for entries containing "Intercepted" (i.e. requests ModSecurity blocked) from a particular IP address:

#!/usr/bin/perl
use strict;
use warnings;

# usage: modsearch.pl [optional ip address]

my $ip = ($#ARGV == 0) ? $ARGV[0] : '';

# An argument that looks like a dotted quad is matched literally (the dots are
# escaped) and on its own, so 10.0.0.1 will not match 110.0.0.12. Anything
# else falls back to "match any entry". Change this line to search for
# things other than an IP address.
my $pattern = ($ip =~ /^(\d{1,3}\.){3}\d{1,3}$/) ? '\b' . quotemeta($ip) . '\b' : '';

my $modseclog = '/usr/local/apache/logs/modsec_audit.log';

open(my $logf, '<', $modseclog) or die "Cannot open $modseclog: $!\n";

my $count = 0;
while (defined(my $chunk = <$logf>)) {
    # go hunting for an A boundary (--xxxxxxxx-A--), which starts an entry
    if ($chunk =~ /--[\d\w]+-A--/) {
        # slurp every line up to and including the Z boundary that ends it
        while (defined(my $line = <$logf>)) {
            $chunk .= $line;
            last if $line =~ /--[\d\w]+-Z--/;
        }
    }
    # /s lets .* span lines: the IP (in section A) must come before
    # "Action: Intercepted" (in section H) within the same entry
    if ($chunk =~ /$pattern.*Intercepted/s) {
        $count++;
        print $chunk;
    }
}
close $logf;
print "$count matches found.\n";

The script prints the complete entry (every section between the A and Z boundaries) for each match, which makes it much easier to track down problems.
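As an added example (not part of the original post), here is the same search done with awk, keyed on the client address recorded in the A section rather than on a substring match over the whole entry, so an address that merely appears in some other entry's request line is not reported. The sample audit log is constructed for this example; the boundary ids, unique ids, addresses and rule message are made up, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Print the boundary ids of every entry whose A-section client address is $2
# and whose H section carries "Action: Intercepted". Usage:
#   modsec_intercepted /usr/local/apache/logs/modsec_audit.log 203.0.113.5
modsec_intercepted() {
    awk -v want="$2" '
        # "--c7036611-A--" style lines open a section; id and letter sit between the dashes
        /^--[[:alnum:]]+-[A-Z]--$/ {
            split($0, f, "-"); id = f[3]; sec = f[4]
            if (sec == "A") { client = ""; hit = 0 }   # new entry: reset state
            if (sec == "Z" && client == want && hit) print id
            next
        }
        # first line of A: [timestamp tz] unique_id client_ip client_port server_ip server_port
        # (the timestamp contains a space, so the client address is field 4)
        sec == "A" && client == "" { client = $4 }
        sec == "H" && /^Action: Intercepted/ { hit = 1 }
    ' "$1"
}

# Constructed sample log: two entries from 203.0.113.5 (one intercepted, one
# allowed) and one from 198.51.100.7 whose request merely mentions 203.0.113.5.
write_sample_log() {
    cat > "$1" <<'EOF'
--c7036611-A--
[14/Jun/2011:20:45:32 +0100] TfeP3H8AAQEAAAQVAQoAAAAA 203.0.113.5 58472 192.0.2.10 80
--c7036611-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Host: www.example.com

--c7036611-F--
HTTP/1.1 403 Forbidden

--c7036611-H--
Message: Access denied with code 403 (phase 2). Operator match at ARGS:id.
Action: Intercepted (phase 2)

--c7036611-Z--

--d8147722-A--
[14/Jun/2011:20:46:01 +0100] TfeQCX8AAQEAAAQWAQoAAAAB 203.0.113.5 58490 192.0.2.10 80
--d8147722-B--
GET /index.php HTTP/1.1
Host: www.example.com

--d8147722-F--
HTTP/1.1 200 OK

--d8147722-H--
Stopwatch: 1308080761000000 2100 (- - -)

--d8147722-Z--

--e9258833-A--
[14/Jun/2011:20:47:15 +0100] TfeQUn8AAQEAAAQXAQoAAAAC 198.51.100.7 41002 192.0.2.10 80
--e9258833-B--
GET /redirect.php?to=http://203.0.113.5/ HTTP/1.1
Host: www.example.com

--e9258833-H--
Action: Intercepted (phase 2)

--e9258833-Z--

EOF
}

# Run the search over the sample log for the address given on the command line.
demo() {
    local tmp
    tmp="$(mktemp)" || return 1
    write_sample_log "$tmp"
    modsec_intercepted "$tmp" "$1"
    rm -f -- "$tmp"
}

if [ "$#" -gt 0 ]; then
    demo "$1"
fi
```

With the sample data, `demo 203.0.113.5` prints only `c7036611`: the allowed request from that address and the third entry, which contains the address in its query string but came from 198.51.100.7, are both left out, whereas a plain `IP.*Intercepted` substring match over the whole entry would have reported the third one.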

SORBS SUCKS

Why SORBS Sucks

Now, 7 days after the event, SORBS is still listing our affected server.

Why do SORBS Suck? More to the point, why am I writing this negative blog post? I’m writing it because SORBS has demonstrated itself to be wholly unprofessional, slow, and inaccurate, and are causing real problems for genuine ISPs, and countless people.

7 days ago the hosting company I work for found a client whose site had been hacked. It was quite nasty, and a perl script was pumping out spam at a pace. Within an hour or so, we had tracked it down and got it shut down. Too late. We had appeared on a couple of blacklists, including Spamhaus and SpamCop, and SORBS (just 46 hits).

Within a few hours, the world recognised that we had stemmed the problem, and all was fine again… or was it…

SORBS still listed us. We tried to remove ourselves. SORBS has to be THE worst system I’ve ever used, ever. And I’ve used some pretty bad systems. If you’re going to allow companies to use your data to make decisions about whether or not to deliver email, you at least owe it to them to run a service that isn’t completely broken.

Read More…

ConfigServer Exploit Scanner – external perl script to run upon detection of a match

One very useful option recently added to CXS is --script

For example, I am currently using something like:

/usr/sbin/cxs --report /var/log/cxs.scan --logfile /var/log/cxs.log --mail reports@myhost.co.uk --vir -I /etc/cxs/cxs.ignore --options mMOfSGChednWZDR --script /root/cxswatchscript.sh --xtra /etc/cxs/cxs.xtra -Z --sum -F 200000 -C /var/clamd -T 10 -B --allusers

The script named there, /root/cxswatchscript.sh, is called by CXS with 4 arguments:

$1 = filename
$2 = option triggered
$3 = message reported
$4 = account name
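As an added example of a hook script for that option (my code, not ConfigServer's), the point to keep in mind is that CXS runs the hook as root while $1, $2 and $3 describe a file the account owner, or whoever compromised the account, controls, so the hook has to treat them as hostile input: quote everything, never eval them, and stop a crafted file name from forging extra log records. The argument order follows the $1..$4 listing above; the log path, the function names and the getent lookup of the account's home directory are my assumptions.

```shell
#!/bin/sh
# Hypothetical /root/cxswatchscript.sh (added example, not ConfigServer's code).
# cxs invokes it as:  script <filename> <option triggered> <message> <account>
set -u

HOOKLOG="${CXS_HOOK_LOG:-/var/log/cxs-hook.log}"   # assumed path, not a cxs default

# Replace anything that is not a printable ASCII character (tabs, newlines,
# terminal escape sequences) with "?" so one detection is always exactly one
# log line and a crafted file name cannot inject a second record.
sanitise() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# One tab-separated record: time, account, option, file, message.
# The timestamp is passed in as $5 so the output is reproducible.
format_record() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$5" "$(sanitise "$4")" "$(sanitise "$2")" \
        "$(sanitise "$1")" "$(sanitise "$3")"
}

# True only if path $1 lies inside directory $2. The match is on a complete
# path component, so /home/bobby/x does not pass for /home/bob.
path_under_home() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

main() {
    [ "$#" -eq 4 ] || { echo "usage: $0 filename option message account" >&2; return 2; }
    home="$(getent passwd "$4" | cut -d: -f6)"
    # cxs tells us which account the file belongs to; a reported path outside
    # that account's home is a symlink trick or a bug, so it is logged and ignored
    if [ -z "$home" ] || ! path_under_home "$1" "$home"; then
        printf 'cxs hook: %s is not inside the home of account %s, ignoring\n' \
            "$(sanitise "$1")" "$(sanitise "$4")" >&2
        return 1
    fi
    format_record "$1" "$2" "$3" "$4" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$HOOKLOG"
}

# Only act when invoked with the four arguments cxs supplies.
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

Anything heavier, such as suspending the account or quarantining the file, belongs after the same path check: act on the path only once you know it sits under the home directory of the account CXS named.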

Read More…

ConfigServer Exploit Scanner – Individual User Warning Email Script

Parse the CXS Log file for warnings, and email your customers with details of the Malware found in their accounts via a Perl script.

  • Got ConfigServer Exploit Scanner – CXS – installed on your cPanel/WHM server?
  • Doing a full server scan every now and then, and getting swamped with the reports?
  • Want a script that will trawl the reports, and email the cpanel users with their problems automatically?

Then you've come to the right place! Read More…

Find and replace all timthumb.php on server – bash script

The recent vulnerability found in the popular timthumb.php image resizer has hit websites worldwide pretty hard. It is easy enough to deal with if you are just running your own site: replace the script with the latest version from the source.

If you are running a hosting company, then you have either mitigated the issue somehow, or your helpdesk is probably still hung over from the after effects of exploited timthumb scripts.

So, cutting to the chase, here’s a script that I have used to run through whole cPanel based servers, looking for files called timthumb.php or thumb.php, which contain the text “timthumb” (almost every instance I have seen of the script contains this code in it somewhere).

It then renames the original to something safe, copies over the latest source from a location you can set at the top of the script, and sets the ownership and permissions correctly (assuming you are running suPHP, which requires files to be owned by the account and not group- or world-writable). Bear in mind that Apache matches handlers on every extension in a file name, so a renamed copy whose name still contains ".php." may still be handed to PHP unless you also strip its permissions or move it out of the document root.

Obviously, the usual disclaimers apply here – You are free to use this script, but NO responsibility can be accepted for anything that goes wrong if you choose to!

This is actually version 2, as it were – I have modified the script so that it now looks for the version number within the script and only updates versions that do not match those shown in the if statement.

The bash script:

#!/bin/bash
###################################################################
##  timthumb correction                                          ##
###################################################################
 
GOODTHUMB="/root/scripts/timthumb.php"
 
###########################
##  Create temp file     ##
###########################
# mktemp creates the file atomically with mode 0600, so nobody can plant a
# symlink at a predictable /tmp name and have root write through it.
TMPFILE="$(mktemp /tmp/healthchk.XXXXXX)" || exit 1
##  Clean up any trace, however the script exits
trap 'rm -f -- "${TMPFILE}"' EXIT
 
# set pwd to tmp
cd /tmp || exit 1
 
##########################################################
##  SCRIPT BEGINS HERE                                  ##
##########################################################
 
echo "This script will check all home directories for timthumb..."
 
unset CPUSER CPHOME
 
# every path is quoted: a customer can create file names containing spaces or
# shell metacharacters, and this script runs as root
/bin/ls -- /var/cpanel/users | /bin/grep -v '`\|\.\|cpanel\|root\|mysql\|nobody' | while IFS= read -r CPUSER; do
   CPHOME="$(/bin/grep "^${CPUSER}:" /etc/passwd | cut -d':' -f6)/public_html"
   echo -e "\nChecking user ${CPUSER} - home directory = ${CPHOME}"
   echo "Checking ${CPHOME} ... "
   if [ -d "${CPHOME}" ]; then
 
     #####################################
     ## Start looking for timthumb!     ##
     #####################################
     /usr/bin/find "${CPHOME}" -type f \( -iname "timthumb.php" -o -iname "thumb.php" \) > "${TMPFILE}" 2> /dev/null
     while IFS= read -r TARGET; do
        # every version of the script I have seen contains the string timthumb somewhere
        /bin/grep -qi timthumb -- "${TARGET}" || continue
        # e.g. define ('VERSION', '2.8.10');  gives 2.8
        THEVERSION="$(/bin/grep -o "VERSION.*'[0-9.]*'" -- "${TARGET}" | /bin/grep -Eo '[0-9]+\.[0-9]+' | head -n 1)"
        # skip files with no recognisable version string rather than fail on an empty variable
        [ -n "${THEVERSION}" ] || continue
        # You can modify the versions to accept (i.e. not modify) below
        if [ "${THEVERSION}" != "2.8" ] && [ "${THEVERSION}" != "2.7" ]; then
            echo "Found one!: ${TARGET}    version ${THEVERSION}"
            # keep the old copy for reference, but with no permissions: Apache
            # matches handlers on every extension in a name, so a file still
            # called *.php.* inside public_html may otherwise still be run by PHP
            mv -- "${TARGET}" "${TARGET}._removedbykrystal"
            /bin/chmod 000 "${TARGET}._removedbykrystal"
            cp -- "${GOODTHUMB}" "${TARGET}"
            /bin/chown "${CPUSER}:${CPUSER}" "${TARGET}"
            /bin/chmod 640 "${TARGET}"
        fi
     done < "${TMPFILE}"
 
   fi
done
Ziphost – Protect your website from malware

To cut a long story short – if you want to protect your online presence from hackers, and avoid getting banned from Google, then you can do a lot worse than host your website with Ziphost, our sister company.

Yes, this is a bit of shameless self promotion, but we want people to understand that unlike almost every other hosting provider in the UK, Ziphost provide an extra level of protection by offering SecurityBoost on ALL hosting accounts. Read More…