Monday, August 19, 2013

SolusVM centralbackup Vulnerability

Latest Update from SolusVM on June 16 2013

In the last few hours a security exploit has been found. This email is to inform you of a temporary fix to eliminate this exploit whilst the issue is patched and transferred to our file servers for release.

Instructions:

You will need root SSH access to your master server. You are then required to delete the following file:

/usr/local/solusvm/www/centralbackup.php

Example:
rm -f /usr/local/solusvm/www/centralbackup.php

Once the file is deleted the exploit can no longer be used. This file only exists on the master server and the slaves will not be affected.

Module Injection or Darkleech Attack

DarkLeech affects servers running Apache 2.2.2 and above. The attackers infected the servers with an SSHD backdoor that lets them upload and configure malicious Apache modules, which are in turn used to inject malicious iFrames into legitimate sites.

More information: http://blog.sucuri.net/2013/06/new-apac ... ction.html

Remedy which I applied:

While checking the server I found "mod_suphp5.so", which is a fake module. I removed the .so file, removed the references to it from the configs, and ran EasyApache again.

[/etc/httpd]# find . -name mod_suphp5.so
./modules/mod_suphp5.so

http://blog.sucuri.net/2013/04/apache-b ... rvers.html

What is a Darkleech attack?


- inserts frames into PHP, HTML and JS files
  frame delivered to unique users only, no frame on repeat visits. << known anti-forensics. Interesting how this is implemented here: external logs, or based on Apache2?

- possibility of framing only traffic that came from search engines << looks like the Referer field again?

- different modes of framing: low, standard, aggressive

- update of the malicious frame from an external URL

- admins of the web server who have SSH access to it are excluded from frame delivery. The system is also able to detect the admin's IP by the URL of administrative access and ban the admin's IP from the framing procedure.

- when root or any user in the sudo group logs into the server, the module switches to "quiet mode", and only when the admin's IP is banned or filtered out does the server proceed with infecting visitors.

- users filtered out by origin, OS version, local IP requests etc. << this is based on User-Agent, as far as I understand.

- when the module detects any suspicious process in memory (tcpdump, rkhunter etc.), it stops its activity

- option to encrypt the framing.

As the seller claims, the module was used privately for the last 2 years and is now available for sale. Current version is 14.0.


Module written in C and PHP


Solution:

Check the Apache2 config files for unknown module loads.
If you find a malicious module, remove it.
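The check above can be scripted so it is repeatable across servers. The script below is an added example, not code from the original post or from Sucuri: it reads every active LoadModule directive under an Apache config directory, compares the module filenames against an allowlist you build from a known-good host, and reports anything not on the list (a fake mod_suphp5.so would show up this way). It also asks the package manager whether a given module file is owned by any package, since a module dropped in by hand is a warning sign. The config directory, allowlist file and function names are assumptions.

```shell
#!/bin/sh
# Audit the modules Apache is told to load against an allowlist of expected
# module files. Added example, not from the original post. It assumes a
# conventional layout: LoadModule directives in *.conf files under the given
# directory (e.g. /etc/httpd), and an allowlist file naming one expected
# module filename per line (build it from a clean install or package list).

# Print the basename of every module referenced by an active LoadModule
# directive under $1, sorted and de-duplicated. Commented-out lines are ignored.
list_loaded_modules() {
    find "$1" -type f -name '*.conf' -exec cat {} + \
        | grep -E '^[[:space:]]*LoadModule[[:space:]]' \
        | awk '{ print $3 }' \
        | sed 's#.*/##; s/"//g' \
        | LC_ALL=C sort -u
}

# Print "UNKNOWN MODULE: <file>" for each loaded module absent from the
# allowlist $2. Returns 0 when every module is accounted for, 1 otherwise.
audit_apache_modules() {
    unknown=0
    for mod in $(list_loaded_modules "$1"); do
        if ! grep -qxF "$mod" "$2"; then
            echo "UNKNOWN MODULE: $mod"
            unknown=$((unknown + 1))
        fi
    done
    [ "$unknown" -eq 0 ]
}

# Ask the package manager whether it owns the module file at $1: a module
# that no package claims deserves a closer look before it is trusted.
report_owner() {
    if command -v rpm >/dev/null 2>&1; then
        if owner=$(rpm -qf "$1" 2>/dev/null); then
            echo "$1 owned by $owner"
        else
            echo "$1 is not owned by any package"
        fi
    elif command -v dpkg >/dev/null 2>&1; then
        if owner=$(dpkg -S "$1" 2>/dev/null); then
            echo "$1 owned by $owner"
        else
            echo "$1 is not owned by any package"
        fi
    else
        echo "no package manager found to check ownership of $1"
    fi
}

# Usage: ./audit_modules.sh --audit /etc/httpd /root/apache-modules.allow
if [ "${1:-}" = "--audit" ]; then
    audit_apache_modules "${2:-/etc/httpd}" "${3:?allowlist file required}"
fi
```

Run it on the master after a clean EasyApache build to produce the allowlist, then re-run periodically; any module that appears later without a matching package or rebuild is worth checking with `find` as in the post, and `httpd -M` gives a cross-check of what the running binary actually loaded.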

Enabling RDP in Plesk

In this post I'm going to familiarise you with rdesktop / the Remote Desktop feature in Windows...

What is remote desktop ?
==================

In computing, the term remote desktop refers to a software or operating system feature that allows a personal computer's desktop environment to be run remotely on one system (usually a PC, but the concept applies equally to a server), while being displayed on a separate client device.

How does it work ?
==============

Remote desktop virtualization implementations operate as client/server computing environments. The controlling computer (referred to in this context as the client) displays a copy of the image received from the controlled computer's (in this context the server) display screen. The copy is updated on a timed interval, or when a change on screen is noticed by the remote control software. The software on the controlling computer transmits its own keyboard and mouse activity to the controlled computer, where the remote control software implements these actions. The controlled computer then behaves as if the actions were performed directly at that computer. In many cases the local display and input devices can be disabled so that the remote session cannot be viewed or interfered with.

=======MERITS===========


> A main use of remote desktop software is remote administration.

> It can also be used for "headless computers": instead of each computer having its own monitor, keyboard, and mouse.


========DE-MERITS======

> The main PC must be kept always on, which is a demerit that may affect the system's lifetime.



ENABLING RDESKTOP IN WINDOWS SERVER 2008 R2:
============================================

> Make sure that you have set a password for the Administrator user; otherwise log in as Administrator and change the password at Control Panel >> User Accounts >> User Accounts >> Change Your Password.

> To enable remote desktop, right-click the Computer icon
> Properties
> Remote Settings, and then enable “Allow Remote Assistance connections to this computer” and “Allow connections from computers running any version of Remote Desktop (less secure)”.
> That's it, you are done!!

Now you can rdesktop to this server from your remote machine if you have the rdesktop client installed on it.


e.g. from a Linux machine: rdesktop -f <server ip> -u Administrator -p-
It will now prompt for the password:

-f >> fullscreen
-u >> user
-p- >> password (prompt for it)


ENABLING RDESKTOP FEATURE FOR A PARTICULAR USER VIA PLESK:
==========================================================

> Log in to Plesk
> Search for the particular account for which you want to enable rdesktop.
> Once that's done, navigate to the account
> Websites and domains
> Click on Web Hosting Access
> Here you can see the option "Access to the server over Remote Desktop"; change it to Login allowed.
> That's all, you are done!!!




When actually setting up RDP for "users" in Plesk, the steps explained above are not sufficient. Once configured via Plesk, we have to make sure
the particular user is added to the "Remote Desktop Users" group. Only users added to this group will be able to access their account via RDP.

Steps:

Start >> Administrative Tools >> Computer Management.

Click Local Users and Groups.
Double-click Remote Desktop Users, and then click Add (you have to add the Plesk user to this group).

If you want to deny RDP access for a user, first deny RDP for the user in the hosting settings via Plesk, and then remove the user from "Remote Desktop Users" in the Computer Management console on the Windows back end.

Now you can rdesktop to this server from your remote machine with the username and password of the account; you can follow the steps above...

Hope this will help you a lot.....

LibClamAV Error: cli_loaddb(): No supported database files found.

LibClamAV Error: cli_loaddb(): No supported database files found in /usr/share/clamav
ERROR: Can't open file or directory


I tried the resolution steps mentioned in the threads below.
http://forums.cpanel.net/f43/problem...av-109321.html
http://forums.cpanel.net/f5/problem-clamav-154441.html


This didn't help. The error still exists. I tried reinstalling ClamAV using WHM; still the database folder is empty. I also tried increasing the cPanel memory limit to 512M. I checked the cPanel logs and the installation log; there was no error at all. I have followed the steps below.

cd /usr/share
mkdir -p clamav
chown clamav:clamav clamav
freshclam -v

Re-installed from WHM -> Plugins via UPCP. It needs to be patched or re-installed as follows:

cd /usr/local/cpanel/mod*/clam* (/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64)
./uninstall
./install

Finally I was able to solve the issue by restoring the database contents from another server's "/usr/share/clamav". We copied the files bytecode.cld, daily.cld, main.cld and mirrors.dat to the server having the issue. Now clamd started working.
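Before restarting clamd after copying databases like this, it is worth checking that the directory really holds what cli_loaddb() looks for. The script below is an added example, not part of the original post or of ClamAV: it looks for the main, daily and bytecode databases in either their .cvd or .cld form, reports which are missing, and flags databases older than a given number of days, since a copy taken from another server may already be stale and should be refreshed with freshclam. The function names and the default directory are assumptions.

```shell
#!/bin/sh
# Sanity-check a ClamAV database directory before starting clamd.
# Added example, not part of the original post. It assumes the usual ClamAV
# layout: main, daily and bytecode databases stored as .cvd (compressed) or
# .cld (unpacked), e.g. under /usr/share/clamav or /var/lib/clamav.

# Print the path of the first existing variant of database $2 in directory $1.
# Returns 1 when neither the .cvd nor the .cld form exists.
find_db() {
    for ext in cvd cld; do
        if [ -f "$1/$2.$ext" ]; then
            echo "$1/$2.$ext"
            return 0
        fi
    done
    return 1
}

# Report on each database: MISSING, STALE (older than $2 days, default 7)
# or OK with its size. Returns 0 only when main and daily are both present,
# since clamd cannot load without them; bytecode is reported but optional.
check_clamav_db() {
    dir=$1
    max_age=${2:-7}
    missing=0
    for name in main daily bytecode; do
        if ! f=$(find_db "$dir" "$name"); then
            echo "MISSING: $name (no $name.cvd or $name.cld in $dir)"
            if [ "$name" != bytecode ]; then
                missing=$((missing + 1))
            fi
        elif [ -n "$(find "$f" -mtime +"$max_age")" ]; then
            # A database copied from another server may already be old;
            # flag it so freshclam is run before relying on it.
            echo "STALE: $f (older than $max_age days, run freshclam)"
        else
            echo "OK: $f ($(wc -c < "$f") bytes)"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: ./check_clamav_db.sh --check /usr/share/clamav 7
if [ "${1:-}" = "--check" ]; then
    check_clamav_db "${2:-/usr/share/clamav}" "${3:-7}"
fi
```

A non-zero exit means clamd will still fail with the same cli_loaddb() error; a STALE line means the copy worked but the signatures need a freshclam run (as in the steps above) before the scanner is worth much. The chown to clamav:clamav from the post still applies to the copied files.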