Security Improvements Needed

My friend's Links SQL v. 2.0.4 admin (or otherwise) has been hacked into. This is a bit much for me so it looks like we might need some extra help securing the site/admin. Also, her Gossamer Forum has stopped functioning and we think the two might be related. Would this forum be the proper place to post a job like this? If so, I will post more details such as server info, etc.

Thanks in advance.

Last edited by Westiegirl: Dec 16, 2005, 5:06 PM
Re: [Westiegirl] Security Improvements Needed
The first thing which should help in this case is to rename the admin.cgi.
This is something which I asked from GT staff a long time ago, without success.


Note: version 2.04 is very outdated; you should update to 3.04.
Or did you mistype it?

Best regards,
Webmaster33


Paid Support
from Webmaster33. Expert in Perl programming & Gossamer Threads applications. (click here for prices)
Re: [webmaster33] Security Improvements Needed
Hi Webmaster33,

No, I did not mistype the version. My friend has been using the program for a long time - I'm not sure I can manage the update without problems since I'm not a Perl or database person. I don't want to cause any problems with her database or script. Is the newer version more secure?

Thanks,

Nadine
Re: [Westiegirl] Security Improvements Needed
There were security fixes in the releases since v2.0.4.
So yes, I recommend that you upgrade to the latest version.
Please contact GT support to ask if your upgrade can be safely done.


However, the problem I mentioned, that the admin.cgi name is known, is still a problem, since knowing the admin location allows a brute force attack against the computer...

Best regards,
Webmaster33


Re: [webmaster33] Security Improvements Needed
Thanks Webmaster33. I agree.
Re: [Westiegirl] Security Improvements Needed
Have you password protected the admin using .htaccess? If not, then that's a good idea. Also, use 'deny from' / 'allow from' Apache directives to limit access to the IP of the person(s) who have administrative access.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln
Re: [dan] Security Improvements Needed
Hi Dan,

The Admin has been password protected since my friend first started using Links SQL. I have banned this person's IPs but am planning on adding the deny from/allow from in the Admin directory today.

Thanks for your reply.

Nadine
Re: [Westiegirl] Security Improvements Needed
Hi Nadine:

Good idea =)

Order Deny,Allow
Deny from all
Allow from XX.XX.XX.XX

should prevent any outside parties from attempting to access your admin, or trying to crack your administrative password.

----
Cheers,

Dan
Re: [dan] Security Improvements Needed
The problem starts when somebody wants to access the admin from anywhere...

In that case, only changing the admin path would provide additional protection.

Best regards,
Webmaster33


Re: [webmaster33] Security Improvements Needed
Thanks Webmaster33. I'm looking at this as a temporary solution until we can contact Gossamer support.
Re: [dan] Security Improvements Needed
In Reply To:
Hi Nadine:

Good idea =)

Order Deny,Allow
Deny from all
Allow from XX.XX.XX.XX

should prevent any outside parties from attempting to access your admin, or try to crack your administrative password.

Hey Dan,

That worked! I'd added the code differently and it wasn't working, but you saved the day. Thanks.

Nadine
Re: [Westiegirl] Security Improvements Needed
Hi,

The other thing I'd suggest is to give the system a good once-over to ensure the hacker did not leave any trojan files. If so, any changes you do now may not have any effect if they've left a PHP or CGI script that will allow them back in at a later date.

Also, in addition to the IP restrictions, double check your .htpasswd files to ensure there are no new accounts that you don't know about. We've seen people add a new password to the list, and then changing your password won't help.

Cheers,

Alex
--
Gossamer Threads Inc.
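The two checks Alex recommends above (look for accounts in .htpasswd you did not create, and look for scripts the intruder may have dropped) can be scripted. The following is an added example written for this thread, not Gossamer Threads code or anything posted by Alex; the .htpasswd contents, the directory tree it builds in a temporary folder and the expected user names are all constructed for the demonstration, and the "changed within the last week" window is an assumption you would set from the date of the break-in.

```python
"""Audit an Apache .htpasswd file and a cgi-bin tree after a suspected break-in.

Added example (not part of the forum thread or of Gossamer Threads code).
It flags .htpasswd accounts that are not on the expected list and lists
CGI/PHP scripts modified after a given timestamp. All sample data below is
constructed for the demo.
"""
import os
import tempfile
import time

SCRIPT_SUFFIXES = (".cgi", ".pl", ".php")


def unexpected_accounts(htpasswd_text, expected_users):
    """Return usernames present in the .htpasswd text but not in expected_users."""
    found = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user = line.split(":", 1)[0]          # .htpasswd format is user:hash
        if user not in expected_users:
            found.append(user)
    return found


def recently_changed_scripts(root, since_ts):
    """Return root-relative paths of scripts whose mtime is newer than since_ts."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_SUFFIXES):
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) > since_ts:
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_tree():
    """Create a throwaway cgi-bin tree: one backdated script, one fresh one (constructed)."""
    root = tempfile.mkdtemp(prefix="links_audit_")
    old = os.path.join(root, "admin", "admin.cgi")
    os.makedirs(os.path.dirname(old))
    with open(old, "w") as f:
        f.write("#!/usr/bin/perl\n")
    old_ts = time.time() - 30 * 86400          # legitimate script, 30 days old
    os.utime(old, (old_ts, old_ts))
    new = os.path.join(root, "images", "x.php")  # stand-in for a dropped file
    os.makedirs(os.path.dirname(new))
    with open(new, "w") as f:
        f.write("<?php /* placeholder for demo */ ?>\n")
    return root


# Constructed sample; the hashes are placeholders, not real apr1 digests.
DEMO_HTPASSWD = """\
# constructed sample
nadine:$apr1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyy
owner:$apr1$xxxxxxxx$zzzzzzzzzzzzzzzzzzzzz
backup:$apr1$xxxxxxxx$wwwwwwwwwwwwwwwwwwwww
"""


def run_demo():
    """Run both checks against the constructed data and return the findings."""
    root = build_demo_tree()
    week_ago = time.time() - 7 * 86400      # assumed cut-off: date of the break-in
    return {
        "unknown_accounts": unexpected_accounts(DEMO_HTPASSWD, {"nadine", "owner"}),
        "changed_scripts": recently_changed_scripts(root, week_ago),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real server you would point `recently_changed_scripts` at the web root and `unexpected_accounts` at the file named in the `AuthUserFile` line, and treat any hit as something to explain rather than delete blindly; an attacker can also reset mtimes, so a clean result here is not proof the tree is clean.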
Re: [Alex] Security Improvements Needed
Thanks, Alex. I believe the site owner will be contacting Gossamer about having them do an upgrade among other things. I discovered the other day that they had added another username and I deleted it. Viewing the logs, I found that they had been trying to access using the username "admin" (there is no username admin) for a few months prior to actually getting through. At least that's the way it looked, since different files are used when the Admin is actually accessed. Those files showed up in the logs later - that's when I think they finally found a way to break in. Very disconcerting. I don't understand how they can access the site via a username that doesn't exist. Anyway, after they got in they created a different username. I deleted it the other day before adjusting the .htaccess file to only allow 2 IP addresses for the admin directory.

All in a day's work, I suppose, but I really hate people who do such things.

Nadine
Re: [Alex] Security Improvements Needed - More Help Needed
I have denied all but 2 IPs from the Admin directory using .htaccess (mine and the site owner's). Today I noticed in the error logs that the site's IP is being denied - this was when the owner was working in the Admin.

Is there any case in which the site's IP (the IP this site is assigned to) will try to access admin/admin.cgi? I find this strange because when I was working in the Admin I don't recall seeing that. Or is this someone trying to spoof with the site's IP (sorry, I don't know the terminology for faking referrers/headers) hoping to get in?

Any help would be most appreciated.

Nadine
Re: [Westiegirl] Security Improvements Needed - More Help Needed
Hi,

Have you tested the IP restriction? Make sure you have 'satisfy all' instead of 'satisfy any' (it should default to all, but just in case something higher up is specifying any):

http://httpd.apache.org/...od/core.html#satisfy

No, I don't believe you should normally see traffic to the admin directory from the server's IP. What was the request for?

Cheers,

Alex
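Dan's `Order Deny,Allow` / `Deny from all` / `Allow from` block and Alex's warning about `Satisfy any` both come down to how Apache 2.2 combines host restrictions with Basic auth. The small model below is an added example written for this thread (it is neither Apache nor Gossamer Threads code) that reproduces those rules so you can test a configuration before relying on it; the addresses in `ADMIN_CONFIG` are documentation-range placeholders standing in for the two real ones, and the only assumption is that the directory carries a `require valid-user` block, as Nadine's .htaccess does.

```python
"""Model Apache 2.2 host access control (Order/Deny/Allow) and Satisfy.

Added example, not Apache or Gossamer Threads code. It reproduces the
mod_access evaluation order and the core Satisfy directive so a .htaccess
decision can be checked offline. Sample addresses are constructed.
"""
import ipaddress


def host_matches(pattern, ip):
    """Does one 'from' pattern cover ip? Handles 'all', exact IPs,
    dotted prefixes such as '192.0' and CIDR such as '192.0.2.0/24'."""
    if pattern.lower() == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.count(".") < 3:                 # partial dotted prefix
        return ip.startswith(pattern.rstrip(".") + ".")
    return addr == ipaddress.ip_address(pattern)


def host_allowed(order, deny_from, allow_from, ip):
    """Evaluate Order/Deny/Allow as Apache 2.2 mod_access does."""
    denied = any(host_matches(p, ip) for p in deny_from)
    allowed = any(host_matches(p, ip) for p in allow_from)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Default is allow; Allow directives are evaluated last and win on conflict.
        return allowed or not denied
    if order == "allow,deny":
        # Default is deny; Deny directives are evaluated last and win on conflict.
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def request_allowed(config, ip, user_authenticated):
    """Combine the host decision with the auth result according to Satisfy."""
    host_ok = host_allowed(config["order"], config["deny_from"],
                           config["allow_from"], ip)
    if config.get("satisfy", "all").lower() == "any":
        return host_ok or user_authenticated   # either check alone lets you in
    return host_ok and user_authenticated      # Satisfy all: both must pass


# The admin directory from the thread; placeholder addresses (constructed).
ADMIN_CONFIG = {
    "order": "Deny,Allow",
    "deny_from": ["all"],
    "allow_from": ["192.0.2.10", "192.0.2.20"],
    "satisfy": "all",
}


if __name__ == "__main__":
    cases = [("192.0.2.10", True), ("192.0.2.10", False), ("198.51.100.7", True)]
    for ip, authed in cases:
        print(ip, "authenticated" if authed else "no auth",
              "->", request_allowed(ADMIN_CONFIG, ip, authed))
```

Two things the model makes visible: with `Satisfy any`, a valid password from an address outside the allow list still gets in, which is exactly the case Alex is guarding against; and writing `Order Allow,Deny` with `Deny from all` locks out the allowed addresses too, because Deny is evaluated last in that order. If a `Satisfy any` sits in a parent directory or the main server config, the `.htaccess` shown in the thread needs its own `Satisfy all` line to restore the intended behaviour.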
Re: [Alex] Security Improvements Needed - More Help Needed
Sorry Alex, I'm a newbie when it comes to some of this. Here is the admin's .htaccess file:
AuthUserFile /usr/dir/www/domain.com/cgi-bin/links/admin/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
AuthName Protected

require valid-user

Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Allow from xx.xx.xx.xx

The Order Deny,Allow section was added a few days ago.

I hesitate to do any more at the moment. On behalf of the site owner, I've requested a quote from Gossamer about addressing script upgrades and security issues.

The site's IP address was requesting admin/admin.cgi and subscribe.cgi among others. Here's a part cut from the access_log:
xx.xx.xx.xx - - [19/Dec/2005:17:02:56 -0800] "GET /cgi-bin/links/subscribe.cgi HTTP/1.0" 200 0 "-" "Links SQL (http://gossamer-threads.com/scripts/links-sql/)"
There are more - some that use the domain name instead of the IP number.

Nadine
Re: [Westiegirl] Security Improvements Needed - More Help Needed
Hi,

Those log entries are from the link checker. This would happen if you have a link in your database for admin.cgi or subscribe.cgi.

Cheers,

Alex
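Alex's explanation gives a concrete way to separate the link checker's own requests from the traffic Nadine was worried about: the checker announces itself in the User-Agent string shown in her log line. The script below is an added example for this thread, not Gossamer Threads code; it parses combined-format access_log lines, sets aside those carrying that User-Agent, and counts the remaining admin-path requests by client and outcome so repeated rejections stand out. The log lines are constructed with documentation IP ranges; only the first is modelled on the entry Nadine posted, and the path prefix and the "two rejections" threshold are assumptions.

```python
"""Triage Apache access_log lines around the Links SQL admin directory.

Added example, not Gossamer Threads code. Requests from the Links SQL link
checker (identified by its User-Agent, as Alex explained) are set aside;
other requests to the admin path are counted by client and by whether they
were accepted. Sample log lines are constructed.
"""
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LINK_CHECKER_UA = "Links SQL (http://gossamer-threads.com/scripts/links-sql/)"
ADMIN_PREFIX = "/cgi-bin/links/admin/"   # assumed install path, as in the thread

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
198.51.100.5 - - [19/Dec/2005:17:02:56 -0800] "GET /cgi-bin/links/subscribe.cgi HTTP/1.0" 200 0 "-" "Links SQL (http://gossamer-threads.com/scripts/links-sql/)"
198.51.100.5 - - [19/Dec/2005:17:02:57 -0800] "GET /cgi-bin/links/admin/admin.cgi HTTP/1.0" 403 0 "-" "Links SQL (http://gossamer-threads.com/scripts/links-sql/)"
203.0.113.9 - - [19/Dec/2005:18:10:01 -0800] "GET /cgi-bin/links/admin/admin.cgi HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
203.0.113.9 - - [19/Dec/2005:18:10:04 -0800] "GET /cgi-bin/links/admin/admin.cgi HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible)"
192.0.2.10 - nadine [19/Dec/2005:18:30:12 -0800] "GET /cgi-bin/links/admin/admin.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label one parsed entry: link checker, admin request accepted/rejected, or other."""
    if entry["ua"] == LINK_CHECKER_UA:
        return "link_checker"
    if entry["path"].startswith(ADMIN_PREFIX):
        return "admin_ok" if entry["status"] == "200" else "admin_rejected"
    return "other"


def summarize(log_text):
    """Count entries by (class, client IP); unparsable lines are counted too."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            counts[("unparsed", "-")] += 1
            continue
        counts[(classify(entry), entry["ip"])] += 1
    return counts


def suspicious_ips(log_text, min_rejections=2):
    """Clients rejected at the admin path at least min_rejections times,
    link-checker traffic excluded."""
    counts = summarize(log_text)
    return sorted(ip for (cls, ip), n in counts.items()
                  if cls == "admin_rejected" and n >= min_rejections)


if __name__ == "__main__":
    for (cls, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cls:15} {ip:15} {n}")
    print("worth a closer look:", suspicious_ips(SAMPLE_LOG))
```

Matching on the User-Agent string is only a sorting aid, since anyone can send that header; the stronger signal is Alex's point that checker hits come from the server's own address and line up with link-check runs, so a request claiming to be the checker from some other address belongs in the rejected pile.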
Re: [Alex] Security Improvements Needed - More Help Needed
Wow...that's good to know. I've been scrutinizing the logs trying to figure out who it could be.

Thanks,

Nadine