The Hacked Server Hangover

by Arnaud Bouchot on April 24, 2014 4 comments

Every Server Admin managing a shared hosting environment knows what the hacked server hangover is like:
– it is painful
– it is frustrating, because it happens despite the strict security you already put in place, already having an antivirus in place, strict firewall rules, upgraded services…
and
– it almost always starts with the same – boring – story
“once upon a time one of your users installed WordPress and forgot about it”, leaving it in a corner of his space and letting it get to a point where it’s several versions older than the current releases -> full of security holes.
I could talk for much longer about these CMSes, Not only WordPress, but basically the security holes are more often originating from the third party templates, plugins, or custom developments rather than the WordPress or other CMSes themselves. These old unmaintained installations make the ideal ground for all the exploit scanners that intruders/hackers are using to get access to your servers. Most of the time a malware has been injected after a series of XSS (Cross-site scripting) attacks or SQL injection exploits in the user’s folder.
The pain is propagating as far as it can to suck out all the resources it can take from your server, in some extreme cases you could also lose access to your own server… Generally, the first symptoms will come with an excess of emails in the queue – thousaaaaaaands – of garbage emails delivering the best offers to the whole world, from your shared server IP -> disaster, in this case where the server is used as a spamming resource, you will also find out that the infected user’s websites have been defaced and are now used to relay the spam sent and host temporary phishing pages to try to steal people’s sensitive data (generally banking details).
This also has a few exciting side effects like exposing your server to high CPU load, leading to such poor performance that you almost cannot SSH-in anymore.

It’s bad times and the fun has just started but action has to be taken as quickly as possible because you are in a very bad spiral of events; next steps are your IP being reported to the DNSBL (DNS Black Listing) -> server blacklisted -> Ip reputation downgraded – break down.

All you need is a hug, a fast, efficient painkiller and a good way of preventing it from ever happening again.

You can ask around for the hug, if you are not spending too much time on your servers I’m sure you’ll find a friend – easy.

I can provide painkillers :

Linux Malware Detect (LMD) is a malware scanner that detects and removes malware on your Linux server. It says it all. It is particulary great for webservers in shared hosting environment and this is LMD’s main focus.

The threat landscape in shared hosted environments is different from the scenario typically addressed by the standard Anti Virus products. These detect primarily OS level trojans, rootkits and traditional file-infecting viruses but are quite poor at detecting the increasing variety of malware at the user account level which serves as an attack platform.

Linux Malet uses MD5 file hashes and HEX pattern matches as signatures.
These signatures are built from malware data that was delivered by IPSes, community data, ClamAV and user submissions.

I have implemented LMD on every Linux Webserver that I install, even my own laptop:

let’s take it onboard.

Please note that you need a linux server, the root access and a bit of paranoia – also in case you are wondering, LMD is already watching all our On-Rev servers.

1) Download the latest LMD package.

# cd /tmp
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

2) Install it

# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh

3) configure it

(every param in the config file is commented)

# nano /usr/local/maldetect/conf.maldet

here's a sample file

# [ EMAIL ALERTS ]
##
# The default email alert toggle
# [0 = disabled, 1 = enabled]
email_alert=1

# The subject line for email alerts
email_subj="maldet alert from $(hostname)"

# The destination addresses for email alerts
# [ values are comma (,) spaced ]
email_addr="you@domain.com"

# Ignore e-mail alerts for reports in which all hits have been cleaned.
# This is ideal on very busy servers where cleaned hits can drown out
# other more actionable reports.
email_ignore_clean=0

##
# [ QUARANTINE OPTIONS ]
##
# The default quarantine action for malware hits
# [0 = alert only, 1 = move to quarantine & alert]
quar_hits=1

# Try to clean string based malware injections
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = clean]
quar_clean=1

# The default suspend action for users wih hits
# Cpanel suspend or set shell /bin/false on non-Cpanel
# [NOTE: quar_hits=1 required]
# [0 = disabled, 1 = suspend account]
quar_susp=0
# minimum userid that can be suspended
quar_susp_minuid=500

4) Manual Scans and Usage

You may just wanna scan the “suspect” user, so that’d be the command you’d want to run.

# maldet --scan-all /home/suspect/

The following command is good to know too, If you previously ran a scan but forgot to turn on the quarantine option, you still can quarantine or clean all previous malware scan results using their SCANID :

# maldet --quarantine SCANID

OR

# maldet --clean SCANID

5) Daily Scans

By default LMD script is located here /etc/cron.daily/maldet and it performs a daily scans, update of signatures, quarantine etc, and sends a daily report of malware scan to your specified emails. The apache folders are already listed but if you need to add additional paths to be scanned, then you will need to add them here:

# nano /etc/cron.daily/maldet

Voila, after having cured a few servers and saved -a lot- of time using LMD I felt I had to tell you about it, hoping it will be as useful to some of you as it has been to me.

Finally I would like to add a little something about WordPress, I like wordpress and the only reason I have mentioned it in our catastrophe scenario above is because this is by far the most popular CMS and so you get a higher probability to find out it has been the gateway of some hack, just because of it’s popular. This does not mean that WordPress is less secure than other CMSes like Joomla or Drupal. As long as you keep your WordPress up to date and respect a few things you’re ok, I could eventually detail these rules in a future blog post.

read more
Arnaud BouchotThe Hacked Server Hangover

better, faster, stronger

by Arnaud Bouchot on March 19, 2014 7 comments

As Twitter Bootstrap released version 3 of its powerful front-end framework recently, I thought introducing it to those of you that are doing some webdev and haven’t used it yet would be a good idea.

 

bootstrap_logo-298x300

 

Note : At this point I assume that you speak a bit of HTML and CSS, and that you have already used jQuery for some of your web projects before as the Javascript library of bootstrap requires jQuery.

 

“I’ve never heard of Twitter bootstrap, what is it” ?

That’s fine… If you have been living on Mars since it released in 2011 or came to web development later on then you have a decent excuse. Bootstrap is a powerful Javascript and CSS framework that allows you to make high standard responsive websites in minutes. Basically this is providing you with all the Javascript and CSS power you will ever need to build a rich UI. Bootstrap has done all the good work to make sure you will not need to worry too much about Cross-Browser Compatibility check, it’s using the last goodness of HTML5 and CSS3 in an advanced fashion. Bootstrap is open source and so well documented that you do not even need to be a Front-End dev genius to come up with something sexy. I have forgot to mention that Bootstrap has been created by two talented Twitter Developers and that now huge names of the web are using it, like Mailchimp for example. I promise, In less than 10 mins you’ll be all setup to use it.  

 

Let’s get setup then

Download Bootstrap Framework here : https://github.com/twbs/bootstrap/releases/downoload/v3.1.1/bootstrap-3.1.1-dist.zip

Now create a “tutorial” folder and unzip the compressed folder into “tutorial” to see the structure of (the compiled) Bootstrap. You’ll see something like this:

tutorial
├──
   bootstrap/
   ├── css/
   │   ├── bootstrap.css
   │   ├── bootstrap.min.css
   │   ├── bootstrap-theme.css
   │   └── bootstrap-theme.min.css
   ├── js/
   │   ├── bootstrap.js
   │   └── bootstrap.min.js
   └── fonts/
       ├── glyphicons-halflings-regular.eot
       ├── glyphicons-halflings-regular.svg
       ├── glyphicons-halflings-regular.ttf
       └── glyphicons-halflings-regular.woff

What we have here is the most basic form of Bootstrap: precompiled files for quick drop-in usage in nearly any web project.   In the example above we will be requiring the minified versions of the CSS and Javascript, the glyphicons files in the fonts folder have been implemented in version 3 to provide a built in icons library, you can preview these icons here : http://getbootstrap.com/components/ we also need jQuery as the bootstrap Javascript requires it.

 

Let’s build that page now!

bootstrap3-screenshot

Create an index.html file in the root of “tutorial” folder and paste the following code :

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="">

    <title>Jumbotron Template for Bootstrap</title>

    <!-- Bootstrap core CSS -->
    <link href="css/bootstrap.min.css" rel="stylesheet">

    <!-- Custom styles for this template -->
    <!-- <link href="jumbotron.css" rel="stylesheet"> -->
  </head>

  <body>

    <div class="navbar navbar-default navbar-fixed-top" role="navigation">
      <div class="container">
        <div class="navbar-header">
          <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
            <span class="sr-only">Toggle navigation</span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
            <span class="icon-bar"></span>
          </button>
          <a class="navbar-brand" href="#">Project name</a>
        </div>
        <div class="navbar-collapse collapse">
          <form class="navbar-form navbar-right" role="form">
            <div class="form-group">
              <input type="text" placeholder="Email" class="form-control">
            </div>
            <div class="form-group">
              <input type="password" placeholder="Password" class="form-control">
            </div>
            <button type="submit" class="btn btn-success">Sign in</button>
          </form>
        </div><!--/.navbar-collapse -->
      </div>
    </div>

    <!-- Main jumbotron for a primary marketing message or call to action -->
    <div class="jumbotron">
      <div class="container">
        <h1>Hello, world!</h1>
        <p>This is a template for a simple marketing or informational website. It includes a large callout called a jumbotron and three supporting pieces of content. Use it as a starting point to create something more unique.</p>
        <p><a class="btn btn-primary btn-lg" role="button">Learn more &raquo;</a></p>
      </div>
    </div>

    <div class="container">
      <!-- Example row of columns -->
      <div class="row">
        <div class="col-md-4">
          <h2>Heading 1</h2>
          <p>Donec id elit non mi porta gravida at eget metus. Fusce dapibus, tellus ac cursus commodo, tortor mauris condimentum nibh, ut fermentum massa justo sit amet risus. Etiam porta sem malesuada magna mollis euismod. Donec sed odio dui. </p>
          <p><a class="btn btn-default" href="#" role="button">View details &raquo;</a></p>
        </div>
        <div class="col-md-4">
          <h2>Heading 2</h2>
          <p>Donec id elit non mi porta gravida at eget metus. Fusce dapibus, tellus ac cursus commodo, tortor mauris condimentum nibh, ut fermentum massa justo sit amet risus. Etiam porta sem malesuada magna mollis euismod. Donec sed odio dui. </p>
          <p><a class="btn btn-default" href="#" role="button">View details &raquo;</a></p>
       </div>
        <div class="col-md-4">
          <h2>Heading 3</h2>
          <p>Donec sed odio dui. Cras justo odio, dapibus ac facilisis in, egestas eget quam. Vestibulum id ligula porta felis euismod semper. Fusce dapibus, tellus ac cursus commodo, tortor mauris condimentum nibh, ut fermentum massa justo sit amet risus.</p>
          <p><a class="btn btn-default" href="#" role="button">View details &raquo;</a></p>
        </div>
      </div>

      <hr>

      <footer>
        <p>&copy; Company 2014</p>
      </footer>
    </div> <!-- /container -->


    <!-- Bootstrap core JavaScript
    ================================================== -->
    <!-- Placed at the end of the document so the pages load faster -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
    <script src="js/bootstrap.min.js"></script>
  </body>
</html>

Note I have been taking this html from the examples they provide here : http://getbootstrap.com/getting-started/#examples

 

we have been including 3 files – the bootstrap CSS between <head></head>

<link href="css/bootstrap.min.css" rel="stylesheet">

– jQuery from the google apis server and bootstrap javascript from our framework just before closing the </body>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>

 

Let’s tweak it.

according to this awesome documentation : http://getbootstrap.com/components

 

We could change the appearance of the top navbar so it would stand up better from the banner that’s above. We can do this by replacing the css class “navbar-default” with “navbar-inverse” in the “navbar” container div tag, the colors we had in the navbar will be inverted. The nav bar container is :

<div class="navbar navbar-default navbar-fixed-top" role="navigation">

So replace the line above with :

<div class="navbar navbar-inverse navbar-fixed-top" role="navigation">

Now let’s add more links into the nav bar, Replace :

<div class="navbar-collapse collapse">

with :

<div class="navbar-collapse collapse">
     <ul class="nav navbar-nav">
        <li class="active"><a href="#">Link</a></li>
        <li><a href="#">Link</a></li>
        <li class="dropdown">
          <a href="#" class="dropdown-toggle" data-toggle="dropdown">Dropdown <b class="caret"></b></a>
          <ul class="dropdown-menu">
            <li><a href="#">Action</a></li>
            <li><a href="#">Another action</a></li>
            <li><a href="#">Something else here</a></li>
            <li class="divider"></li>
            <li><a href="#">Separated link</a></li>
            <li class="divider"></li>
            <li><a href="#">One more separated link</a></li>
          </ul>
        </li>
      </ul>

Note: the code we have added here has to be contained within the div having the class “navbar-collapse”, so the menu items are correctly positionned when you are viewing the page on a mobile, or reducing the viewport.

 

Let’s add a little fancy icon before Heading 1 Replace:

<h2>Heading 1</h2>

With:

<h2><span class="glyphicon glyphicon-thumbs-up"></span> Heading 1</h2>

 

You can continue to play adding/tweaking components using the doc here: http://getbootstrap.com/components

Once you have a precise project in mind you will very likely need to change the layout of your pages to design a blog, a store or simple content etc; At this point you will need to get familiar with building within the Bootstrap grid system, organising your content into column and rows that will automatically stack depending on the size of the screen. You will find all you need about the bootstrap grid system here : http://getbootstrap.com/css/

You could also build you own customised framework, bring your branding, colors and select the javascript you need if you do not need the whole bunch of functionalities included in the default framework : http://getbootstrap.com/customize/

 

This was a quick introduction and I hope that you already realize how much time you could save using this framework.

LiveCode Server and Bootstrap are including the same approach to better, faster, stronger. Spend less time doing more using a short and clean syntax. I believe it is a very good idea to use bootstrap along with your Livecode Server Web Projects, building a stunning responsive website, or simply giving a nice and tidy documentation for your last LiveCode Mobile App.

read more
Arnaud Bouchotbetter, faster, stronger