Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security IT Apache

Doorways Sneak To Non-Default Ports of Hacked Servers 63

Posted by timothy
from the buncha-jerkfaces dept.
UnmaskParasites writes "To drive traffic to their online stores, software pirates hack reputable legitimate websites injecting hidden spammy links and creating doorway pages. Google's search results are seriously poisoned by such doorways. Negligence of webmasters of compromised sites makes this scheme viable — doorways remain unnoticed for years. Not so long ago, hackers began to re-configure Apache on compromised servers to make them serve doorway pages off of non-default ports, still taking advantage of using established domain names."
This discussion has been archived. No new comments can be posted.

Doorways Sneak To Non-Default Ports of Hacked Servers

Comments Filter:
  • by mykos (1627575) on Saturday December 04, 2010 @03:58PM (#34445588)
    This seems more like they're boarding ships than infringing on copyright.
    • by Xtifr (1323)

      Are we finally using the term "pirates" correctly?

      Correctly? You think there's a "the" correct usage? I hate to tell you this, but words in English can, and frequently do have more than one meaning; and there usually isn't just one you can point to and say "this is the correct meaning." In this particular case, the 1913 public domain version of Webster's that is widely distributed on the Internet includes the infringement definition for "pirate", so that use is at least a century old, making it more legit than, say, the term "sky pirate".

      If you want to

      • the 1913 public domain version of Webster's that is widely distributed on the Internet includes the infringement definition for "pirate"

        Wow, you are right! You can even look back further than that [uchicago.edu] and see that even the 1828 version contained "To take by theft or without right or permission, as books or writings".

        I have never understood why the term generates such a massive response here. All language is fluid. Even if the definition wasn't in these old dictionaries, it is in the modern ones because that is the term that people use for the act. Just live with it, I say.

  • by xluap (652530) on Saturday December 04, 2010 @04:34PM (#34445782)

    Would blocking unusual portnumbers in the firewall be a solution?

    • by ledow (319597)

      Er, yeah - any decent hosting setup should have all unused ports firewalled off, hopefully on a separate device.

      Again, poor configuration is the target, not any weakness in the actual technology.

    • by Anonymous Coward

      A solution would be an admin who friggin sets permissions on their apache config and checks the logs.

    • Taking security seriously would be the solution.

      The chances are the intruders have root privileges (since they can re-configure Apache). So they can unblock any ports as easily.

      So if admins don't watch their servers, they won't even know that something's wrong.

      • by Phroggy (441)

        Having root privileges on the web server isn't the same as having access to configure the firewall, assuming the firewall is a separate device and you're not simply relying on a software firewall on the web server itself. But yeah, if they can reconfigure Apache, you're already in trouble.

      • by DavidTC (10147)

        Technically, apache's config file permissions could be set so the apache user could reconfigure them without root privs, so the attacker might not have root...to start with.

        Of course, if they can reconfigure apache as a normal user, they can configure it to, tada, run as root, which neatly solves the whole 'not having root' problem.

        I'm a little amazed that attackers are reconfiguring apache instead of coming up with some rootkity http server of their own.

        • Re:Firewall (Score:4, Interesting)

          by La Gris (531858) <lea.grisNO@SPAMnoiraude.net> on Sunday December 05, 2010 @02:52AM (#34449090) Homepage

          No need to access or change the normal Apache config.

          Usually they just spawn a new apache process as the hacked user with something like apache2 -d /tmp/haxorsite -c "listen 13675" ...

          Suffice to gain user shell access and inject some content te serve.

          Thats why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has very restricted network setup only able to talk to the front servers.

          • by TheLink (130905)

            Thats why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has very restricted network setup only able to talk to the front servers.

            Or maybe they should use IIS7 instead of Apache, more secure :).

          • Interesting point.

            Still makes no excuse why admins leave open ports and don't notice malicious activity on their servers for months

          • by DavidTC (10147)

            Usually they just spawn a new apache process as the hacked user with something like apache2 -d /tmp/haxorsite -c "listen 13675" ...

            Well that's just stupid not to notice. I thought we were talking about something in the apache config, where you'd have to notice either the port being open or config files.

            That's not really anything to do with apache at all. They could run netcat from a shell script or something with that.

            Thats why any decent hosting provider uses some front end servers, eventually with mo

  • by Animats (122034) on Saturday December 04, 2010 @05:10PM (#34445944) Homepage

    Here's a typical break-in, at University of Oakland. [oakland.edu]. This has a good search position in Google for "64 bit Windows". This leads to a software-for-sale page with phony seals of approval from Microsoft, Verisign, etc. That's hosted at Starnet, in Moldovia. The payment site for the sales site is "payment8ltd.net", also hosted on Starnet in Moldovia. They're selling pirated copies of brand-name software at roughly half retail price.

    That site has a TrustWave seal, which pops up a popup for Paym8, a real payment processor in Zaire. TrustWave's seal server doesn't check the referrer when displaying a seal popup, so it can be spoofed. [trustwave.com] Nor does the TrustWave seal even give the domains to which it applies. Verisign and BBBonline check this, but not TrustWave.

    It looks like the actual payment processing occurs at "https://payment8ltd.net/shop/order/process/"; that's where the order goes on "Submit". The site has one of those worthless GoDaddy "Domain control only validated" SSL certs.

    Starnet presents itself as an Internet and telecom service provider, offering the usual data, voice, colocation, and hosting. Headquarters of Starnet seems to be at Vlaicu Parcalab, 63, Chisinau, Republic of Moldova. That's a property of Flexi Offices [flexioffices.com], one of those small-office rental places. Interestingly, Microsoft also has an office in that building.

    There's actual Whois information for that site:

    Registrant Contact: Viktor Menshikov
    Viktor Menshikov (loyal@yourisp.ru)
    ul.V.Urdasha d.36 kv.1
    Rakovo, Respublika Tatarstan, RU 422455
    P: +7.8435122221 F: +7.8435122221

    That location exists; it's a farm town about 500Km east of Moscow. Probably not a real address.

    Searching for "yourisp.ru" brings up a large number of scam reports. The domain itself is registered but not in DNS.

    Most of this recent batch of attacks seem to have similar underlying information.

    • by QuoteMstr (55051)

      This is exactly the crap that Microsoft's genuine advantage is designed to stop. Small-scale personal piracy is one thing, but I fully support efforts to squash unctuous commercial enterprises like this one.

      • by tokul (682258)

        This is exactly the crap that Microsoft's genuine advantage is designed to stop.

        Go easier on stuff you are smoking. f..king WGA is designed to spy on end users and to increase profits.

    • The Whois information is forged. They just use a database of stolen contact details and use them to register domain names.

      Note how registration times of their many domains differ only by seconds.

  • Any box on the internet that doesn't have all ports except 80, 443 (if needed) and an ssh port firewalled is nuts.
    • by DavidTC (10147)

      Pssst. Email.

      Yes, you're right, but if someone can change web server config files, they're root. (Or will soon be.)

      So any firewall on the machine is easy to disable.

      Granted, you could use an external firewall, but at this point you're boarding up windows so that the assassins who are wandering in and out of your house can only shoot out the doorway to kill people. That is not an actual solution to the actual problem you have, which is 'there are assassins wandering around inside your house trying to kil

      • "So any firewall on the machine is easy to disable." So don't have your firewall on the same device "Granted, you could use an external firewall" Security 101. "That is not an actual solution" Yes it is.
        • by DavidTC (10147)

          No, having an external firewall is not a solution to the problem that attackers are running programs as root on your server.(1)

          Neither is stopping them from doing one particular thing, like opening another port.

          1) As someone else mentioned, they might not be running as root, just launching apache with a new config file...at which point iptables would work fine stopping them from opening additional ports.

  • If the page-rank algorithm is currently automatically counting different web servers at the same address but on a different port as the same site, stop that.

    • Why should people like myself, who have a legitimate reason for services on different ports, be punished because others lack the skills to properly secure their networks? Are you suggesting that I should have to proxy all of my services through apache even when their is no benefit to doing so? This isn't a problem that will be fixed from the top down I'm afraid.
      • by mattdm (1931)

        Why should people like myself, who have a legitimate reason for services on different ports, be punished because others lack the skills to properly secure their networks? Are you suggesting that I should have to proxy all of my services through apache even when their is no benefit to doing so? This isn't a problem that will be fixed from the top down I'm afraid.

        You're misunderstanding. Alternate ports shouldn't be inherently penalized. They just shouldn't get a pagerank bump by being on the same hostname as something else. If your content is legit, there really shouldn't be any worry.

        • by DavidTC (10147)

          They just shouldn't get a pagerank bump by being on the same hostname as something else.

          Why not? If google thinks that's a useful way to treat pages, that's fine.

          If this is 'fixed', attacks will just go back to hosting files in hidden directories. The 'alternate ports' aspect of this isn't the problem, it's the fact that people don't locate malicious files they are hosting.

    • by cdrguru (88047)

      Why would Google do anything about this? Are the sites involved using Google Ad Words? Sure they are. Google is supporting this.

  • I host sites on a reseller account. What's a good way to check up on this and make sure my hosted sites are OK? I'm not going to go check every link in every site and compare that to every file on the servers for each site. There has to be an easier way.

    • FTP down the entire contents of your site, and see if anything seems wrong. Directories you don't remember with frame pages, stuff like that.

      If you have a CMS like Joomla or Drupal, download a clean copy of the same version, extract it somewhere, and run something like WinMerge on the entire two directories. See what's different...should only be stuff you've installed, like themes and components, unless you've done some manual hacking.

      Likewise, if it's just 'your site', if you're the only editor, and you upload it using FTP...download it to a different directory, and run WinMerge to compare. They obviously should be identical.

      Downloading via FTP will also run a virus scan on it if you have real-time scanning, although feel free to also do that manually.

      Incidentally, that won't do anything for this problem. If they've hacked your hoster to put extra web sites up on your domain on other ports, it's unlikely you'll be able to notice this, and they certainly won't be in your directories. But doing that requires root access, and this article is idiotic...if attackers have root on your server, the fact they can add extra http servers is the least of your problems.

      Checking all the files helps for the more common attack of them putting up a directory on your site, and sticking malicious stuff in there, or including javascript files that pull in malicious stuff from elsewhere.

      Also, checking every link won't help.You don't have to have a link to that stuff for it to get into Google.

Riches: A gift from Heaven signifying, "This is my beloved son, in whom I am well pleased." -- John D. Rockefeller, (slander by Ambrose Bierce)

Working...