
Doorways Sneak To Non-Default Ports of Hacked Servers

timothy posted more than 3 years ago | from the buncha-jerkfaces dept.

Security 63

UnmaskParasites writes "To drive traffic to their online stores, software pirates hack reputable, legitimate websites, injecting hidden spammy links and creating doorway pages. Google's search results are seriously poisoned by such doorways. Negligence by the webmasters of compromised sites makes this scheme viable: doorways remain unnoticed for years. Not so long ago, hackers began to re-configure Apache on compromised servers to make them serve doorway pages off of non-default ports, still taking advantage of the established domain names."


What the fuck is a doorway? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#34445558)

Would it have cost you more than a few words to tell us?

And I won't even get into timothy's laziness. How much effort does it take to write "buncha jerkfaces" and hit "accept"? If he were an actual editor, he'd probably tweak the article. But no, he's a lazy ass.

Re:What the fuck is a doorway? (-1)

Anonymous Coward | more than 3 years ago | (#34445582)

If we're listing complaints here, then let me log mine:

software pirates hack reputable legitimate websites

I don't even know where to begin with how wrong this quote is.

Re:What the fuck is a doorway? (1)

soloport (312487) | more than 3 years ago | (#34445794)

When they say, "software pirates hack reputable legitimate websites" it means the number of web sites that have fallen victim is: two

Oh, and in between those two are The Doors...

Re:What the fuck is a doorway? (2, Informative)

Anonymous Coward | more than 3 years ago | (#34445606)

Maybe it has something to do with the submitter's name being "UnmaskParasites" and the URL of the article being http://blog.unmaskparasites.com/2010/12/03/doorways-on-non-default-ports-new-trend-in-black-hat-seo/.

If the author of the article did indeed just submit it here in some petty attempt to get traffic, he or she probably wouldn't have known what was unclear with the article.

Had some neutral party submitted this, this submitter may have had to also look up these non-standard terms, and may have had the sense to include the definitions in the summary.

Re:What the fuck is a doorway? (2)

billcopc (196330) | more than 3 years ago | (#34445688)

Or maybe the submitter hacked into an Apache server, put up this navel-gazing article and submitted via a non-default port to Timothy's queue.

o_O

Or maybe Slashdot is turning into a keyword spam infested link dump, like Digg and Reddit and the rest of the goddamned web. I miss the days when we featured cool nerdy projects, and Ask Slashdot required an IQ of at least 120 to even understand the question. This place has gone to the dogs.

Re:What the fuck is a doorway? (1)

Bill Dog (726542) | more than 3 years ago | (#34445826)

This place has indeed gone to the dogs, but revealing modern hacker techniques one should watch out for is part of the reason I keep coming here. I just don't know how I'm going to tell my folks and other non-techie associates that there's something called port numbers that they should also find some way to add to what they try to pay attention to.

Re:What the fuck is a doorway? (0)

Anonymous Coward | more than 3 years ago | (#34446502)

Ideally you should stick your web servers in a DMZ and only open the ports in/out through the firewall that you specifically need. It's not the be all/end all, but it's an additional layer of security and would help mitigate against this particular attack.

Re:What the fuck is a doorway? (2)

DavidTC (10147) | more than 3 years ago | (#34447534)

Uh, no, ideally you shouldn't allow the web server to rewrite its own config.

If it can do that, it's either already running as root, or, duh, its config files can be rewritten so it, from then on, runs as root. Which means the attacker is now running as root either way.

Frankly, half the time it'd be easier to detect extra ports than extra files. A lot of people have either gui interfaces to their http config, at which point an extra server on a weird port showing up would be noticeable, or have a script that writes the config files from a database, in which case an extra server might be erased (Depends on where it was added, though.)

Hell, you'd probably notice it from netstat at some point.

Whereas malicious files hidden in a web site tend to be hidden in a .whatever directory and some obscure CMS include/ file patched to include them, which no one will ever notice.

But stopping 'extra ports' actually does fuck-all for security anyway...it hardly matters if attackers are running malicious web sites out of extra http locations they've set up, or the pre-existing web server...the security implication of that is exactly the same.

The security implications of attackers rewriting http config files, OTOH, are through the roof. If you want to rewrite the http config from web pages, either use something like Webmin, which is designed for it and allows you to run your actual websites as an unprivileged user, or use a page that rewrites a database, and have a root-owned and root-running script that looks for updates to that database and rewrites everything. Do not, I repeat, do not, make /etc/httpd/domains.d/ owned by apache. (Or whatever the path and user for your web server.)

Like I said, it's trivially easy for an attacker with just web-server permissions to figure out that location and write a file that gives the web server root access, and next time it gets restarted...hey, look, their malicious scripts have root access also.

Re:What the fuck is a doorway? (1)

eyrieowl (881195) | more than 3 years ago | (#34451166)

Are you responding to the same comment I see? Where does "running in a dmz" == "running as root"? Your points about it being bad for web servers to rewrite their own config are fine and dandy...but I'm hard pressed to see how they have anything to do with a dmz....

Re:What the fuck is a doorway? (1)

DavidTC (10147) | more than 3 years ago | (#34451348)

Yes, I am responding to you.

You seem to think the way to stop this problem is to stop one single way that a hijacker of a web server is using to attack other people.

They still have other ways to attack people. (Like rewriting the actual files of the site.) And, more importantly, they're still in control of a server!

Like I said somewhere else, this article is 'Assassins who break into people's houses are now shooting people out the window, instead of just the door', which is a moderately useful thing to know, especially when that means they can look like they're coming from another, actually secured, location in the building.

But it has inexplicably led to a discussion about boarding up windows.

While that is a fine thing to do, it is, I must submit, not the actual problem, nor is it the actual solution.

The problem is that there are assassins in people's houses.

Re:What the fuck is a doorway? (-1)

Anonymous Coward | more than 3 years ago | (#34445866)

.....and Ask Slashdot required an IQ of at least 120 to even understand the question. This place has gone to the dogs.

But....you're still here. Any comment?

Re:What the fuck is a doorway? (0)

Planesdragon (210349) | more than 3 years ago | (#34447560)

...and Ask Slashdot required an IQ of at least 120 to even understand the question.

Can you point to even ONE study that links IQ and nerdiness / geekiness? Unapplied Intelligence is fungible, and any community that adopts memes like "hot grits!" or "first post!", while clearly nerdy, does not seem to be demarcated by any substantial intellect requirement.

(Oh, and the English language is organic instead of prescribed. "Ain't" is a word, "ATM Machine" isn't really a tautology, and "hacker" means someone who engages in "hacking", or the illegal access of computer systems through use of technical knowledge.)

Re:What the fuck is a doorway? (1, Insightful)

Gordonjcp (186804) | more than 3 years ago | (#34445904)

Also, you'd think that timothy could lay off the huffing paint fumes and eating crayons for a moment, and maybe avoid using the word "hackers" in the pejorative sense on a site where many view themselves as hackers in the real sense. But no, he manages to embarrass himself once again.

Go and get yourself cleaned up, timothy, and try again.

Re:What the fuck is a doorway? (1, Flamebait)

mjwalshe (1680392) | more than 3 years ago | (#34445926)

Finished throwing one's teddy out of the pram, have we? Language changes over time and has dual meanings; deal with it!

Welcome to Slashdot; now go home (1)

Zero__Kelvin (151819) | more than 3 years ago | (#34447368)

Language only makes sense in a context. In case it escaped you, this is Slashdot, and in this context hackers and crackers are two different things. It is one thing to acknowledge that much of the world is ignorant of the difference. It is another entirely to feed into that ignorance here. If you knew about why people mistakenly call crackers hackers, then you would understand why it is a sensitive issue. IIRC, Steven Levy misunderstood the term when it was used to describe the Robert T. Morris Internet Worm, and used it incorrectly in a New York Times article. The rest is history. To this day it is a common error to use your when the contraction you're is correct. The fact that the mistake is made on a regular basis by people all over the Internet doesn't make it suddenly correct. Likewise, using the word hacker to describe a cracker will never be correct usage, no matter how many people make the error.

See also: "In popular usage and in the media, computer intruders or criminals is the exclusive meaning today, with associated pejorative connotations. (For example, "An Internet 'hacker' broke through state government security systems in March.") In the computing community, the primary meaning is a complimentary description for a particularly brilliant programmer or technical expert." [wikipedia.org] (emphasis added)

aw diddums did i hurt your feelings (1)

mjwalshe (1680392) | more than 3 years ago | (#34449968)

This is Slashdot, so what? I suspected that some sub would rise to the bait. I think I have more chops than you to decide what the current usage of hacker is.
  • I was involved in the online scene in the 80s and have been involved professionally in the online biz since the early 80's.
  • I was at one point third line for the UK's X.400 mail system.
  • I once got asked by my employer to respond to alt.2600 (but BT security thought it unwise).
  • My handle is namechecked in a book fictionalizing the early UK online scene written by a Booker-shortlisted author.

What exactly have you done? Are you suggesting that we ought to have an Académie française that rules on correct usage of technical terms? OK, that would be IBM, and we would be calling motherboards planars, fans AMDs, and hard disks DASD.

Get over it; the term's usage has changed.

PS: "hacker" is also used to indicate a poor golfer, a usage which predates any technical usage.

Re:aw diddums did i hurt your feelings (0)

Anonymous Coward | more than 3 years ago | (#34450000)

"I suspected that some sub would rise to the bait"

Pay attention mods!

Re:aw diddums did i hurt your feelings (1)

Gordonjcp (186804) | more than 3 years ago | (#34488732)

I was at one point third line for the UK's X.400 mail system.

It's quite possible I used to be your boss.

Re:Welcome to Slashdot; now go home (1)

metrix007 (200091) | more than 3 years ago | (#34450806)

I love people who still try to claim that the word hacking is not intrinsically linked to security. To claim the common usage of the word is an error, and all those dictionaries and reporters and millions of people are WRONG WRONG WRONG!

Did you know that the word starve used to mean dying specifically from cold? That's what the word means truly, and everyone else is just using it wrong. The next time you see people who look like they could use a meal and say they are starving, just offer them a sweater. I mean, if they were hungry they would have used the correct word, right?

metrix007 the noob RAN like the troll he is (0)

Anonymous Coward | more than 3 years ago | (#34452450)

http://yro.slashdot.org/comments.pl?sid=1888084&cid=34378092 [slashdot.org] You're the troll that ran when he was confronted on his trolling there in that URL I just put up, because you weren't able to dispute and disprove what was posted and you were asked to. You talk a big game, metrix007, but you can't even show anyone here that you've done more than those you called "ignorant and misinformed" in that URL above. You're a noob, and we all know it, just based on that URL above as well as your repeated insults (obvious or attempted subtle ones) and name calling of others that is shown in your posting history here this week alone, like this one also. Grow up, do something with your life, before you try to play "expert" with anyone here or elsewhere that have (which is what you tried above, and you ran, lol!). You're nitpicking now? Completely irrelevant (though crack/cracking/cracker would be better to use than hack/hacking/hacker, we know what was implied/meant anyhow - no need for your trollish English grammar technique, which gives you away as being on your "last leg" and until you can show us your PhD in English? You're FAR from an expert on that too...)

Re:metrix007 the noob RAN like the troll he is (1)

metrix007 (200091) | more than 3 years ago | (#34453184)

Wow APK, you sure take stuff personally.

Logan's Run? No, metrix007's run! (0)

Anonymous Coward | more than 3 years ago | (#34458228)

Run, runner... http://yro.slashdot.org/comments.pl?sid=1888084&cid=34378092 and keep showing the rest of us how much of a cowardly little troll you really are.

Re:metrix007 the noob RAN like the troll he is (0)

Anonymous Coward | more than 3 years ago | (#34458402)

Maybe you shouldn't troll others then, metrix007.

Are we finally using the term "pirates" correctly? (2)

mykos (1627575) | more than 3 years ago | (#34445588)

This seems more like they're boarding ships than infringing on copyright.

Re:Are we finally using the term "pirates" correct (-1)

Anonymous Coward | more than 3 years ago | (#34445620)

Piracy is well established as to mean copyright infringement. I don't think we should confuse the issue by labeling much worse things (i.e. these hacker peoples) as piracy

Re:Are we finally using the term "pirates" correct (4, Funny)

adolf (21054) | more than 3 years ago | (#34445774)

Piracy is well established as to mean copyright infringement. I don't think we should confuse the issue by labeling much worse things (i.e. these hacker peoples) as piracy

Ob-1999: I think you misspelt "cracker" [slashdot.org].

Re:Are we finally using the term "pirates" correct (1)

Anonymous Coward | more than 3 years ago | (#34446386)

Racist!

Re:Are we finally using the term "pirates" correct (1)

StealthSock (634668) | more than 3 years ago | (#34446508)

First sentence in TFA: "A year ago I blogged about how hackers managed to hijack hundreds of high-profile websites to make them promote online stores that sold pirated software at about 5-10% of a real cost." When they say pirates, they are referring to the fact that these web sites were built to sell pirated software. Even a profession that was not in the tech black market category would have fit in the summary. For example "To drive traffic to their web sites full of illegal and potentially poisonous recipes, rogue chefs hack reputable legitimate websites injecting hidden spammy links and creating doorway pages."

Re:Are we finally using the term "pirates" correct (1)

Xtifr (1323) | more than 3 years ago | (#34445950)

Are we finally using the term "pirates" correctly?

Correctly? You think there's a "the" correct usage? I hate to tell you this, but words in English can, and frequently do, have more than one meaning; and there usually isn't just one you can point to and say "this is the correct meaning." In this particular case, the 1913 public domain version of Webster's that is widely distributed on the Internet includes the infringement definition for "pirate", so that use is at least a century old, making it more legit than, say, the term "sky pirate".

If you want to argue that using the term for infringement is inappropriate and should be abandoned, I'm with ya, but to claim it's incorrect just makes you look silly.

That said, I'm not sure the term "pirate" applies here no matter which meaning of the word you choose. But yes, it does seem closer to the nautical definition, if anything. :)

Re:Are we finally using the term "pirates" correct (1)

Gadget_Guy (627405) | more than 3 years ago | (#34447926)

the 1913 public domain version of Webster's that is widely distributed on the Internet includes the infringement definition for "pirate"

Wow, you are right! You can even look back further than that [uchicago.edu] and see that even the 1828 version contained "To take by theft or without right or permission, as books or writings".

I have never understood why the term generates such a massive response here. All language is fluid. Even if the definition wasn't in these old dictionaries, it is in the modern ones because that is the term that people use for the act. Just live with it, I say.

Re:Are we finally using the term "pirates" correct (0)

Anonymous Coward | more than 3 years ago | (#34449490)

I have never understood why the term generates such a massive response here.

Because people don't like that what they're doing got a word with negative tone for it. If it was "Liberators" instead of "Pirates", they wouldn't complain.

Re:Are we finally using the term "pirates" correct (1)

Gadget_Guy (627405) | more than 3 years ago | (#34450304)

The word "liberators" assumes that what is being liberated wants to escape. Whether you are copying games, music, films or books, none of these things actually desires to be liberated. Instead, the pirate wants to use the product without paying for it, so they just take it. It is a completely selfish act, and a label with a negative tone is quite apt.

I'm not going to go all Marge Simpson here and say "don't do that". All I ask is that the pirates don't try and sugar coat what they do as something noble.

Firewall (3)

xluap (652530) | more than 3 years ago | (#34445782)

Would blocking unusual portnumbers in the firewall be a solution?

Re:Firewall (2)

ledow (319597) | more than 3 years ago | (#34445806)

Er, yeah - any decent hosting setup should have all unused ports firewalled off, hopefully on a separate device.

Again, poor configuration is the target, not any weakness in the actual technology.

Re:Firewall (1)

Anonymous Coward | more than 3 years ago | (#34445858)

A solution would be an admin who friggin sets permissions on their apache config and checks the logs.

Re:Firewall (0)

Anonymous Coward | more than 3 years ago | (#34473432)

Wouldn't really matter. You don't need apache to listen on a network port and serve a redirect page. I could write one in 10 lines of C.

You need firewall rules and to make sure you don't have vulnerabilities on your website. Simple stuff.

Re:Firewall (1)

UnmaskParasites (1597151) | more than 3 years ago | (#34446192)

Taking security seriously would be the solution.

The chances are the intruders have root privileges (since they can re-configure Apache). So they can unblock any ports as easily.

So if admins don't watch their servers, they won't even know that something's wrong.

Re:Firewall (1)

Phroggy (441) | more than 3 years ago | (#34446364)

Having root privileges on the web server isn't the same as having access to configure the firewall, assuming the firewall is a separate device and you're not simply relying on a software firewall on the web server itself. But yeah, if they can reconfigure Apache, you're already in trouble.

Re:Firewall (2)

DavidTC (10147) | more than 3 years ago | (#34447582)

Technically, apache's config file permissions could be set so the apache user could reconfigure them without root privs, so the attacker might not have root...to start with.

Of course, if they can reconfigure apache as a normal user, they can configure it to, tada, run as root, which neatly solves the whole 'not having root' problem.

I'm a little amazed that attackers are reconfiguring apache instead of coming up with some rootkity http server of their own.

Re:Firewall (3, Interesting)

La Gris (531858) | more than 3 years ago | (#34449090)

No need to access or change the normal Apache config.

Usually they just spawn a new apache process as the hacked user with something like apache2 -d /tmp/haxorsite -c "listen 13675" ...

Suffice it to gain user shell access and inject some content to serve.

That's why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has a very restricted network setup, only able to talk to the front servers.

Re:Firewall (1)

TheLink (130905) | more than 3 years ago | (#34449648)

That's why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has a very restricted network setup, only able to talk to the front servers.

Or maybe they should use IIS7 instead of Apache, more secure :).

Re:Firewall (1)

UnmaskParasites (1597151) | more than 3 years ago | (#34450592)

Interesting point.

Still, that's no excuse for admins leaving ports open and not noticing malicious activity on their servers for months.

Re:Firewall (1)

DavidTC (10147) | more than 3 years ago | (#34451258)

Usually they just spawn a new apache process as the hacked user with something like apache2 -d /tmp/haxorsite -c "listen 13675" ...

Well that's just stupid not to notice. I thought we were talking about something in the apache config, where you'd have to notice either the port being open or config files.

That's not really anything to do with apache at all. They could run netcat from a shell script or something with that.

That's why any decent hosting provider uses some front end servers, eventually with mod_security, so the back-end cluster has a very restricted network setup, only able to talk to the front servers.

And, again, I must point out that I find this incomprehensible and serving no purpose. If that's really the issue, and they aren't priv'd users, just use iptables to stop extra ports.

Or, even better, use SELinux to stop children of php-fpm or whatever from opening additional ports.
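As an added defender-side illustration of the checks DavidTC and La Gris describe above (noticing an extra listening port from netstat/ss, and spotting a second apache2 started with its own ServerRoot and a command-line "listen" directive), here is a small Python audit script. It is not code from the thread or from any poster; the allowlist of expected ports, the config-directory paths and the sample `ss`/`ps` output are constructed assumptions for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports this host is expected to listen on: ssh plus the two standard web ports
# (an assumption for this example; set it to the host's real role).
EXPECTED_PORTS = {22, 80, 443}
# Process names Apache runs under, and where its legitimate config lives (assumed paths).
APACHE_NAMES = {"apache2", "httpd"}
LEGIT_CONFIG_PREFIXES = ("/etc/apache2", "/etc/httpd")


@dataclass(frozen=True)
class Listener:
    port: int
    process: str
    pid: int


# One `ss -ltnp` row: LISTEN, two queue counters, local addr:port, peer addr:port,
# then users:(("name",pid=N,fd=M),...). Only the first owning process is captured.
SS_ROW = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltnp` output (Linux) into Listener records; rows that do not match are skipped."""
    found = []
    for line in output.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            found.append(Listener(int(m["port"]), m["proc"], int(m["pid"])))
    return found


def unexpected_listeners(listeners: list[Listener], expected=EXPECTED_PORTS) -> list[Listener]:
    """Listeners on ports outside the allowlist: the extra port a netstat/ss check would show."""
    return [l for l in listeners if l.port not in expected]


def rogue_apache_processes(ps_output: str) -> list[tuple[int, str, str]]:
    """Scan `ps -eo pid,user,args` output for apache2/httpd started with a ServerRoot (-d) or
    config file (-f) outside the system config directory, or with a Listen directive pushed in
    on the command line via -c. Returns (pid, user, reason) tuples."""
    findings = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header line or malformed row
        pid, user, args = int(parts[0]), parts[1], parts[2].split()
        if args[0].rsplit("/", 1)[-1] not in APACHE_NAMES:
            continue
        for i, flag in enumerate(args[:-1]):
            value = args[i + 1]
            if flag in ("-d", "-f") and not value.startswith(LEGIT_CONFIG_PREFIXES):
                findings.append((pid, user, f"{flag} {value} is outside the system config dir"))
            elif flag == "-c" and value.lower() == "listen":
                findings.append((pid, user, "Listen directive on the command line: "
                                 + " ".join(args[i + 1:i + 3])))
    return findings


def audit(ss_output: str, ps_output: str) -> dict:
    """Run both checks and return one report."""
    extra = unexpected_listeners(parse_ss(ss_output))
    return {
        "unexpected_ports": sorted({l.port for l in extra}),
        "extra_listeners": extra,
        "rogue_apache": rogue_apache_processes(ps_output),
    }


# Constructed sample data (not captured from a real host), shaped like `ss -ltnp` and
# `ps -eo pid,user,args` on a host where a second apache2 was started the way La Gris describes.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=900,fd=3))
LISTEN  0       511            0.0.0.0:80          0.0.0.0:*      users:(("apache2",pid=1234,fd=4),("apache2",pid=1230,fd=4))
LISTEN  0       511                  *:443               *:*      users:(("apache2",pid=1230,fd=6))
LISTEN  0       511            0.0.0.0:13675       0.0.0.0:*      users:(("apache2",pid=4312,fd=4))
"""
SAMPLE_PS = """\
  PID USER     COMMAND
 1230 root     /usr/sbin/apache2 -k start
 1234 www-data /usr/sbin/apache2 -k start
 4312 www-data apache2 -d /tmp/haxorsite -c Listen 13675
"""

if __name__ == "__main__":
    report = audit(SAMPLE_SS, SAMPLE_PS)
    for l in report["extra_listeners"]:
        print(f"unexpected listener: port {l.port} owned by {l.process} (pid {l.pid})")
    for pid, user, reason in report["rogue_apache"]:
        print(f"suspicious apache process {pid} ({user}): {reason}")
```

On a real host, feed it the output of `ss -ltnp` and `ps -eo pid,user,args` from cron and alert on a non-empty report; a process-listing check like this also catches the netcat-from-a-shell-script variant only if you extend APACHE_NAMES to whatever binaries you consider unexpected as listeners.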

VERSACE (-1)

Anonymous Coward | more than 3 years ago | (#34445854)

Check out the new Versace V9 luxury mobile phone, featuring metallic housing with Swarowski crystal stone, shake control, turn-to-mute, blacklist functions and 2000 mAh battery. Available in gold or silver for only EUR 135 on www.versace-v9.eu

Re:VERSACE (-1)

Anonymous Coward | more than 3 years ago | (#34445958)

Also available for sale at "http://www.amazon.com:666/".

Here's an example break-in. (5, Informative)

Animats (122034) | more than 3 years ago | (#34445944)

Here's a typical break-in, at the University of Oakland [oakland.edu]. This has a good search position in Google for "64 bit Windows". This leads to a software-for-sale page with phony seals of approval from Microsoft, Verisign, etc. That's hosted at Starnet, in Moldova. The payment site for the sales site is "payment8ltd.net", also hosted on Starnet in Moldova. They're selling pirated copies of brand-name software at roughly half retail price.

That site has a TrustWave seal, which pops up a popup for Paym8, a real payment processor in Zaire. TrustWave's seal server doesn't check the referrer when displaying a seal popup, so it can be spoofed. [trustwave.com] Nor does the TrustWave seal even give the domains to which it applies. Verisign and BBBonline check this, but not TrustWave.

It looks like the actual payment processing occurs at "https://payment8ltd.net/shop/order/process/"; that's where the order goes on "Submit". The site has one of those worthless GoDaddy "Domain control only validated" SSL certs.

Starnet presents itself as an Internet and telecom service provider, offering the usual data, voice, colocation, and hosting. Headquarters of Starnet seems to be at Vlaicu Parcalab, 63, Chisinau, Republic of Moldova. That's a property of Flexi Offices [flexioffices.com], one of those small-office rental places. Interestingly, Microsoft also has an office in that building.

There's actual Whois information for that site:

Registrant Contact: Viktor Menshikov
Viktor Menshikov (loyal@yourisp.ru)
ul.V.Urdasha d.36 kv.1
Rakovo, Respublika Tatarstan, RU 422455
P: +7.8435122221 F: +7.8435122221

That location exists; it's a farm town about 500 km east of Moscow. Probably not a real address.

Searching for "yourisp.ru" brings up a large number of scam reports. The domain itself is registered but not in DNS.

Most of this recent batch of attacks seem to have similar underlying information.

Re:Here's an example break-in. (2)

QuoteMstr (55051) | more than 3 years ago | (#34446062)

This is exactly the crap that Microsoft's Genuine Advantage is designed to stop. Small-scale personal piracy is one thing, but I fully support efforts to squash unctuous commercial enterprises like this one.

Re:Here's an example break-in. (1)

tokul (682258) | more than 3 years ago | (#34449628)

This is exactly the crap that Microsoft's Genuine Advantage is designed to stop.

Go easier on stuff you are smoking. f..king WGA is designed to spy on end users and to increase profits.

Re:Here's an example break-in. (1)

UnmaskParasites (1597151) | more than 3 years ago | (#34446148)

The Whois information is forged. They just use a database of stolen contact details and use them to register domain names.

Note how registration times of their many domains differ only by seconds.

Re:Here's an example break-in. (0)

Anonymous Coward | more than 3 years ago | (#34446314)

The site has one of those worthless GoDaddy "Domain control only validated" SSL certs.

It isn't worthless. It ensures that only the correct scum sees your payment info.

Re:Here's an example break-in. (0)

Anonymous Coward | more than 3 years ago | (#34447014)

Since that service still seems to be available, can we take it that nobody has bothered to inform the Oakland server admin?

Thanks for the info.: Why? See inside... apk (0)

Anonymous Coward | more than 3 years ago | (#34458500)

Thanks for supplying the bogus domains information. I checked on yourisp.ru, and sure enough - a known bogus malware domain/host name. It's blocked out here now, alongside payment8ltd.net, & how? Here is HOW & WHY:

15++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

1.) Adblock blocks ads in only 1 browser family (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

2.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via PINGS &/or WHOIS though, regularly, so you have the correct IP & it's current)).

6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

7.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://www.stopbadware.org/ [stopbadware.org]
http://blog.fireeye.com/ [fireeye.com]
http://mtc.sri.com/ [sri.com]
http://news.netcraft.com/ [netcraft.com]
http://www.shadowserver.org/ [shadowserver.org]

REGULARLY UPDATED HOSTS FILES SITES (reputable/reliable sources):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

8.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs.

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) You don't have the sourcecode to Adblock. With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in).

15.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

* MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & Firefox has such a list, as does IE) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, GET CACHED, for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a user's 1st request that's "Webbound" via say, a webbrowser) into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL lag upon reload though, depending on the size of your HOSTS file.

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"...

APK

P.S.=> Some more notes on DNS servers & their problems, very recent + ongoing ones:

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even GOOGLE DNS, & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

Then, there is also the words of respected security expert, Mr. Oliver Day, from SECUNIA.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, from my initial & subsequent posts here in this very exchange no less... & guess who was posting about HOSTS files 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly!

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also)... apk
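The post above treats a HOSTS file as a blocking layer that the resolver consults before DNS. The same mechanism is what malware abuses in the other direction, pointing a legitimate name at an attacker's address, so a practitioner auditing the file wants to see both kinds of entry. The following is an added example, not the poster's code and not taken from mvps.org or any other list project: it parses HOSTS text, separates blackhole (blocking) entries from redirects, flags duplicate and unparsable lines, and answers whether a given name is blocked. The sample file is constructed for the example.

```python
"""Audit a HOSTS file: blocking entries versus redirects.

Added example, not part of the post above or of any HOSTS list project.
A blocking HOSTS list (mvps.org style) points unwanted names at 0.0.0.0
or 127.0.0.1; a hijacked HOSTS file points a legitimate name at an
attacker's address. The same parser finds both, plus duplicate and
unparsable lines, and answers "is this name blocked?".
"""
import ipaddress
from collections import Counter

# Addresses that turn an entry into a blackhole (blocking) entry.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not count as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not a real list and not from any real machine.
SAMPLE_HOSTS = """\
# comments and blank lines are ignored
127.0.0.1   localhost
::1         localhost ip6-localhost

0.0.0.0     ads.example.net            # trailing comment
0.0.0.0     tracker.example.org banner.example.org
127.0.0.1   c2.example.com
127.0.0.1   c2.example.com             # duplicate line
198.51.100.7 www.bank.example          # redirect to a non-loopback address
300.1.1.1   broken.example             # not a valid address
"""


def parse_hosts(text):
    """Yield (lineno, address_string, [hostnames]) for every entry line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments, inline or full-line
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text):
    """Return blocked names, redirected names, duplicate entries and invalid lines."""
    blocked, redirected, invalid = set(), {}, []
    seen = Counter()
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = str(ipaddress.ip_address(ip))   # normalises and validates v4/v6
        except ValueError:
            invalid.append(lineno)
            continue
        for name in names:
            seen[(addr, name)] += 1
            if addr in BLACKHOLE:
                if name not in LOOPBACK_NAMES:
                    blocked.add(name)
            else:
                # A resolver would hand this address back for the name:
                # either a deliberate override or a hijack. Review each one.
                redirected[name] = addr
    duplicates = sorted(name for (_, name), n in seen.items() if n > 1)
    return {"blocked": blocked, "redirected": redirected,
            "duplicates": duplicates, "invalid_lines": invalid}


def is_blocked(text, hostname):
    """True if hostname is pinned to a blackhole address in this HOSTS text."""
    return hostname.lower() in audit_hosts(text)["blocked"]


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for key in ("blocked", "redirected", "duplicates", "invalid_lines"):
        print(key, report[key])
```

Run it against the real file (%WinDir%\system32\drivers\etc\hosts on Windows, /etc/hosts on Linux) by reading it into `audit_hosts`. Anything in `redirected` that you did not put there yourself deserves attention, which is the other side of the post's point about setting the file read-only or ACL-protected.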

Not a lot of sympathy (1)

s7uar7 (746699) | more than 3 years ago | (#34446016)

Any box on the internet that doesn't have all ports except 80, 443 (if needed) and an ssh port firewalled is nuts.

Re:Not a lot of sympathy (1)

DavidTC (10147) | more than 3 years ago | (#34447620)

Pssst. Email.

Yes, you're right, but if someone can change web server config files, they're root. (Or will soon be.)

So any firewall on the machine is easy to disable.

Granted, you could use an external firewall, but at this point you're boarding up windows so that the assassins who are wandering in and out of your house can only shoot out the doorway to kill people. That is not an actual solution to the actual problem you have, which is 'there are assassins wandering around inside your house trying to kill people'.

Re:Not a lot of sympathy (1)

hairyfish (1653411) | more than 3 years ago | (#34448400)

"So any firewall on the machine is easy to disable."

So don't have your firewall on the same device.

"Granted, you could use an external firewall"

Security 101.

"That is not an actual solution"

Yes it is.

Re:Not a lot of sympathy (1)

DavidTC (10147) | more than 3 years ago | (#34451270)

No, having an external firewall is not a solution to the problem that attackers are running programs as root on your server. (1)

Neither is stopping them from doing one particular thing, like opening another port.

1) As someone else mentioned, they might not be running as root, just launching apache with a new config file...at which point iptables would work fine stopping them from opening additional ports.
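The thread above turns on what a compromised server is actually listening on, and the story itself is about attackers adding Listen/VirtualHost entries on non-default ports. As an added example, not part of the thread and not an Apache tool, the following audits Apache configuration text: it collects every Listen port, reports those outside an allowlist, and flags any <VirtualHost> that uses such a port or serves from outside the expected web root. The allowlist, the web-root prefix and the sample config are assumptions constructed for the example; Include directives are not followed, so run it per file or over your concatenated config.

```python
"""Audit Apache config text for listeners and virtual hosts on unexpected ports.

Added example written for this thread; not part of the original story or
of any Apache tooling. The doorway scheme in the story adds Listen and
<VirtualHost> entries on non-default ports, so the audit reports Listen
ports outside an allowlist and any <VirtualHost> that uses such a port
or serves from outside the expected web root.
"""
import re

EXPECTED_PORTS = {80, 443}             # assumption: only HTTP/HTTPS are expected
EXPECTED_DOCROOT_PREFIX = "/var/www/"  # assumption: where legitimate sites live

# Constructed sample config; not taken from any real host.
SAMPLE_CONFIG = """\
Listen 80
Listen 443 https
Listen 0.0.0.0:8003
Listen [::]:8003

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:8003>
    ServerName www.example.com
    DocumentRoot /tmp/.x/doorway
</VirtualHost>
"""

# Listen [addr:]port [protocol]; addr may be dotted, *, or a bracketed IPv6 literal.
LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\[[^\]]*\]:|[\d.*]+:)?(\d+)", re.I | re.M)
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)


def listen_ports(text):
    """Set of TCP ports named by Listen directives."""
    return {int(m.group(1)) for m in LISTEN_RE.finditer(text)}


def _directive(body, name):
    """Value of the first `name` directive in a block body, quotes stripped."""
    m = re.search(r'^\s*%s\s+"?([^"\s]+)' % name, body, re.I | re.M)
    return m.group(1) if m else None


def _vhost_port(addr):
    """Port from a VirtualHost address; None means 'every Listen port'."""
    if addr.endswith("]") or ":" not in addr:
        return None
    tail = addr.rsplit(":", 1)[1]
    return int(tail) if tail.isdigit() else None


def virtual_hosts(text):
    """One record per VirtualHost address: port, ServerName, DocumentRoot."""
    hosts = []
    for m in VHOST_RE.finditer(text):
        addrs, body = m.group(1).split(), m.group(2)
        for addr in addrs:
            hosts.append({"port": _vhost_port(addr),
                          "server_name": _directive(body, "ServerName"),
                          "docroot": _directive(body, "DocumentRoot")})
    return hosts


def audit_apache(text, expected_ports=EXPECTED_PORTS,
                 docroot_prefix=EXPECTED_DOCROOT_PREFIX):
    """Report unexpected Listen ports and virtual hosts that look like doorways."""
    ports = listen_ports(text)
    findings = []
    for vh in virtual_hosts(text):
        reasons = []
        vh_ports = {vh["port"]} if vh["port"] is not None else ports
        bad_ports = sorted(vh_ports - expected_ports)
        if bad_ports:
            reasons.append("listens on non-default port(s) %s" % bad_ports)
        if vh["docroot"] and not vh["docroot"].startswith(docroot_prefix):
            reasons.append("DocumentRoot outside %s" % docroot_prefix)
        if reasons:
            findings.append(dict(vh, reasons=reasons))
    return {"listen_ports": sorted(ports),
            "unexpected_ports": sorted(ports - expected_ports),
            "findings": findings}


if __name__ == "__main__":
    for key, value in audit_apache(SAMPLE_CONFIG).items():
        print(key, value)
```

A config audit only covers the config you feed it. As the footnote above notes, an attacker can start a second httpd with its own file, so pair this with a look at what is really bound on the host (`ss -lntp` on Linux, or `apachectl -S` for the running server's view of its vhosts) and treat any listener the config does not explain as a finding in itself.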

This seems easy to fix on the Google side (1)

mattdm (1931) | more than 3 years ago | (#34446114)

If the page-rank algorithm is currently automatically counting different web servers at the same address but on a different port as the same site, stop that.

Re:This seems easy to fix on the Google side (1)

dr. chuck bunsen (762090) | more than 3 years ago | (#34446458)

Why should people like myself, who have a legitimate reason for services on different ports, be punished because others lack the skills to properly secure their networks? Are you suggesting that I should have to proxy all of my services through apache even when there is no benefit to doing so? This isn't a problem that will be fixed from the top down I'm afraid.

Re:This seems easy to fix on the Google side (1)

mattdm (1931) | more than 3 years ago | (#34447078)

Why should people like myself, who have a legitimate reason for services on different ports, be punished because others lack the skills to properly secure their networks? Are you suggesting that I should have to proxy all of my services through apache even when there is no benefit to doing so? This isn't a problem that will be fixed from the top down I'm afraid.

You're misunderstanding. Alternate ports shouldn't be inherently penalized. They just shouldn't get a pagerank bump by being on the same hostname as something else. If your content is legit, there really shouldn't be any worry.

Re:This seems easy to fix on the Google side (1)

DavidTC (10147) | more than 3 years ago | (#34447660)

They just shouldn't get a pagerank bump by being on the same hostname as something else.

Why not? If google thinks that's a useful way to treat pages, that's fine.

If this is 'fixed', attacks will just go back to hosting files in hidden directories. The 'alternate ports' aspect of this isn't the problem, it's the fact that people don't locate malicious files they are hosting.

Re:This seems easy to fix on the Google side (1)

cdrguru (88047) | more than 3 years ago | (#34447442)

Why would Google do anything about this? Are the sites involved using Google Ad Words? Sure they are. Google is supporting this.

How do I check this on a hosted server? (1)

JustCallMeRich (1185429) | more than 3 years ago | (#34446544)

I host sites on a reseller account. What's a good way to check up on this and make sure my hosted sites are OK? I'm not going to go check every link in every site and compare that to every file on the servers for each site. There has to be an easier way.

Re:How do I check this on a hosted server? (3, Informative)

DavidTC (10147) | more than 3 years ago | (#34447720)

FTP down the entire contents of your site, and see if anything seems wrong. Directories you don't remember with frame pages, stuff like that.

If you have a CMS like Joomla or Drupal, download a clean copy of the same version, extract it somewhere, and run something like WinMerge on the entire two directories. See what's different...should only be stuff you've installed, like themes and components, unless you've done some manual hacking.

Likewise, if it's just 'your site', if you're the only editor, and you upload it using FTP...download it to a different directory, and run WinMerge to compare. They obviously should be identical.

Downloading via FTP will also run a virus scan on it if you have real-time scanning, although feel free to also do that manually.

Incidentally, that won't do anything for this problem. If they've hacked your hoster to put extra web sites up on your domain on other ports, it's unlikely you'll be able to notice this, and they certainly won't be in your directories. But doing that requires root access, and this article is idiotic...if attackers have root on your server, the fact they can add extra http servers is the least of your problems.

Checking all the files helps for the more common attack of them putting up a directory on your site, and sticking malicious stuff in there, or including javascript files that pull in malicious stuff from elsewhere.

Also, checking every link won't help. You don't have to have a link to that stuff for it to get into Google.
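The procedure in the post above (download the site, extract a clean copy of the same CMS release, diff the two trees) is easy to script. What follows is an added example, not the poster's code and not tied to any particular CMS: it hashes every file under both roots with SHA-256 and reports files that were added, modified or removed in the deployed copy, skipping path prefixes you declare as legitimate local customisation. The two trees, the `themes/` ignore prefix and the file contents are constructed for the example.

```python
"""Compare a deployed site tree against a clean copy of the same release.

Added example, not the poster's code and not tied to any CMS. It scripts the
check described in the post: hash both trees and report every file added,
modified or removed in the deployed copy. Hashes rather than timestamps mean
a re-upload that changed nothing is silent, while a one-line include added
to a core file is reported.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(clean_root, deployed_root, ignore_prefixes=()):
    """Return added/modified/removed paths, ignoring declared local prefixes."""
    clean = hash_tree(clean_root)
    deployed = hash_tree(deployed_root)

    def ignored(path):
        return any(path.startswith(prefix) for prefix in ignore_prefixes)

    added = sorted(p for p in deployed if p not in clean and not ignored(p))
    removed = sorted(p for p in clean if p not in deployed and not ignored(p))
    modified = sorted(p for p in clean
                      if p in deployed and clean[p] != deployed[p] and not ignored(p))
    return {"added": added, "modified": modified, "removed": removed}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build two constructed trees in temp dirs and compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "index.php", b"<?php include 'core/boot.php';\n")
            _write(root, "core/boot.php", b"<?php // framework bootstrap\n")
            _write(root, "core/Router.php", b"<?php class Router {}\n")
        # Legitimate local customisation: ignored via the themes/ prefix.
        _write(live, "themes/mine/style.css", b"body { color: #333; }\n")
        # Constructed attacker artefacts: a hidden directory of doorway pages
        # and an extra include appended to a core file.
        _write(live, "images/.cache/cheap-software.html", b"<html>doorway</html>\n")
        _write(live, "core/boot.php",
               b"<?php // framework bootstrap\n@include '/tmp/.x/l.php';\n")
        # And a file missing from the deployed copy.
        os.remove(os.path.join(live, "core", "Router.php"))
        return compare_trees(clean, live, ignore_prefixes=("themes/",))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Point `compare_trees` at the pristine extract and at the directory you pulled down over FTP, and add your own uploads, config and theme directories to `ignore_prefixes`. Everything left in `added` is the list of directories the post tells you to look for, and `modified` catches the case where nothing new was created and a core file was simply edited to pull content from elsewhere.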
