Brute Force Attack cPanel

Check the logs:

# nano /var/log messages
PAM-hulk[13813]: Brute force detection active: 580 LOGIN DENIED

Check

cphulkd.log at /usr/local/cpanel/logs


# nano /usr/local/cpanel/logs/login_log
72.177.xxx.xx - root [11/04/2014:05:48:13 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN whostmgrd: brute force attempt (user root) has locked out IP 72.177.xxx.xx

Sandworm Vulnerability Affects All Microsoft Operating Systems

On Tuesday, October 14, 2014, iSIGHT Partners and Microsoft announced a Zero-Day vulnerability named “Sandworm” found in all versions of Microsoft Windows and Windows Server 2008 and 2012.

The vulnerability has been exploited in a small number of cyberespionage attacks against NATO, energy companies, a US academic organization and many others. Microsoft has since created a patch and released it as one of their security updates (CVE-2014-4114.).

If you have enabled automatic updating, the Microsoft security update will be downloaded and installed automatically. If you have not, it is critical that you run the security update from Microsoft, as well as all other important security updates through the Windows Updater immediately.

If you would like to learn more about the Sandworm vulnerability, in-depth information can be found on iSIGHT Partners blog and Microsoft’s Security TechCenter.

Fail2Ban Setup on CentOS 6.6

Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Follow up by installing fail2ban:

yum install fail2ban

The default fail2ban configuration file is location at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however, and we should instead make a local copy of it.


cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After the file is copied, you can make all of your changes within the new jail.local file. Many of possible services that may need protection are in the file already. Each is located in its own section, configured and turned off.

Set up a few rules on a plesk server with CentOS

SSH

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=10222, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=admin@domain.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5

* Notice ssh is set up on port 10222

ProFTP

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=admin@domain.com]
logpath  = /var/log/secure
maxretry = 5

* Notice the log location. This is for a Plesk server as proftpd logs to /var/log/secure
Restart fail2ban

# service fail2ban restart

Postfix

# This jail forces the backend to "polling".
[sasl-iptables]

enabled  = true
filter   = postfix-sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=admin@domain.com]
logpath  = /usr/local/psa/var/log/maillog

Postfix

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = hostsdeny[file=/etc/fail2ban/hosts.deny]
           sendmail[name=Postfix, dest=admin@domain.com]
logpath  = /usr/local/psa/var/log/maillog
bantime  = 300

Apache Auth

[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = iptables[name=apache, port=apache, protocol=tcp]
           sendmail-whois[name=apache, dest=admin@domain.com]
logpath  = /var/log/httpd/error_log
#           /home/www/myhomepage/error.log
maxretry = 6

Whitelist IP’s in Fail2ban

Whitelisting is setup in the jail.conf file using a space separated list.


[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not                          
# ban a host which matches an address in this list. Several addresses can be                             
# defined using space separator.                                                                        
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8


# This will ignore connection coming from common private networks.
# Note that local connections can come from other than just 127.0.0.1, so
# this needs CIDR range too.
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

Source: http://www.fail2ban.org/wiki/index.php/Main_Page

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store ortransmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

General requirements for compliance

Firewall
Intrusion Drevention Systems
Intrusion Prevention Systems
Dedicated IP addresses
PCI Cage

SSLv3 Vulnerability (Poodle)

According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.

A vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.

SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today.

Detection (Linux)

The following script can be run against the server in question. The command will return ‘SSL 3.0 enabled’ if vulnerable and ‘SSL 3.0 disabled’ if not.

_______________

#!/bin/bash
ret=$(echo Q | timeout 5 openssl s_client -connect “${1-`hostname`}:${2-443}” -ssl3 2> /dev/null)
if echo “${ret}” | grep -q ‘Protocol.*SSLv3’; then
if echo “${ret}” | grep -q ‘Cipher.*0000’; then
echo “SSL 3.0 disabled”
else
echo “SSL 3.0 enabled”
fi
else
echo “SSL disabled or other error”
fi
_______________

NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.
Resolution

To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, however it is strongly recommended against.

To mitigate this vulnerability as it affects httpd, set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:

Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.

Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
SSLProtocol All -SSLv2 -SSLv3

Option 2: Disable everything except TLSv1.x

On RHEL 7 or RHEL 6.6 and later:
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

On other platforms:
SSLProtocol -All +TLSv1

Then restart httpd:

# service httpd restart

Resources:
For Microsoft
https://technet.microsoft.com/en-us/library/security/3009008.aspx

https://www.openssl.org/~bodo/ssl-poodle.pdf
http://forums.cpanel.net/f185/sslv3-vulnerability-432641.html

http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
Tests
Test your web server for SSLv2
https://www.ssllabs.com/ssltest/index.html
What you are looking for is:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

For Nginx – there are other files to edit:


/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php
/usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php

Rebuild after any changes

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

Other Resources:

CPanel/WHM
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

http://www.cpanelkb.net/fix-poodle-sslv3-vulnerability/
http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
Plesk
http://kb.sp.parallels.com/en/123160

http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/
http://bobcares.com/blog/protecting-your-cpanel-whm-server-from-sslv3-poodle-vulnerability-guide-to-mitigate-cve-2014-3566-by-disabling-ssl-3-0-in-exim-apache-nginx-pure-ftp-proftpd-dovecot-and-courier-imap

Bash Code Injection Vulnerability (Shellshock)

Products Affected:

Product/Channel Fixed in package Remediation details
Red Hat Enterprise Linux 7 bash-4.2.45-5.el7_0.2 Red Hat Enterprise Linux
Red Hat Enterprise Linux 6 bash-4.1.2-15.el6_5.1 Red Hat Enterprise Linux
bash-4.1.2-15.el6_5.1.sjis.1 Red Hat Enterprise Linux
bash-4.1.2-9.el6_2.1 Red Hat Enterprise Linux 6.2 AUS
bash-4.1.2-15.el6_4.1 Red Hat Enterprise Linux 6.4 EUS
Red Hat Enterprise Linux 5 bash-3.2-33.el5.1 Red Hat Enterprise Linux
bash-3.2-33.el5_11.1.sjis.1 Red Hat Enterprise Linux
bash-3.2-24.el5_6.1 Red Hat Enterprise Linux 5.6 LL
bash-3.2-32.el5_9.2 Red Hat Enterprise Linux 5.9 EUS
Red Hat Enterprise Linux 4 bash-3.0-27.el4.2 Red Hat Enterprise Linux 4 ELS

 

Check the version:

[root@server]# rpm -qa | grep bash
bash-completion-1.3-7.el6.noarch
bash-4.1.2-15.el6_4.x86_64

Diagnostic Steps:

Exploit 1 (CVE-2014-6271)

There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you see “vulnerable” you need to update bash. Otherwise, you should be good to go.

Exploit 2 (CVE-2014-7169)

Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

env X='() { (shellshocker.net)=>' bash -c "echo date"; cat echo ; rm -f echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

Exploit 3 (???)

Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.

env -i X=' () { }; echo hello' bash -c 'date'

If the above command outputs “hello”, you are vulnerable.

Exploit 4 (CVE-2014-7186)

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

A vulnerable system will echo the text “CVE-2014-7186 vulnerable, redir_stack”.

Exploit 5 (CVE-2014-7187)

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

A vulnerable system will echo the text “CVE-2014-7187 vulnerable, word_lineno”.

Run update:

[root@server ~]# yum update bash
Loaded plugins: downloadonly, fastestmirror, priorities
Loading mirror speeds from cached hostfile
epel/metalink                                            |  16 kB     00:00
 * base: mirror.hmc.edu
 * epel: mirrors.solfo.com
 * extras: centos.sonn.com
 * updates: linux.mirrors.es.net
base                                                     | 3.7 kB     00:00
extras                                                   | 3.3 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 5.3 MB     00:00
81 packages excluded due to repository priority protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch            Version                   Repository        Size
================================================================================
Updating:
 bash          x86_64          4.1.2-15.el6_5.1          updates          905 k

Transaction Summary
================================================================================
Upgrade       1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm                         | 905 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : bash-4.1.2-15.el6_5.1.x86_64                                 1/2
  Cleanup    : bash-4.1.2-15.el6_4.x86_64                                                                                                                                                        2/2
  Verifying  : bash-4.1.2-15.el6_5.1.x86_64                                                                                                                                                      1/2
  Verifying  : bash-4.1.2-15.el6_4.x86_64                                                                                                                                                        2/2

Updated:
  bash.x86_64 0:4.1.2-15.el6_5.1

Complete!

[root@server ~]# rpm -qa | grep bash
bash-4.1.2-15.el6_5.1.x86_64
bash-completion-1.3-7.el6.noarch

Test after update:

[root@server ~]# env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

For Ubuntu Systems:

apt-get update; apt-get install --only-upgrade bash

For Arch Linux:

pacman -Sy bash

A reboot is not required after the update.

Resources:

https://access.redhat.com/articles/1200223

http://www.reuters.com/article/2014/09/24/us-cybersecurity-bash-idUSKCN0HJ2FQ20140924

http://seclists.org/oss-sec/2014/q3/685

http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained

How to Secure SSH with Google Authenticator’s Two-Factor Authentication

Source: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/

Also, for CentOS: http://www.tecmint.com/ssh-two-factor-authentication/

Want to secure your SSH server with easy-to-use two-factor authentication? Google provides the necessary software to integrate Google Authenticator’s time-based one-time password (TOTP) system with your SSH server. You’ll have to enter the code from your phone when you connect.

Root Compromised

Check the server if it is root compromised.

lsattr /usr/bin

Root compromised output. All of those files are set to immutable and append only. That’s what the “ia” you see is.

[root@mail ~]# lsattr /usr/bin
s---ia------- /usr/bin/bzcmp
s---ia------- /usr/bin/getkeycodes
s---ia------- /usr/bin/enc2xs
s---ia------- /usr/bin/mail-files
s---ia------- /usr/bin/chage
s---ia------- /usr/bin/mdeltree
s---ia------- /usr/bin/nslookup
s---ia------- /usr/bin/semodule_link
s---ia------- /usr/bin/mbchk
s---ia------- /usr/bin/rpcgen
s---ia------- /usr/bin/lkbib
s---ia------- /usr/bin/dig
s---ia------- /usr/bin/webazolver
s---ia------- /usr/bin/pstruct
s---ia------- /usr/bin/spfd
s---ia------- /usr/bin/linux64
s---ia------- /usr/bin/semodule_expand
s---ia------- /usr/bin/readlink
s---ia------- /usr/bin/as
s---ia------- /usr/bin/makedb
s---ia------- /usr/bin/seq
s---ia------- /usr/bin/id
s---ia------- /usr/bin/colcrt
s---ia------- /usr/bin/pod2man
s---ia------- /usr/bin/zipnote
s---ia------- /usr/bin/hcitool
s---ia------- /usr/bin/lftp
s---ia------- /usr/bin/run-with-aspell
s---ia------- /usr/bin/[
s---ia------- /usr/bin/perl
s---ia------- /usr/bin/mailstat
s---ia------- /usr/bin/ecryptfs-setup-swap
s---ia------- /usr/bin/lpstat.cups
s---ia------- /usr/bin/linux32
s---ia------- /usr/bin/ipcclean
s---ia------- /usr/bin/pkill
s---ia------- /usr/bin/mzip
s---ia------- /usr/bin/mcookie
s---ia------- /usr/bin/pm-restart
s---ia------- /usr/bin/rcp
s---ia------- /usr/bin/fgconsole

Non root compromised

[root@austin ~]# lsattr /usr/bin
-------------e- /usr/bin/pigz
-------------e- /usr/bin/isosize
-------------e- /usr/bin/php
-------------e- /usr/bin/system-config-firewall
-------------e- /usr/bin/ftpdctl
-------------e- /usr/bin/berkeley_db_svc
-------------e- /usr/bin/wftopfa
-------------e- /usr/bin/yum-builddep
-------------e- /usr/bin/tic
-------------e- /usr/bin/ptardiff

Other checks:

I would check the following:

Logs. If you have root access you should check things like history which will give you command history and log files in /var/logs.

Baseline. If you have a baseline like file hashes to work with for application and system files this will help a lot. You can also use backups to compare a previous state. If using a backup to compare files, use a slightly older one if you can. The site may have been compromised a while before and it is only now that the redirect has been activated.

Check any includes. The files may not be on your server. They may be script includes such as