Posts Tagged Apache

Apache.org: What didn’t work?

Following the Apache Software Foundation web incident, in which the website went offline on Monday, a presentation has been published to clarify the cause of the incident and the measures that have been taken. Providing these details can help others learn from the mistakes and be ready for any attack.

According to the analysis, the main cause of this attack was a vulnerability in SSH key management. The story started when the server hosting the apachecon.com website (dv35.apachecon.com), which was running CentOS, was compromised. The attackers fully compromised this machine, including gaining root privileges, and destroyed most of the logs, making it difficult for administrators to confirm the details of everything that happened on the machine.

Once the attackers had gained shell access, they added CGI scripts to the document root folders of several Apache Software Foundation websites. A regular, scheduled rsync process copied these scripts to the production web server, eos.apache.org, where they became externally visible. The CGI scripts were used to obtain remote shells, with information sent using HTTP POST commands.

After this attack, administrators created a new SSH key with a key length of at least 4096 bits, enforced the use of the from="" and command="" strings in the authorized keys file on the destination backup server, and are looking at disabling CGI support on most website systems.
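As an added illustration (not code from the original post or from the Apache Software Foundation), the following Python audits authorized_keys entries for the three measures named above: a from= restriction, a forced command=, and an RSA modulus of at least 4096 bits. The sample entries, the address 192.0.2.10 and the rsync command are constructed placeholders.

```python
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
MIN_RSA_BITS = 4096  # minimum length the post says was adopted

def split_unquoted(text, seps, maxsplit=-1):
    """Split on any character in seps that sits outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":
            quoted = not quoted
        if ch in seps and not quoted and maxsplit != 0:
            parts.append(cur)
            cur, maxsplit = "", maxsplit - 1
        else:
            cur += ch
    return parts + [cur]

def rsa_bits(blob_b64):
    """Modulus size of an ssh-rsa blob: string type, mpint e, mpint n."""
    blob, fields = base64.b64decode(blob_b64), []
    while blob:
        (length,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + length])
        blob = blob[4 + length:]
    return int.from_bytes(fields[2], "big").bit_length()

def audit(line):
    """Findings for one authorized_keys entry; an empty list means it passes."""
    options, rest = "", line.strip()
    if not rest.startswith(KEY_TYPES):  # entry begins with an options field
        options, rest = split_unquoted(rest, " \t", 1)
    names = {o.split("=", 1)[0].lower() for o in split_unquoted(options, ",")}
    findings = [f"missing {o}=" for o in ("from", "command") if o not in names]
    keytype, blob = rest.split()[:2]
    if keytype == "ssh-rsa" and rsa_bits(blob) < MIN_RSA_BITS:
        findings.append(f"RSA key is {rsa_bits(blob)} bits, below {MIN_RSA_BITS}")
    return findings

def constructed_blob(bits):
    """Constructed sample, not a usable key: blob with a bits-bit modulus."""
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    fields = (b"ssh-rsa", b"\x01\x00\x01", n)
    return base64.b64encode(b"".join(struct.pack(">I", len(f)) + f for f in fields)).decode()

# Constructed entries; the address and forced command are placeholders.
WEAK = f"ssh-rsa {constructed_blob(1024)} backup@example"
HARDENED = ('from="192.0.2.10",command="rsync --server --sender . /backup/" '
            f"ssh-rsa {constructed_blob(4096)} backup@example")
```

Calling audit() on each non-comment line of a backup account's authorized_keys file lists which of the three measures an entry is missing.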

This shows the importance of capturing logs and how much they matter for spotting potential security issues. There are many approaches to log management: for example, if you have a big network with various systems, you would do better to focus on a good correlation engine. If you are a small company with a small network infrastructure, then it is better to focus on forensic capabilities so you can track down violations and recover your losses in a court of law. It's up to you to decide what the focus will be.


Apache Website Owned!

The Apache Software Foundation website was down last Friday after hackers compromised an SSH key to one of its main servers.

Secure Shell is a very popular technology that provides secure remote administration of servers. If the hackers had managed to plant a rootkit or Trojan in the download packages on the Apache website, this could have caused great damage to a huge number of websites, especially since, according to the latest stats from Netcraft, more than half of all web servers worldwide are running Apache.

On Friday the Apache Software Foundation published an official note, as follows:

On August 27th, starting at about 18:00 UTC an account used for automated backups for the ApacheCon website hosted on a 3rd party hosting provider was used to upload files to minotaur.apache.org. The account was accessed using SSH key authentication from this host.

To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.

While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided.

Here you can find the screenshot posted by the Trend Micro blog. The identity of the attackers and the reason for this attack have not been discovered yet, but sharing information about the incident is a very good step and can help build solid trust in the Apache Software Foundation.


VMware Hosted products update libpng and Apache HTTP Server

VMware has released a new security advisory, VMSA-2009-0010. The advisory contains updates for VMware Workstation, VMware Player and VMware ACE, and pending updates for VMware Server 1.X and 2.X.

According to the advisory description, flaws were discovered in the way the third-party library libpng handled uninitialized pointers. An attacker could create a PNG image file in such a way that, when loaded by an application linked to libpng, it could cause the application to crash or execute arbitrary code at the privilege level of the user running the application. The new version of ACE updates the Apache HTTP Server on Windows hosts to version 2.0.63, which addresses multiple security issues that existed in previous versions of this server.

So it’s time to apply any necessary updates or workarounds to help mitigate the risks.


HTTP DoS-attack tool on Apache web server

Robert Hansen, a guru in the field of security, has released a new tool for DoS attacks that exposes serious vulnerabilities in web servers, including Apache and other servers.

Hansen called his tool Slowloris. The most interesting thing about this utility is that it can cause a DoS without using the huge amount of traffic we usually see with other DoS tools.

According to Hansen, typically 1000 machines are required to take down a web server by bombarding the site with traffic, but that is not the case for Slowloris: it takes up all the available connections on the server by sending unlimited HTTP requests without closing those connections, which leaves Apache waiting too long for the response. Apache web servers do have a limit on the number of threads, which can be used to deplete the memory and cause defacement.

This vulnerability concerns Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, and Squid, but does not affect IIS6, IIS7 and lighttpd, because these systems deal with the number of open connections.
The tool is available for free at http://ha.ckers.org/slowloris/, but it is important to note that the attack will not work against large web sites with load-balancing mechanisms :-) so just try it locally; it should be used for educational purposes only.
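From the defender's side, the behaviour described above (connections that are opened and then held rather than closed) shows up as one client owning many long-lived connections to the web port. The following added example, which is not from the original post or from Hansen's tool, compares two `ss -tn` snapshots and reports client IPs whose held connections exceed a threshold; the snapshot contents, the addresses and the threshold of 20 are constructed assumptions.

```python
from collections import Counter

def web_peers(ss_output, port="80"):
    """Set of peer 'ip:port' strings with an ESTAB connection to local port."""
    peers = set()
    for line in ss_output.splitlines():
        cols = line.split()
        # Columns of `ss -tn`: State Recv-Q Send-Q Local:Port Peer:Port
        if len(cols) >= 5 and cols[0] == "ESTAB" and cols[3].rsplit(":", 1)[-1] == port:
            peers.add(cols[4])
    return peers

def lingering_clients(first, second, port="80", threshold=20):
    """Client IPs holding more than threshold connections seen in both snapshots."""
    held = web_peers(first, port) & web_peers(second, port)
    per_ip = Counter(peer.rsplit(":", 1)[0] for peer in held)
    return {ip: count for ip, count in per_ip.items() if count > threshold}

def constructed_snapshot(held_ports, other_peers):
    """Constructed `ss -tn` output: one client holding many ports, plus others."""
    rows = ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
    rows += [f"ESTAB 0 0 198.51.100.5:80 203.0.113.7:{p}" for p in held_ports]
    rows += [f"ESTAB 0 0 198.51.100.5:80 {peer}" for peer in other_peers]
    return "\n".join(rows)

# Two constructed snapshots taken some time apart: ordinary clients come and go
# (new source ports), while 203.0.113.7 keeps the same 30 connections open.
SNAP_T0 = constructed_snapshot(range(40000, 40030),
                               ["192.0.2.21:51000", "192.0.2.22:51001"])
SNAP_T1 = constructed_snapshot(range(40000, 40030),
                               ["192.0.2.21:51044", "192.0.2.23:51002"])

if __name__ == "__main__":
    print(lingering_clients(SNAP_T0, SNAP_T1))
```

Keep-alive connections also persist between snapshots, so the threshold has to sit above what a normal browser or proxy holds open.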
