Archive for the ‘Security’ Category

Exploited VPS? phpmyadmin?

Thursday, August 19th, 2010 by Liz Quilty

Currently we are being inundated with scans and exploits looking for new machines to take over; most of these are using insecure phpMyAdmin installs.

If you are unsure whether your box has been hacked, the things to look for are similar to this…

(more…)

Old versions of PHPMyAdmin and Automated Scanning

Monday, August 9th, 2010 by Liz Quilty

It has come to our attention that we have had a decent number of alerts about machines scanning on our networks in the last day. All of them have been running hacks from /tmp, named things like /tmp/dd_ssh. These files are owned and run by the apache user, and on further investigation they were all put there through an old PHPMyAdmin install.

If you run something like PHPMyAdmin then this is the time to upgrade it. If you get stuck or are unsure in any way then we are happy to help out.

It always pays to keep your system up to date to prevent excessive traffic or downtime.

WordPress Mass Upgrade Script 3.0.1

Monday, August 2nd, 2010 by Liz Quilty

This script will search /var/www (changeable in a variable) for any WordPress installs and make sure each one is upgraded to the latest version.
It will run a backup of all files and the database to /root/wp_upgrade/ before doing anything with the site, in case of major catastrophe.
It pays to check each site after the upgrade to make sure all the plugins still work (upgrading plugins before the WordPress upgrade works too!).

Let me know if you have any bugs at all, or any problems.

Here’s your script to upgrade them all.

wget http://b.ri.mu/files/wordpress-upgrade-3.0.1.sh 
sh wordpress-upgrade-3.0.1.sh

WordPress & WordPress MU mass upgrade script 3.0

Wednesday, June 23rd, 2010 by Liz Quilty

Sorry for the slower than usual update this time. I was rather busy/sidetracked and left it for a day or two before doing it. Since it wasn’t an exploit-fix release I figured it wasn’t major.

Anyway, here goes the new WordPress mass upgrade script. I no longer have a WordPress MU available to test on; it should technically work, but let me know if there are any problems at all with it.
(more…)

Easy Peasy Linux Firewalling – iptables

Tuesday, March 16th, 2010 by Liz Quilty

A lot of our customers have asked for firewalls, and since this is a common theme, I decided that I would help them out. Of course it can be a mission to learn how to make your own and what to do or not do, and some of the pre-made ones can be confusing.

So I decided to simplify it a little for you all by writing a firewall script. I originally took a script made by somebody else, then totally modified it to suit myself, then modified it again to suit any machine. You *should* be able to literally drop this in place on any server and have it *just work*.

All you need to do is edit the top couple of lines to set which ports you want open or closed, and edit the other options (i.e. the ssh port, etc.). Full instructions as follows…

(more…)

WordPress & WordPress MU mass upgrade script 2.9.2

Tuesday, February 16th, 2010 by Liz Quilty

Okay, I have rolled the usual ‘upgrade all instances of WordPress’ script.

In this version I finally got around to checking the file ownership prior to updating and changing it back to that owner afterwards. Before, this was breaking things and could be rather annoying if you had more than 5 sites to fix permissions on.

Also, I added a database check to make sure your schema is the latest version; if not, it will display the upgrade.php link, which will do it for you (before, it just showed that link regardless).

Let me know if you have any bugs at all, or any problems.

Here’s your script to upgrade them all.
wget http://b.ri.mu/files/wordpress-upgrade-2.9.2.sh ; sh wordpress-upgrade-2.9.2.sh

Because the previous WordPress MU version has one less number (it shows up as 2.8.5 rather than 2.9.1.1), you may notice that it says
You have version 2.8.5’; located at /path/etc

Just ignore it; it’s not going to matter. So long as the version isn’t current, it needs to be upgraded :)

What’s using all my disk space up?

Thursday, February 4th, 2010 by Liz Quilty

Often we get asked by customers ‘What is using up all my disk space on my VPS?’ Usually we track it down to log files not being rotated, email, etc.

Here are a few of the commands we use to do that.

(more…)

Keeping Tabs on Successful Logins

Thursday, December 17th, 2009 by davidmace

There are a number of things that any sysadmin should be doing (or is already doing) to keep tabs on the systems they manage. One of the things that I do which is quite simple (read: quick and dirty) is having my server send me a message any time a user logs into the server. I just pop the following line at the top of /etc/profile to do that:

echo "`whoami` logged in at `date`" | mail -s "`hostname` login" youraddress@example.com

The resulting message would look like this:

root logged in at Wed Dec 16 16:39:37 UTC 2009

It’s not fancy or sophisticated by any stretch of the imagination. Moving your ssh port, limiting access to that port via your packet filter, and disabling interactive authentication are among the options to tighten up ssh access so that it doesn’t happen in the first place… but what if? :)

My systems do not see very many interactive logins (and they had better be me), so the resulting emails are not a burden on my inbox. But if somebody did manage to get a shell on my server, I should see an email giving me a heads u
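As an added example (not the post's own one-liner), here is the same alert written as shell functions so the message can also carry where the session came from and be checked offline; it assumes the SSH_CONNECTION variable that sshd exports, and uses mail and logger for delivery. Since /etc/profile is only read by login shells, this covers interactive logins; the auth log remains the authoritative record.

```shell
#!/bin/sh
# Added example, not the original post's line. The alert text is built by
# functions so the origin of the session can be included and the output can
# be tested; sending still uses mail(1), plus logger(1) for a syslog copy.

# $1 is the value of SSH_CONNECTION, which sshd sets to
# "client-ip client-port server-ip server-port"; console and su logins leave
# it empty. Prints the client address, or "local" when there is none.
login_origin() {
    set -- $1
    if [ $# -ge 1 ]; then
        printf '%s\n' "$1"
    else
        printf 'local\n'
    fi
}

# $1 user, $2 host, $3 origin, $4 date string: the body of the alert.
login_notice() {
    printf '%s logged in to %s from %s at %s\n' "$1" "$2" "$3" "$4"
}

# Put 'notify_login you@example.com' at the top of /etc/profile. The subject
# matches the original one-liner; the body gains the source address, and a
# copy goes to syslog (auth facility) where remote log shipping can see it.
notify_login() {
    origin=$(login_origin "${SSH_CONNECTION:-}")
    msg=$(login_notice "$(whoami)" "$(hostname)" "$origin" "$(date)")
    printf '%s\n' "$msg" | mail -s "$(hostname) login" "$1"
    logger -p auth.notice -t login-notice "$msg"
}
```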

Quick and easy iptables blocking and firewalling basics

Friday, December 4th, 2009 by Liz Quilty

A customer who emailed in today had noticed somebody trying to hack or crash his VPS. He tracked it down to one particular IP address but didn’t know how to block it.

There are several things you can do to block it; the long-term solution and better option is probably using a firewall like iptables.

To block a single IP address with iptables you run the following:

iptables -A INPUT -s offendingip -j DROP

This simply drops all packets from that source IP address. The rule will not be saved at all when you reboot, so to keep it you can run the following command:

iptables-save >/etc/iptables-save

This saves all your rules into that file; now you just need a way of importing those rules, which would be as follows:

iptables-restore < /etc/iptables-save

By adding this to your network-up scripts, the rules will be imported automatically on every reboot when your network comes up.

Under RHEL/CentOS you can use the following commands.
To save the rules to the /etc/sysconfig/iptables file:

# /etc/init.d/iptables save

To restore the rules from the /etc/sysconfig/iptables file:

# /etc/init.d/iptables start

If you are using Debian Linux, open /etc/network/interfaces:

# vi /etc/network/interfaces

Append the line to the eth0 section:

post-up iptables-restore < /etc/iptables-save
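As an added example (not from the post), here are small shell helpers around the single-IP block above: one validates the address before it is spliced into a rule, one checks a saved ruleset in the iptables-save format for an existing DROP, and one prints the command to run. It goes one step beyond the post by using -I rather than -A, so the DROP lands at the top of INPUT ahead of any earlier ACCEPT rule; the ruleset text is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Works on the iptables-save text
# format rather than the live kernel tables, so it can be tested offline.

# Constructed sample of what 'iptables-save > /etc/iptables-save' writes.
SAMPLE_RULES='# Generated by iptables-save v1.4.8
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if saved ruleset $2 already drops source $1 (iptables-save writes
# a single host as a /32).
already_blocked() {
    printf '%s\n' "$2" | grep -q -- "^-A INPUT -s $1/32 -j DROP$"
}

# Print the command to run for $1. -I inserts at the top of INPUT so an
# earlier ACCEPT (e.g. for port 22) cannot let the host through first.
block_command() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}
```

After running the printed command, re-run iptables-save so the new rule is in the file that gets restored at boot.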

As always, if you get stuck at all, just drop us an email at support, we are only too happy to help out.

apache modules to help keep your system steady

Monday, November 23rd, 2009 by Liz Quilty

libapache2-mod-bw – bandwidth limiting module

This module allows you to limit bandwidth usage on every virtual host or directory or to restrict the number of simultaneous connections.

The bandwidth control, for example, can be configured according to criteria such as the origin of the connection, file extension, file size or the client’s user agent.
Example:

LoadModule bw_module /usr/lib/apache2/modules/mod_bw.so
BandWidthModule On
BandWidth all 40000
MinBandWidth all 10000
ForceBandWidthModule On

libapache2-mod-defensible – module for Apache2 which provides DNSBL usage

mod_defensible implements usage of DNSBL servers to block access to a Web site or to specific locations.

Example:

DnsblUse On
DnsblServers httpbl.abuse.ch sbl-xbl.spamhaus.org
DnsblNameserver 145.253.2.75

libapache2-mod-evasive – evasive module to minimize HTTP DoS or brute force attacks

mod_evasive is an evasive maneuvers module for Apache to provide some protection in the event of an HTTP DoS or DDoS attack or brute force attack.

It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, etc.

Example:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>

It also comes with a perl script to test it.

vps:/etc/apache2/mods-available# perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
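To show why the test output above has exactly six 200s before the 403s with DOSPageCount 5 and DOSPageInterval 1, here is an added example (not the module's own code, nor part of the post): an awk model of mod_evasive's per-page check run over a constructed request trace. It assumes the order the module uses, namely that a new entry starts with count 0 and the threshold is checked before the count is incremented, and it leaves out the site-wide counter and the module's hashing.

```shell
#!/bin/sh
# Added example, not from the original post or from mod_evasive itself:
# a model of the per-page threshold logic, run over a constructed trace.

# Constructed trace: "<unix-time> <client-ip> <uri>", one page hit repeatedly
# from one address, then a different client, then the first one again after
# the blocking period has passed.
TRACE='100 203.0.113.5 /
100 203.0.113.5 /
100 203.0.113.5 /
100 203.0.113.5 /
100 203.0.113.5 /
100 203.0.113.5 /
100 203.0.113.5 /
100 203.0.113.5 /
100 198.51.100.7 /
800 203.0.113.5 /'

# Prints one status per request. $1 DOSPageCount, $2 DOSPageInterval,
# $3 DOSBlockingPeriod; trace on stdin.
evasive_model() {
    awk -v page_count="$1" -v page_interval="$2" -v block_period="$3" '
    {
        t = $1; ip = $2; key = ip "_" $3
        # already blocked and still inside the blocking period: 403, and the
        # block timestamp is refreshed, so hammering keeps the block alive
        if (ip in blocked && t - blocked[ip] < block_period) {
            blocked[ip] = t; print "403"; next
        }
        if (key in count) {
            # threshold is tested before the increment, which is why
            # DOSPageCount 5 lets six hits through and denies the seventh
            if (t - seen[key] < page_interval && count[key] >= page_count) {
                blocked[ip] = t; print "403"; next
            }
            if (t - seen[key] >= page_interval) count[key] = 0
            seen[key] = t; count[key]++
        } else {
            seen[key] = t; count[key] = 0   # first hit creates the entry at 0
        }
        print "200"
    }'
}

# Collapse the per-line output to one string for easy checking.
run_model() { printf '%s\n' "$TRACE" | evasive_model 5 1 600 | tr '\n' ' ' | sed 's/ $//'; }
```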

libapache2-mod-line-edit – search-and-replace line editor module for apache 2

mod_line_edit is a general-purpose apache 2 filter for text documents. It operates as a simple on-the-fly line editor, applying search-and-replace rules defined in a configuration or .htaccess file. Both simple text and regular expression search and replace are supported.

Example:

SetOutputFilter line-editor
SetEnv LineEdit "text/plain;text/css;text/html"
LELineEnd ANY
LERewriteRule https?://(www\.)?example\.com http://example-development.yoursite.co.nz Ri

Throw something like that into your configuration or .htaccess file and you have instantly fixed all those problem URLs on your development system, without touching the source files at all.
This is also handy to stop people who are exploiting various holes in web applications from inserting javascript redirects and the like.

Please note: the module names above are the Debian/Ubuntu package names. CentOS or RedHat based distros may use another name for the same modules. If you need any of these installed, just drop an email into the support box and let us know.