 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 63
 Members: 0
 Total: 63
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Fri May 23, 2008 12:46 pm |
 |
|
| pexli |
| Valuable expert |
 |
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
 |
|
 |
|
In dir _vti_pvt have file service.pwd.inside in this file is stored your password hash.
to waraxe
Там Suhosin Extension и много чего сделать почти невозможно.Имхо надо искать по логам где хранятся backup's.В диров других юзеров наверно у него прав не будет.
Вот такое
drwxr-x--- 2 fakeuser nobody 4096 Dec 27 21:32 _vti_pvt
..немного дает надеждъй но наверно на файл service.pwd из nobody не будет прав на просмотр....етц,а если будет прав то сервак можно взять целиком. |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 1:00 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Yes, it is obvious, that server admin knows about security (hardened php, *bsd opsystem), so probably cross-neighbour attacks are hard to make happen. But this is just guess. Without comprehensive tests it's just speculation, there can be insecurities everywhere 
By the way, this server seems to be full of various users:
http://search.msn.com/results.aspx?q=ip%3A208.87.241.96&FORM=MSNH
 |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 3:19 pm |
|
|
| Snoop1990 |
| Advanced user |
 |
|
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
Ok about the service.pwd file there was something inside like:
| Code: |
# -FrontPage-
<username>:$3$bhS4wQs1$Jt6Hy/z.ril11CtvCTO299
|
I changed the information, cause as you mentioned it seems like it is my password  md5 .. but I do not use frontpage and I have not placed the files their ...
About the 4th snippet, I only get:
| Code: |
Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory
Parse error: syntax error, unexpected ';' in /home/<username>/public_html/work/4.php on line 13
|
I fixed the code and get:
| Code: | Failed loading /usr/local/IonCube/ioncube_loader_lin_5.2.so: /usr/local/IonCube/ioncube_loader_lin_5.2.so: cannot open shared object file: No such file or directory
-------------------------
/home/saduser
total 88
drwxr-xr-x 12 saduser saduser 4096 May 23 05:56 .
drwxr-xr-x 3 root root 4096 May 23 00:16 ..
-rw-r--r-- 1 saduser saduser 6148 May 23 03:17 .DS_Store
-rw-r----- 1 saduser saduser 4096 May 23 05:40 ._bash_profile
-rw------- 1 saduser saduser 423 May 23 07:05 .bash_history
-rw-r----- 1 saduser saduser 383 May 23 05:40 .bash_profile
-rw------- 1 saduser saduser 27 Mar 4 10:11 .contactemail
drwxr-xr-x 3 saduser saduser 4096 Jan 10 23:52 .cpaddons
drwxr-xr-x 5 saduser saduser 4096 Feb 3 00:56 .cpanel
-rw------- 1 saduser saduser 11 May 23 01:02 .ftpquota
dr--r--r-- 3 saduser saduser 4096 Jan 5 09:40 .htpasswds
-rw------- 1 saduser saduser 14 Feb 3 00:56 .lastlogin
-rw------- 1 saduser saduser 93 Jan 25 16:04 .mysql_history
drwx------ 2 saduser saduser 4096 Jan 1 04:49 .trash
lrwxrwxrwx 1 saduser saduser 31 Jan 12 07:28 access-logs -> /usr/local/apache/domlogs/saduser
-rw-r--r-- 1 saduser saduser 6 Feb 2 00:47 assp_cpanel_log
drwxr-xr-x 5 saduser saduser 4096 Apr 1 05:30 django
drwxr-xr-x 3 saduser saduser 4096 Jan 20 01:31 etc
drwxr-x--- 6 saduser mail 4096 Dec 28 00:31 mail
drwxr-xr-x 3 saduser saduser 4096 May 23 01:02 public_ftp
drwxr-x--- 14 saduser nobody 4096 May 23 03:12 public_html
drwxr-xr-x 7 saduser saduser 4096 Jan 25 15:46 tmp
lrwxrwxrwx 1 saduser saduser 11 Jan 12 07:28 www -> public_html
-------------------------
/home
total 12
drwxr-xr-x 3 root root 4096 May 23 00:16 .
drwxr-xr-x 13 root root 4096 May 23 00:16 ..
drwxr-xr-x 12 saduser saduser 4096 May 23 05:56 saduser
-------------------------
/
total 78
drwxr-xr-x 13 root root 4096 May 23 00:16 .
drwxr-xr-x 13 root root 4096 May 23 00:16 ..
drwxr-xr-x 2 root root 4096 May 22 18:48 bin
-rwxr-xr-x 1 root root 1320 May 23 08:06 checkvirtfs
drwxr-xr-x 11 root root 4160 May 22 23:34 dev
drwxr-xr-x 4 root root 4096 May 23 00:16 etc
drwxr-xr-x 3 root root 4096 May 23 00:16 home
drwxr-xr-x 11 root root 4096 May 23 01:15 lib
drwxr-xr-x 8 root root 4096 May 23 01:15 lib64
drwxr-xr-x 11 root root 4096 May 22 21:17 opt
dr-xr-xr-x 178 root root 0 May 22 23:33 proc
drwxrwxrwt 22 root root 17408 May 23 08:14 tmp
drwxr-xr-x 12 root root 4096 May 23 00:16 usr
drwxr-xr-x 7 root root 4096 May 23 00:16 var
-------------------------
array(7) {
["name"]=>
string(5) "saduser"
["passwd"]=>
string(1) "x"
["uid"]=>
int(43516)
["gid"]=>
int(43518)
["gecos"]=>
string(0) ""
["dir"]=>
string(11) "/home/saduser"
["shell"]=>
string(31) "/usr/local/cpanel/bin/jailshell"
}
-------------------------
|
again I changed my username
the .DS_Store files in here are created from my Mac, while accessing via FUSE.
That's it! about the large number of other users you have seen on the server, that is because it is a free hosting program.
Regrades Snoop1990 |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 3:37 pm |
|
|
| Snoop1990 |
| Advanced user |
|
|
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
But one more thing, can you please tell me what you are looking for ? Cause I would be very please to be able to do this php security check on my own. So if I switch to another host in future time I do not have to do it all again.
What I understand so far is:
phpinfo(); shows general information about the system, the version and the variables in php, but can you please tell me, which are potential security holes? Which variables have to be disabled ?
The second step was to check for /etc/master.passwd sure if this file is available you can easily get the password by testing the maximum length and if special characters are supported (there are not that much potential MD5s)
then you did some ls, mmh I do not understand this, what are you looking for ? or is it just a try to see if it is possible ?
then you check which directory we are in and then check posix and the globals. So here again, which are insecure ? which should be disabled ?
In the next snippet you check for even more files and again check something with posix ... please just tell me what you are looking for, please ! |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 7:18 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
It's too many questions for me, i can talk about this issues hours and hours ...
But one thing is clear - your current hosting is secure against cross-neighbour attacks. I mean: if someone hacks into the website, that is hosted on same server, and if attacker gets php code level and opsystem shell level access, then he/she is unable to leverage his presence to other websites. Or vice versa - you have there shell and php access, but you can't read other website's files, right?
Main reason fro such thoughts is bsd Jailing, used in that server. It's kind of sandboxing, and it's not easy to escape it. So this hosting is good from cross-user point of view.
Now that "master.passwd". If you could read it, then it's not fatal. It's not containing password hashes, only usernames, uids, gids and some other stuff. It's just usual test about opsystem files readability. Password hashes are in "master.shadow" file, which can be read only by root user. And those hashes are not usual md5, but >1000 times rehashed hashes. So cracking them is real pain in a$$ and good passes are uncrackable.
There is much more i wanted to talk here, but i'm to tired for today.
See ya |
|
|
|
|
|
|
|
|
| Posted: Fri May 23, 2008 7:28 pm |
|
|
| Snoop1990 |
| Advanced user |
|
|
| Joined: May 22, 2008 |
| Posts: 65 |
|
|
|
|
|
|
|
Thank you for your response that far. If you find some time I would be very pleased if you can teach me something more about security and such things. It is a really interesting topic and I wanted to learn all time, but I did known where to start. Now I found your forum and I am really happy about it. But as I said in another topic I do not want to be one of those script kids who just copy paste code. I want to understand what I am doing and how to prevent myself and others from being hacked. And I think you are the kind of guy who knows a lot about all these so I would be very pleas to learn some of your tricks.
Regrades Snoop1990 |
|
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 2 of 2
Goto page Previous1, 2
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
