Hacked again, tired of b2evolution

 
blackcat22

(Msg. 16) Posted: Thu Feb 07, 2008 9:04 pm
Post subject: Re: Hacked again, tired of b2evolution
Archived from groups: alt>www>webmaster

Dave wrote:

: I would describe that as being "above the web root." The OP described
: a situation where files were placed above her account's home directory.
:
: for example:
: if the server directories are
: /
: /home/username
: /home/username/www <-- web root for username
: /var
: /etc
: /tmp
:
: a user shouldn't be able to write data above /home/username
:
: I would even say that /tmp should be mounted 'noexec' that way if
: somebody does manage to write something there, they can't run any
: commands/scripts from there.

You are right Dave. It is above my web root. I tried to find it so I could
remove the files and I looked in my tmp but they said it wasn't in there.
It was above my account and inaccessible to me.

Heidi

jstucklex

(Msg. 17) Posted: Thu Feb 07, 2008 9:04 pm

Dave wrote:
> Jerry Stuckle wrote:
>> Dave wrote:
>>> Heidi wrote:
>>>> Els wrote:
>>>> : Heidi wrote:
>>>> :
>>>> Some spamming files were placed in a /tmp folder that was above my
>>>> account
>>>> and used to send spam out.
>>> A truly secure host would not allow a user to write to any directory
>>> "above
>>> their account."
>>>
>> Untrue. It is the best place to put files you don't want directly
>> accessible from the web.
>>
>
> I would describe that as being "above the web root." The OP described a
> situation where files were placed above her account's home directory.
>

Which may be the same thing.

> for example:
> if the server directories are
> /
> /home/username
> /home/username/www <-- web root for username
> /var
> /etc
> /tmp
>
> a user shouldn't be able to write data above /home/username
>

/tmp is always writable by anyone. But I'm not sure she didn't mean
/home/username/tmp. That part wasn't clear.

> I would even say that /tmp should be mounted 'noexec' that way if somebody
> does manage to write something there, they can't run any commands/scripts
> from there.
>

Possibly. But noexec doesn't affect scripts or commands. Only executables.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex DeleteThis @attglobal.net
==================

Dave

(Msg. 18) Posted: Fri Feb 08, 2008 2:05 pm

Jerry Stuckle wrote:
> Dave wrote:
>> Jerry Stuckle wrote:
>>> Dave wrote:
>>>> Heidi wrote:
>>>>> Els wrote:
>>>>> : Heidi wrote:
>>>>> :
>>>>> Some spamming files were placed in a /tmp folder that was above my
>>>>> account
>>>>> and used to send spam out.
>>>> A truly secure host would not allow a user to write to any directory
>>>> "above
>>>> their account."
>>>>
>>> Untrue. It is the best place to put files you don't want directly
>>> accessible from the web.
>>>
>>
>> I would describe that as being "above the web root." The OP described a
>> situation where files were placed above her account's home directory.
>>
>
> Which may be the same thing.
>
>> for example:
>> if the server directories are
>> /
>> /home/username
>> /home/username/www <-- web root for username
>> /var
>> /etc
>> /tmp
>>
>> a user shouldn't be able to write data above /home/username
>>
>
> /tmp is always writable by anyone. But I'm not sure she didn't mean
> /home/username/tmp. That part wasn't clear.
>
>> I would even say that /tmp should be mounted 'noexec' that way if
>> somebody
>> does manage to write something there, they can't run any commands/scripts
>> from there.
>>
>
> Possibly. But noexec doesn't affect scripts or commands. Only
> executables.
>
A script that isn't executable is nothing more than plain text. Commands
are nothing more than executable programs that ship with an OS. If you
can't execute them, they don't /do/ anything.

--
Dave

John Bokma

(Msg. 19) Posted: Fri Feb 08, 2008 2:05 pm

Dave <kontos.RemoveThis@myway.com> wrote:

> A script that isn't executable is nothing more than plain text.
> Commands are nothing more than executable programs that ship with an
> OS. If you can't execute them, they don't /do/ anything.

For clarity: if you make a Perl program non-executable (i.e. turn it into
a plain text file) you *still* can execute it by providing it as a
parameter to the perl program. E.g.

perl script.pl

I am sure you two know this, but I just wanted to add it for clarity.
Anyway, this means that it's possible to store a script (language doesn't
matter) in /tmp and that one can execute it if one can feed the script to
the interpreter for the language the script is written in.

If there is somewhere a CGI script that does something (stupid) like
(assuming Perl):

system( "somecommand $ENV{ QUERY_STRING }" );

one can execute a program stored in /tmp .

It wouldn't amaze me if this has been exploited in the real world. Not
implying that this is the case here though.

--
John Bokma http://johnbokma.com/
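
A defender-side check for the pattern in the post above, added here as an example and not part of the original post: it flags Perl lines where $ENV{...} is interpolated into a string that Perl hands to the shell through system, exec or backticks. The sample CGI source and the function names are constructed for illustration, and the match is a line-based heuristic.

```shell
#!/bin/sh
# Added example, not from the thread. Heuristic, line-based source check.

# flag_shell_interp FILE
# Prints, comma-separated, the line numbers in Perl source FILE where
# $ENV{...} is interpolated into:
#   - a double-quoted string given as first argument to system or exec
#   - a backtick command
# Anything after a '#' on a line is treated as a comment and ignored.
flag_shell_interp() {
    grep -nE '^[^#]*((system|exec)[[:space:]]*\(?[[:space:]]*"[^"]*|`[^`]*)\$ENV[[:space:]]*\{' "$1" |
        cut -d: -f1 | paste -s -d, -
}

# Constructed sample CGI source; line 2 is the call quoted in the post.
sample_cgi() {
    cat <<'EOF'
#!/usr/bin/perl
system( "somecommand $ENV{ QUERY_STRING }" );   # pattern quoted in the post
# system( "oldcommand $ENV{QUERY_STRING}" );
system( "somecommand", $ENV{QUERY_STRING} );    # list form: no shell involved
my $out = `lookup $ENV{QUERY_STRING}`;
exec "report $ENV{PATH_INFO}";
EOF
}

src=$(mktemp)
sample_cgi > "$src"
echo "lines to review: $(flag_shell_interp "$src")"
rm -f "$src"
```

Line 4 of the sample is not flagged because the list form of system passes its arguments directly to the program without a shell.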

jstucklex

(Msg. 20) Posted: Fri Feb 08, 2008 3:42 pm

Dave wrote:
> Jerry Stuckle wrote:
>> Dave wrote:
>>> Jerry Stuckle wrote:
>>>> Dave wrote:
>>>>> Heidi wrote:
>>>>>> Els wrote:
>>>>>> : Heidi wrote:
>>>>>> :
>>>>>> Some spamming files were placed in a /tmp folder that was above my
>>>>>> account
>>>>>> and used to send spam out.
>>>>> A truly secure host would not allow a user to write to any directory
>>>>> "above
>>>>> their account."
>>>>>
>>>> Untrue. It is the best place to put files you don't want directly
>>>> accessible from the web.
>>>>
>>> I would describe that as being "above the web root." The OP described a
>>> situation where files were placed above her account's home directory.
>>>
>> Which may be the same thing.
>>
>>> for example:
>>> if the server directories are
>>> /
>>> /home/username
>>> /home/username/www <-- web root for username
>>> /var
>>> /etc
>>> /tmp
>>>
>>> a user shouldn't be able to write data above /home/username
>>>
>> /tmp is always writable by anyone. But I'm not sure she didn't mean
>> /home/username/tmp. That part wasn't clear.
>>
>>> I would even say that /tmp should be mounted 'noexec' that way if
>>> somebody
>>> does manage to write something there, they can't run any commands/scripts
>>> from there.
>>>
>> Possibly. But noexec doesn't affect scripts or commands. Only
>> executables.
>>
> A script that isn't executable is nothing more than plain text. Commands
> are nothing more than executable programs that ship with an OS. If you
> can't execute them, they don't /do/ anything.
>

What you don't get is that scripts are not executable. The executable
is the interpreter running it.

For instance, PHP scripts are not marked executable. However, the php
interpreter is.

The same is true with shell scripts. They are not executed - but the
shell program is. Leave the executable bit off the shell program and
you have major problems.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.TakeThisOut@attglobal.net
==================

dingbat

(Msg. 21) Posted: Fri Feb 08, 2008 5:41 pm

On 8 Feb, 20:42, Jerry Stuckle <jstuck... RemoveThis @attglobal.net> wrote:

> What you don't get is that scripts are not executable. The executable
> is the interpreter running it.

> The same is true with shell scripts. They are not executed - but the
> shell program is.

Take some time off from your years of mainframe experience and find a
beginner's guide to Unix shells.

1001 Webs

(Msg. 22) Posted: Fri Feb 08, 2008 7:09 pm

On Feb 7, 2:27 pm, Chaddy2222 <spamlovermailbox-sicur... DeleteThis @yahoo.com.au>
wrote:
> On Feb 8, 12:05 am, "Heidi" <blackc... DeleteThis @gmail.com> wrote:
>
>
>
> > Els wrote:
> > : Heidi wrote:
>
> > :
> > :: any better blog scripts out there that don't get hacked by spammers?
> > :
> > : Do you mean spammers getting past your captcha and posting spam
> > : comments, or really your blog itself being hacked?
>
> > No my hosting account/domain was hacked because of the blog script according
> > to the host.
> > Some spamming files were placed in a /tmp folder that was above my account
> > and used to send spam out.
> > The host says the problem is a security hole in the b2evolution script.
>
> > It happened already on one domain which I am trying to fix without
> > success... Now another has gone down for the same reason
> > and my host suspended it ... wish they had told me though.
>
> > The bloom is coming off the rose fast...
>
> > Heidi
>
> Heidi.
> Might I suggest that you move hosts *or better yet install Wordpress
> and use that to blog with.

I second the WordPress advice,
Constantly updated and securely patched.
But you can never be 100% secure, that's a fact of Internet Life ...

Drupal is overkill if you just want Blogging and the learning curve
has made many quit prematurely ...

Baho Utot

(Msg. 23) Posted: Fri Feb 08, 2008 7:48 pm

Jerry Stuckle wrote:

[putolin]

>
> What you don't get is that scripts are not executable. The executable
> is the interpreter running it.

Depends on interpretation

>
> For instance, PHP scripts are not marked executable. However, the php
> interpreter is.
>
> The same is true with shell scripts. They are not executed - but the
> shell program is. Leave the executable bit off the shell program and
> you have major problems.
>

Not really, you can use .

example follows

$ pwd
/media/pkg

$ mount
/dev/sda11 on /media/pkg type ext3 (rw,noexec,nodev,noatime,nosuid)

$ cat myscript

#!/bin/bash
echo "Hello World"

Ok watch closely Jerry.......

$ ./myscript
bash: ./myscript: Permission denied

$ . myscript
Hello World

Go ahead and try it yourself.

--
Dancin in the ruins tonight
Tayo'y Mga Pinoy
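
The behaviour argued over in the posts above (John Bokma's perl script.pl and the ./myscript versus . myscript session), as an added example that is not part of any post: it reports which of noexec, nosuid and nodev a mount point lacks, and shows that a file which cannot be executed directly still runs when handed to an interpreter. Assumptions: a cleared execute bit stands in for a noexec mount so no root is needed, the /tmp entry is constructed, and the /media/pkg entry restates the options from the session in /proc/mounts layout.

```shell
#!/bin/sh
# Added example, not from the thread. Sample mount entries are constructed.

# missing_opts MOUNTS_FILE MOUNTPOINT
# Reads a /proc/mounts-format file and prints which of noexec,nosuid,nodev
# MOUNTPOINT lacks ("none" if all are set, "unmounted" if it has no entry).
missing_opts() {
    awk -v mp="$2" '
        $2 == mp { opts = "," $4 ","; found = 1 }   # last entry wins
        END {
            if (!found) { print "unmounted"; exit }
            n = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (index(opts, "," want[i] ",") == 0)
                    out = out (out == "" ? "" : ",") want[i]
            print (out == "" ? "none" : out)
        }' "$1"
}

# run_modes DIR
# Creates a script in DIR with the execute bit cleared (direct execution then
# fails with EACCES, the same error a noexec mount returns) and prints the exit
# status of: direct execution, passing it to sh, sourcing it with ".".
# The script body exits 7, so a 7 proves the body actually ran.
run_modes() {
    f="$1/demo_script"
    printf '#!/bin/sh\nexit 7\n' > "$f"
    chmod 644 "$f"
    ( "$f" ) 2>/dev/null && direct=0  || direct=$?
    sh "$f"              && interp=0  || interp=$?
    ( . "$f" )           && sourced=0 || sourced=$?
    echo "$direct $interp $sourced"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/mounts" <<'EOF'
/dev/sda2 /tmp ext3 rw,nosuid 0 0
/dev/sda11 /media/pkg ext3 rw,noexec,nodev,noatime,nosuid 0 0
EOF
for mp in /tmp /var/tmp /media/pkg; do
    echo "$mp missing: $(missing_opts "$work/mounts" "$mp")"
done
echo "direct / interpreter / sourced: $(run_modes "$work")"
```

On a real host, pass /proc/mounts as the first argument to missing_opts.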

gburnore

(Msg. 24) Posted: Fri Feb 08, 2008 8:58 pm

jstucklex

(Msg. 25) Posted: Fri Feb 08, 2008 10:15 pm

Andy Dingley wrote:
> On 8 Feb, 20:42, Jerry Stuckle <jstuck....RemoveThis@attglobal.net> wrote:
>
>> What you don't get is that scripts are not executable. The executable
>> is the interpreter running it.
>
>> The same is true with shell scripts. They are not executed - but the
>> shell program is.
>
> Take some time off from your years of mainframe experience and find a
> beginner's guide to Unix shells.
>

You should learn what you're talking about, Andy. I've been doing Unix
shells for nigh on to 18 years now.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex.RemoveThis@attglobal.net
==================

sjsobol

(Msg. 26) Posted: Sat Feb 09, 2008 4:04 am

On 2008-02-09, Jerry Stuckle <jstucklex RemoveThis @attglobal.net> wrote:

>>> The same is true with shell scripts. They are not executed - but the
>>> shell program is.
>>
>> Take some time off from your years of mainframe experience and find a
>> beginner's guide to Unix shells.
>>
>
> You should learn what you're talking about, Andy. I've been doing Unix
> shells for nigh on to 18 years now.

Jerry's correct, FWIW.


--
Steve Sobol, Victorville, CA PGP:0xE3AE35ED www.SteveSobol.com
Geek-for-hire. Details: http://www.linkedin.com/in/stevesobol