Brief Denial of Service Attack

      We received a brief denial of service attack today, not a distributed type, just a single IP address rapidly requesting Your IP which increased the load on our server enough for forums to stop serving pages.  I blocked the offending IP which was a Road Runner cable modem and sent a complaint to Road Runner, not that I actually expect any action from them.


Brief Interruptions in Web Service

     I apologize for the brief interruptions in web service.  I was attempting to troubleshoot a problem with the start-up scripts sometimes failing to mount NFS shares.  Right now I have a work-around in place, but I really want to find the root cause.

MySQL

     Since we replaced our web server, MySQL under Ubuntu will not authenticate on any remote machine.

     I changed the bind-address from 127.0.0.1, to 0.0.0.0, nmap shows that it is listening to port 3306, however it still will not authenticate.

     I verified that what is in the grant tables (they are the same tables that were used on the old server) is correct, and it still will not authenticate except from the localhost IP address or the socket.

     I checked the source code and there is an argument that will make it behave this way.  I suspect Ubuntu developers may have done this for security but really it should be up to the individual site how they want to configure it.

     I have filed a bug report on Launchpad, since this functionality is not documented and it is documented that setting the bind-address to 0.0.0.0 will make it listen on all interfaces.

     If this is the intended behavior, fine, they just need to correct the documentation and I will need to compile from source to get the behavior I want, but if not, hopefully they will fix it.

     I prefer to have it work from the shell servers so people can use the standard mysql client to manipulate their databases.  It is far more secure than phpMyAdmin and in my view less painful.

     For now you will need to use phpMyAdmin to administer your database.

It Gets Better

     After battling this machine until 3AM, I went to bed, but had some chest pain.  It continued through the night, preventing me from sleeping, so I went in to the doctor's to have myself checked out.

     EKG is good, heart sounded good, no immediate threats there, most likely GERD, which can be a problem when I get stressed and last night I definitely was.  But at some point I’m going to have to nap today.

Running Behind

     I’m running behind on e-mail and various customers’ requests.  I’m working on getting caught up, but my workstation decided to throw a monkey wrench into the gear-works by eating its drive.  Thus I spent most of the evening restoring to a new drive.  I am back up and running at 3AM, which means I’ll be in late this morning.

sshfs

     I’ve had customers who wanted to use the shared folders capability of x2go but were unsuccessful.  I talked to one customer who successfully shared folders between two machines at home but suggested sshfs is easier.

     With either of these, if I attempt to share a directory from my home directory on our servers, it will show the underlying physical disks but not the NFS mounted home directories.

     So far I haven’t found any work-around.  This situation is so common (campus systems, for example, in which workstation clusters mount home directories via NFS and students then want to share to their laptops) that I would think there would be a fix, but so far I’ve found none.

     If anybody has gotten this to work, please do share your secret.

Mint Upgrade

     An upgrade of mint.eskimo.com to Rosa 17.3 is in progress.  Please avoid using the machine during the upgrade.  I will post again when it is completed.

Whack-A-Mole Exploit

     There is an exploit going around known as “Whack-A-Mole” that attempts to compromise JavaScript files to cause them to silently upload advertising Malware to an end user’s PC as well as to try to find additional sites to infect.

     There are two levels of infection with this exploit, infection of websites and infection of your PC.

     This exploit prefers WordPress websites to infect because it searches for a number of plugins that permit uploads.  You should make sure that execution is disabled in any directory that you permit uploads to.  If you have a plugin that permits uploads, it should install a .htaccess denying execution in that directory (NoExec), but verify this; don’t count on it.

     This exploit also takes advantage of many shared hosting providers’ poor choice to execute all user code under the web server’s user ID: it crawls the site looking for other JavaScript (.js) files it can infect and, if they are writable, adds its code to them.

     Please note that here, we DO NOT execute code with the web server’s ID; instead we execute each user’s code with their own ID.  Thus the cross-site infection that is happening on other shared host providers will not happen here as long as you do not provide public write permissions to files.

     Some plugins or web applications will tell you to set the file mode to 666.  NEVER EVER DO THAT HERE; IT IS NOT NECESSARY AND IS A SECURITY RISK.  If instructed to set permissions to 666, instead set them to 644.  Because the web server executes scripts with your user ID, ONLY OWNER write permissions are ever required.

     I also recommend setting your public_html directory to mode 711 and not 755, as it will prevent another infected site from being able to crawl your directory.  The web server already knows the name of the file(s) it needs, so it has no need to list your directory.  If you don’t have a need for your home directory to be publicly searchable, I would also recommend setting it to mode 711.
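     The permission rules above (owner-only write, 711 instead of 755) and the later advice to review your .js files can be checked with a small script like the following.  It is an example added to this post, not the hosting provider’s own tooling; the web directory and baseline file paths are whatever you pass in.

```shell
#!/bin/sh
# Audit a public_html tree for the permission mistakes described above and
# keep a hash baseline of its .js files so silent modification shows up later.
# Example added to this post, not the hosting provider's own code. The paths
# passed in ($1 = web directory, $2 = baseline file) are the caller's choice.

# Print every file or directory with group/world write bits (666, 777, ...).
# Scripts run as the owning user here, so only owner write is ever needed.
# Returns 1 if anything was found, 0 if the tree is clean.
find_writable() {
    out=$(find "$1" -perm /022 -print 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed 's/^/WRITABLE: /'
    return 1
}

# Print directories readable (listable) by group/world, i.e. 755 where 711
# would do. The server needs only search (x) permission to reach files.
find_listable() {
    out=$(find "$1" -type d -perm /044 -print 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | sed 's/^/LISTABLE: /'
    return 1
}

# First run: write sha256 of every .js file to the baseline and return 0.
# Later runs: diff current hashes against the baseline; any changed, added or
# removed .js file is printed and the function returns 1.
check_js_baseline() {
    dir="$1"; baseline="$2"
    current=$(cd "$dir" && find . -type f -name '*.js' -print0 |
              sort -z | xargs -0 -r sha256sum)
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$current" > "$baseline"
        echo "baseline written: $baseline"
        return 0
    fi
    delta=$(printf '%s\n' "$current" | diff "$baseline" -) && return 0
    echo "JS CHANGED:"
    printf '%s\n' "$delta"
    return 1
}
```

Run all three against your public_html from cron; a non-zero exit from any of them is worth a look.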

     We also have code in place that looks for queries to where many of these plugins reside and, if one attempts to run a non-existent script, blocks the offending IP address.  We also look for bad web authentication attempts.

     Infection with this Malware is invisible: your site will appear to be operating normally while it infects visitors’ PCs with Adware.  If your site uses JavaScript, I recommend periodic review of your “.js” JavaScript files.

     If you run a WordPress site here, please install the plugin “WP-Fail2ban”.  What this plugin does is log bad WordPress authentication attempts.  Code on this end will then block offending IPs that make three or more attempts.  This will prevent brute force password guessing of your WordPress site.
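     The two server-side checks mentioned above (probes for non-existent plugin scripts, and three or more bad WordPress logins) can be reproduced from logs as follows.  This is an example added to this post, not the provider’s actual blocking code; it assumes WP-Fail2ban’s syslog message wording (“Authentication failure for <user> from <ip>”) and Apache combined-format access logs, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the provider's own blocking code): build a block list
# from the two log sources the post mentions. Assumed formats: WP-Fail2ban
# syslog lines ending in "from <ip>", and Apache combined access-log lines.

# IPs with $1 or more failed WordPress logins (default 3), one per line.
auth_offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /Authentication (failure|attempt for unknown user)/ {
            ip = $NF; fails[ip]++          # the IP is the last field
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip }' | sort
}

# IPs that requested a non-existent (404) PHP file under wp-content/plugins,
# the probing pattern described above; a single hit is enough to list them.
plugin_probe_offenders() {
    awk '$9 == 404 && $7 ~ /^\/wp-content\/plugins\/.*\.php/ { seen[$1] = 1 }
         END { for (ip in seen) print ip }' | sort
}

# Constructed sample logs, not real traffic (RFC 5737 documentation ranges).
sample_syslog() {
    cat <<'EOF'
Mar  3 10:01:02 www wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Mar  3 10:01:03 www wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Mar  3 10:01:04 www wordpress(example.com)[1234]: Authentication attempt for unknown user root from 203.0.113.5
Mar  3 10:05:00 www wordpress(example.com)[1234]: Authentication failure for bob from 198.51.100.7
Mar  3 10:06:00 www wordpress(example.com)[1234]: Accepted password for bob from 198.51.100.7
EOF
}
sample_access() {
    cat <<'EOF'
203.0.113.9 - - [03/Mar/2016:10:02:00 -0800] "GET /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 404 512 "-" "-"
198.51.100.7 - - [03/Mar/2016:10:02:05 -0800] "GET /wp-content/plugins/example-plugin/script.js HTTP/1.1" 200 3000 "-" "-"
192.0.2.44 - - [03/Mar/2016:10:02:09 -0800] "GET /wp-content/themes/x/style.css HTTP/1.1" 404 300 "-" "-"
EOF
}

# Combined block list over the sample data, one IP per line.
block_list() {
    { sample_syslog | auth_offenders 3; sample_access | plugin_probe_offenders; } | sort -u
}
```

In production you would feed the real syslog and access log into the two filter functions and hand the result to your firewall; the sample functions exist only so the block runs stand-alone.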

     If your PC gets infected, you will notice pop-up advertisements.  In this event, my recommendation is to obtain and run MalwareBytes.  Approximately 95% of all the Malware my Windows box has ever been infected with has been discovered by MalwareBytes. I have no affiliation with MalwareBytes.  I’ve just found it to be a very effective product.