#1
|
Registered User
Fresh Surpasser
Joined in May 2005
Hosted on sh91
23 posts
Gave thanks: 0
Thanked 0 times
Securing Your Site
It's been an interesting few days for my site to say the least. I found that my account had been suspended for use of a program called psybnc. What? It was a surprise to me! I had never even HEARD of psybnc until Sam told me why my account was suspended.
When Kayla un-suspended my account, I was able to remove psybnc from its hiding place. I also noticed a cgi script called cgitelnet.pl. It's a program that allows someone to traverse directories, upload/download files, and even execute commands. This was the "back door" that they used to upload psybnc, extract it, and get it up and running.

So... How do I prevent this from happening again? First of all, I went through every directory and looked at every file in my home directory to make sure that it should be there and that I knew what it was supposed to be doing. (Having a very recent backup in case you accidentally delete something necessary is a good idea.) Then, I checked all of the directories and files and made sure that their permissions were appropriate. It turns out that I had a couple of world-writable directories. That's probably the way the malware got there in the first place. Then I changed all of my passwords on my account, just for good measure. If somehow through all of this my passwords were compromised, they're okay now. It's also a good idea, BEFORE you change your passwords, to make sure that you don't have a keylogger or the like on your local system. *whew!*

I think I'm off to a good start here. Is there anything else that you can think of that might keep me out of trouble in the future? Also, just for discussion here: What permissions do you consider "safe" for directories? For executable scripts? For other files?
#2
Third Plateau
Comfy Contributor
Joined in Apr 2004
Lives in East Hanover, New Jersey
Hosted on Nifty
272 posts
Gave thanks: 0
Thanked 0 times
It's very likely that there's some old software with bugs in it that allow people to exploit it. Psybnc is an IRC (chat) bouncer that allows people to connect to it, and then it makes a connection to an IRC server. It's very common for a script kiddie to want to install it.
Do you still have your log files? Try searching for cgitelnet.pl and you might be able to find how that thing snuck onto your account. About the permissions, it's unfortunate that it has to be world readable for the server program to read it. And if you want the server to be able to write there, it has to be world writable. If you're the author of the script, it's a good idea to use MySQL so others can't read it. Make sure you hide your include file really well, like in a secret name, since others may be able to guess at a file that you might have and try to read it. Update all the scripts you have... that's the best I can say.
__________________
site (syberdave.net) - server (nifty)
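Added example (editorial, not code posted by either member of this thread): a small POSIX shell script that does the two checks from post #1 on a throwaway copy of a web account and follows post #2's suggestion of searching the access log for cgitelnet.pl. It lists every world-writable directory or file under the account, resets the tree to the conventional shared-hosting defaults (directories 755, files 644, CGI/Perl scripts 755; those numbers are the usual convention, not something stated in the thread), and greps an Apache-style log for requests to the dropped shell so you get the source IP and time of the intrusion. The sandbox directory layout, file names, function names and the four log lines are constructed for the demo; the addresses 192.0.2.10 and 198.51.100.7 are from the documentation ranges.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster).
# Builds a throwaway account tree, finds world-writable entries, fixes
# permissions, and searches a constructed access log for cgitelnet.pl.

umask 022

# make_sandbox: create a throwaway account tree containing one
# world-writable directory and one world-writable CGI script, plus a
# constructed Apache-style access log. Prints the sandbox path.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html/images" "$d/public_html/cgi-bin" "$d/logs"
    printf '<html>hello</html>\n' > "$d/public_html/index.html"
    printf '#!/usr/bin/perl\nprint "ok";\n' > "$d/public_html/cgi-bin/counter.pl"
    printf '#!/usr/bin/perl\n# placeholder, not the real cgitelnet.pl\n' \
        > "$d/public_html/cgi-bin/cgitelnet.pl"
    chmod 777 "$d/public_html/images"                # the hole the poster found
    chmod 666 "$d/public_html/cgi-bin/cgitelnet.pl"  # file dropped by the intruder
    # Constructed log lines (documentation-range IPs, invented timestamps).
    cat > "$d/logs/access.log" <<'EOF'
192.0.2.10 - - [12/Jun/2006:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Jun/2006:03:15:22 +0000] "GET /cgi-bin/cgitelnet.pl HTTP/1.1" 200 2231 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Jun/2006:03:16:01 +0000] "POST /cgi-bin/cgitelnet.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jun/2006:04:02:45 +0000] "GET /images/logo.gif HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
EOF
    printf '%s\n' "$d"
}

# find_world_writable DIR: every directory or file under DIR that any
# user on the host can write to (the o+w bit, octal 0002). On shared
# hosting these are where a dropped script or psybnc tarball lands.
find_world_writable() {
    find "$1" -perm -0002 \( -type d -o -type f \) 2>/dev/null | sort
}

# count_world_writable DIR: the same check as a number, for scripting.
count_world_writable() {
    find_world_writable "$1" | awk 'END { print NR }'
}

# fix_permissions DIR: conventional web-root defaults. Directories 755
# (server can traverse, only the owner can write), plain files 644, and
# Perl/CGI scripts 755 so the server can still execute them.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' \) -exec chmod 755 {} +
}

# log_hits LOGFILE NAME: access-log lines that requested NAME.
log_hits() {
    grep -F -- "$2" "$1"
}

# first_hit_ip LOGFILE NAME: client address of the earliest request for
# NAME, i.e. where to start looking for how the script got there.
first_hit_ip() {
    log_hits "$1" "$2" | head -n 1 | awk '{ print $1 }'
}

# Demo run on the constructed sandbox.
SANDBOX=$(make_sandbox)
echo "== world-writable entries under $SANDBOX =="
find_world_writable "$SANDBOX"
echo "== requests for cgitelnet.pl (first from $(first_hit_ip "$SANDBOX/logs/access.log" cgitelnet.pl)) =="
log_hits "$SANDBOX/logs/access.log" cgitelnet.pl
fix_permissions "$SANDBOX"
echo "== world-writable entries after fix_permissions: $(count_world_writable "$SANDBOX") =="
rm -rf "$SANDBOX"
```

To use it on a real account, call `find_world_writable "$HOME"` and `log_hits "$HOME/logs/access.log" cgitelnet.pl` directly instead of the sandbox; run `fix_permissions` only on the document root, since blanket 644 will break anything that needs to be executable by the server and is not a `.pl` or `.cgi` file, and a directory the server must write into (uploads, cache) still needs a narrower fix than 777, such as a group-writable directory owned by the server's group.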